Source: secuinside.com/archive/2014/2014-2-5.pdf
Automatic attack on drones by malware infection
SEWORKS INC. CTO WOWHACKER TEAM
Dongcheol Hong
INFORMATION
Drone malware attack
2 Dongcheol Hong - SEworks.Inc
Speaker Bio
• SEWORKS Inc. Chief Technology Officer
- Develops the Anti-Decompiler and Anti-Reverse Engineering Tool for Android applications.
• WOWHACKER Admin.
- Qualified 5 times for Defcon CTF hacking contest finals.
- Organized Secuinside, Codegate, ISEC hacking contests.
• Made Android and Windows mobile antivirus applications in 2009.
• Presented at many security conferences, such as Secuinside and Hitcon.
Abstract
• Many drone systems are now in use around the world.
• People think that drones can only be hacked through network attacks.
• Drone systems are developing rapidly.
• Let's look at a world-famous drone: the AR.Drone 2.0.
• We can infect the AR.Drone 2.0 with malware called "HSDrone", spread the malware to other drones, and control all of them.
ABOUT THE DRONE MALWARE
Drone malware attack
Communication
• Many older drone systems communicate over radio frequency.
• It is difficult to spread malware over radio frequency communication.
• However, drone systems are becoming more advanced, and WIFI connections are now widely used.
• A WIFI connection is convenient, but people need to consider its security.
How are drone systems upgraded
• Network
- WIFI control
- GPS System
- Attempts at control via internet access
• Smart device
- Control by smart device (Android, iOS)
AR. Drone 2.0
• The Parrot AR.Drone 2.0 is a commonly used drone that is widespread around the world.
• Can connect with smart devices.
• Can be controlled over a WIFI connection with a smart device.
INSIDE THE AR.DRONE
Drone malware attack
WIFI
• The AR.Drone uses a WIFI connection.
AR.Drone Controller
• The AR.Drone is controlled by an app on a smart device.
Telnet
• The AR.Drone is running a Telnet daemon.
FTP
• The AR.Drone is running an FTP daemon.
• The base directory is /data/video
program.elf
• /bin/program.elf is an important file.
• The motor stops when the program.elf process is killed using /bin/kk
Network
• Network
• Atheros chipset : ath0
Session profile
Open source project
• There is an open source project for it, but the project is neither supported nor endorsed by Parrot S.A.
• https://github.com/ardrone/ardrone
Decompile on Android App
HSDRONE MALWARE
Drone malware attack
Development Environment
AR. Drone 2.0 two GPS Beagle board Laptop
Processor information
• ARM processor
• Code has to be compiled for ARM
Network
• The drone has to scan for other drones.
• Master mode cannot scan wireless networks.
How to infect drone 1
Smart Device to Drone
[Diagram: drone malware infects the drone]
1. A fake app can infect the drone.
2. An attacker can infect the drone from a smart device within the drone's network area.
How to infect drone 2
Drone to Drone
[Diagram labels: infected drone's network area, impacted drone, normal drone, normal drone's network area, infect]
Normal drones will be infected if an infected drone enters the normal drone's network area.
Activity
[Diagram labels: infected drone's network area, impacted drone, normal drone, normal drone's network area; 1. Malware copy, 2. Motor stop]
1. Copy and replicate itself
2. Motor stop
3. GPS
4. DNS Pharming
HOW TO INFECT - 1 FROM SMART DEVICE
Drone malware attack
Controller App modification
• Recently, many Android apps have been modified by crackers.
• The AR.Drone 2.0 can be controlled by a smartphone app.
• A cracker modifies the control app and uploads it to the internet.
• Means of spreading: internet, SMS, e-mail, market, etc.
• The drone is infected when a person uses the fake app.
Controller App modification
• We can modify and repackage applications with a free tool called Apktool.
Controller App modification
• Smali code
Android malware
• Uses a thread for network communications
• The AR.Drone 2.0 IP address is 192.168.1.1
FTP upload 1
• FTP connection
• File copy
Asset file
FTP upload 2
• FTP upload
Telnet
• Telnet connection
• Command
Malware
• Inside the drone.
HOW TO INFECT - 2 DRONE TO DRONE
Drone malware attack
Scanning
• Change the network to "managed" mode.
• The drone repeatedly scans for other drones using the fork function.
Connect to other drone
• Connect if another AR.Drone's AP exists
Connect to other drone
• The drone succeeds in connecting to another drone's AP
Boot
• The malware has to execute during the boot-up sequence.
Action
• Repeat scanning until the attacker drone finds other drones.
• Connect to the AR.Drone's AP if found.
• FTP upload itself.
• Telnet connection.
• Permission setting (execute).
• Boot setting.
FTP upload itself
• FTP login to other drone.
• Upload itself
The Cmdftp source was used as a reference.
ACTIVITY
Drone malware attack
Command
• HSDrone opens a socket connection.
Command
• Make a directory
• Copy
• Permission setting
Command
• kk
- The motor will be stopped.
• Change to master mode
AT Commands
• Drone commands use UDP port 5556
AT*PCMD_MAG=21625,1,0,0,0,0,0,0<CR>AT*REF=21626,290717696<CR>
AT*PCMD_MAG=xx,xx,-1085485875,xx,xx,xx,xx
AT Commands
• Information on these commands can be found in the developer guide.
Configuration
• Altitude max: the drone's limit will be 100000 (100 meters from the ground)
• We can then fly to a GPS location with no obstacles in the way
AT*CONFIG=605,"control:altitude_max","3000"
AT*CONFIG=605,"control:altitude_max","100000"
tcpdump
• Install tcpdump on the drone.
• After that, we can capture network packets.
• 192.168.1.5 is the controller's IP.
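An added detection example, not from the original slides: it parses captured AT command payloads in the format shown above and flags commands from a source other than the controller, as well as altitude_max changes above a policy limit. The record layout (source IP, destination port, payload), the second source address and the limit of 3000 are assumptions; the sample capture is constructed.

```python
import re
from typing import NamedTuple

AT_PORT = 5556                 # from the slides: AT commands use UDP port 5556
CONTROLLER_IP = "192.168.1.5"  # from the slides: the controller's IP
ALTITUDE_LIMIT = 3000          # assumed site policy, same unit as the slides' values

AT_LINE = re.compile(r'^AT\*([A-Z_]+)=(\d+)(?:,(.*))?$')
ARG = re.compile(r'\s*("[^"]*"|[^,]+)')  # a quoted argument may contain commas


class ATCommand(NamedTuple):
    name: str
    seq: int
    args: tuple


def parse_datagram(payload: bytes) -> list:
    """Split one UDP payload into its <CR>-terminated AT commands."""
    commands = []
    for line in payload.decode("ascii", errors="replace").split("\r"):
        line = line.strip()
        if not line:
            continue
        m = AT_LINE.match(line)
        if m is None:
            # Keep unparseable lines visible instead of silently dropping them.
            commands.append(ATCommand("UNPARSED", -1, (line,)))
            continue
        raw = ARG.findall(m.group(3) or "")
        args = tuple(a.strip().strip('"') for a in raw if a.strip())
        commands.append(ATCommand(m.group(1), int(m.group(2)), args))
    return commands


def inspect(records) -> list:
    """Return (record index, source IP, finding) for each suspicious command."""
    findings = []
    for i, (src, dport, payload) in enumerate(records):
        if dport != AT_PORT:
            continue
        for cmd in parse_datagram(payload):
            if src != CONTROLLER_IP:
                findings.append((i, src, f"{cmd.name} from unexpected source"))
            if cmd.name != "CONFIG" or cmd.args[:1] != ("control:altitude_max",):
                continue
            try:
                value = int(cmd.args[1])
            except (IndexError, ValueError):
                findings.append((i, src, "altitude_max malformed"))
                continue
            if value > ALTITUDE_LIMIT:
                findings.append((i, src, f"altitude_max raised to {value}"))
    return findings


# Constructed sample records: (source IP, destination UDP port, payload).
# The command strings are the ones shown on the slides; 192.168.1.7 is made up.
SAMPLE_CAPTURE = [
    ("192.168.1.5", 5556,
     b"AT*PCMD_MAG=21625,1,0,0,0,0,0,0\rAT*REF=21626,290717696\r"),
    ("192.168.1.5", 5556, b'AT*CONFIG=605,"control:altitude_max","3000"\r'),
    ("192.168.1.7", 5556, b'AT*CONFIG=605,"control:altitude_max", "100000"\r'),
    ("192.168.1.5", 5554, b"other traffic, ignored"),
]

if __name__ == "__main__":
    for finding in inspect(SAMPLE_CAPTURE):
        print(finding)
```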
Packet capture
GPS
- The AR.Drone 2.0 supports GPS.
- If we click a GPS point on the smart device, the drone will go to that place.
- The user can go back to the GPS-registered "home" by pressing the "home" button.
- Infected drones will come to my real home if there isn't any obstacle.
GPS
DNS Pharming
• Drones can change the DNS settings of some vulnerable APs during flight.
AP
No encryption
Default password
Access administrator mode from wireless
DNS Server change
• DNS can be changed in administrator mode
dnsmasq
dnsmasq
• /etc/dnsmasq.conf
• 8.8.8.8 is Google's DNS server
DNS
Pharming
Result
• Drone malware (HSDrone, which I made) can spread through wireless networks.
- Smart Device to Drone
- Drone to Drone
• Can control other drones with UDP network commands.
• Malware can attack APs with DNS pharming.
• Drone malware like this could spread and attack your computers, APs, smart devices, drones, and everything else in the future.
• It is dangerous: a drone has the advantage of physical distance for carrying out the attack.