Hacking a Professional Drone
-
Upload
priyanka-aash -
Category
Technology
-
view
255 -
download
2
Transcript of Hacking a Professional Drone
![Page 1: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/1.jpg)
SESSION ID:
#RSAC
Nils Rodday
Hacking a Professional Drone
HT-W03
IT Security Consultant
![Page 2: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/2.jpg)
#RSAC
Goal
2
The goal of this talk is to give insights into the security of Unmanned Aerial Vehicles (UAVs) and to show that professional
UAVs are not as secure as one might think.
![Page 3: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/3.jpg)
#RSAC
Agenda
3
Definition
Attack Vectors
The UAV
Attacks
Live Demonstration
Remediation
Impact
Lessons Learned
Q&A
![Page 4: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/4.jpg)
#RSAC
Definition
4
Modelled after: R. Austin, Unmanned Aircraft Systems. UAVs Design, Development and Deployment
![Page 5: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/5.jpg)
#RSAC
Example products – Physical attack vectors
5
©AP Photo/Francois Mori©Rapere
![Page 6: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/6.jpg)
#RSAC
Example products – Logical attack vectors
6
Denial of Service
©Battelle
![Page 7: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/7.jpg)
#RSAC
Mission statement
7
Take over the UAV
![Page 8: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/8.jpg)
#RSAC
The UAV Under Investigation
8
![Page 9: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/9.jpg)
#RSAC
The UAV – Specifications
9
25k – 30k €30k – 35k $
3kg Payload7lb Payload
30 – 45min Endurance
Advanced Features
Add-ons
![Page 10: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/10.jpg)
#RSAC
10
The UAV
Remote Control
Not connected(two separate devices)
Telemetry Box
802.11 WiFi link (WEP)
XBee 868LP link
Video link
2.4 GhzRemote Control
link
Data flow
Data flow
GPS ReceiverData flow
©IEEE
![Page 11: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/11.jpg)
#RSAC
11
The UAV – WiFi focus
802.11 WiFi link (WEP)
XBee 868LP link
Video link
2.4 GhzRemote Control
link
Data flow
Data flow
GPS ReceiverData flow
![Page 12: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/12.jpg)
#RSAC
12
The UAV – WiFi attack
Original tablet
Communication route after attack
Original communication
route
Attacker's tablet
![Page 13: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/13.jpg)
#RSAC
13
The UAV – XBee focus
802.11 WiFi link (WEP)
XBee 868LP link
Video link
2.4 GhzRemote Control
link
Data flow
Data flow
GPS ReceiverData flow
![Page 14: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/14.jpg)
#RSAC
XBee – Chips
14
![Page 15: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/15.jpg)
#RSAC
XBee – Using 3rd party hardware
15
Software Defined Radio (SDR)
![Page 16: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/16.jpg)
#RSAC
XBee – Spectral analysis
16
![Page 17: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/17.jpg)
#RSACXBee – Using XBee chip itself(Obtaining Connection Parameters)
17
0013A20040C6662C
18 * 10^18 tries(4.294.967.296 ^2)
0013A20040C6662C
16 * 10^6 tries(1 * 16.777.216)
0013A20040C6662C
42 * 10^8 tries(1 * 4.294.967.296)
![Page 18: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/18.jpg)
#RSAC
XBee – Obtaining Connection Parameters
18
![Page 19: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/19.jpg)
#RSAC
XBee – Reading the manual...
19
1. API mode
2. Broadcast
3. Remote AT Commands
It's not a bug, it's a feature
![Page 20: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/20.jpg)
#RSAC
20
XBee – Man-in-the-Middle Attack
1. Broadcast3. Rem
ote AT Comm
and:Change DH + DL
5. Remote AT Com
mand:
Write
Communication route after attack
Original communication
route
Attacker
Tablet Remote Control UAV©IEEE
![Page 21: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/21.jpg)
#RSAC
What´s next?
21
We can read/send data on the XBee channel.
But what does that data stream mean?
![Page 22: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/22.jpg)
#RSAC
Decompilation of Android APK
22
![Page 23: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/23.jpg)
#RSAC
Decompilation of Android APK
23
2457 49 46 49 XX XX XX
.
.
.
3687737073
paramByteparamByteparamByte
Decimal –> Hex
![Page 24: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/24.jpg)
#RSAC
Example commands
24
24 57 49 46 49 89 89 89 (Start-Engines)
24 57 49 46 49 XX XX XX
24 57 49 46 49 58 58 58 (Auto-Takeoff)24 57 49 46 49 97 97 97 (Enable Autopilot)
![Page 25: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/25.jpg)
#RSAC
Demonstration
25
![Page 26: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/26.jpg)
#RSAC
Remediation – XBee onboard encryption
27
Secures Data ONLY on the XBee channel
Prevents Remote-AT-Commands
Mitigates Man-In-The-Middle
![Page 27: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/27.jpg)
#RSAC
Remediation – Add. Hardware Encryption
28
Does NOT prevent Remote-AT-Commands
Does NOT mitigate Man-in-the-Middle
Ensures CONFIDENTIALITY
![Page 28: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/28.jpg)
#RSAC
Remediation – Application-layer encryption
29
Does NOT prevent Remote-AT-Commands
Does NOT mitigate Man-in-the-Middle
Ensures CONFIDENTIALITY
![Page 29: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/29.jpg)
#RSAC
Impact
30
Cost of attack: 40$
UAV is currently in use
Multiple manufacturers are using similarsetups
![Page 30: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/30.jpg)
#RSAC
Lessons Learned
31
Use strongencryption
Alter passphrases
Test your product
![Page 31: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/31.jpg)
#RSAC
Credits
32
Prof. Dr. Aiko Pras
Dr. Ricardo de O. Schmidt
Ruud Verbij
Matthieu Paques
Atul KumarAnnika Dahms
![Page 32: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/32.jpg)
#RSAC
Contact Details
33
Nils Rodday
https://de.linkedin.com/in/nilsrodday
![Page 33: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/33.jpg)
SESSION ID:
#RSAC
Nils Rodday
Hacking a Professional Drone
HT-W03
IT Security Consultant
![Page 34: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/34.jpg)
#RSAC
Back-Up Slides
![Page 35: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/35.jpg)
#RSAC
Back-Up – UAV Commands
36
![Page 36: Hacking a Professional Drone](https://reader034.fdocuments.net/reader034/viewer/2022051708/589f43e01a28ab490c8b6a6b/html5/thumbnails/36.jpg)
#RSAC
References
37
Slide 04: Modelled after R. Austin. Unmanned Aircraft Systems. UAVs Design, Development and Deployment. Wiley, 2010. ISBN: 978-0-470-05819-0.
Slide 05: Photo credit to: Rapere
Slide 05: Photo credit to: AP Photo/Francois Mori
Slide 06: Photo credit to: Battelle
Slide 10 & 21: Photo credit to: 978-1-5090-0223-8/16/$31.00 © 2016 IEEE