Hacking a Professional Drone
asia-16-Rodday-Hacking-A-Professional-Drone
Hacking a Professional Drone
Nils Rodday
rodday@arcor.de
https://de.linkedin.com/in/nilsrodday
Goal
The goal of this talk is to give insights into the security of Unmanned Aerial Vehicles (UAVs) and to show that professional UAVs are not as secure as one might think.
2
Agenda
The UAV
Attacks
Live Demonstration
Remediation
Impact
Q&A
Lessons Learned
3
The UAV – Specifications
25k – 30k €
30k – 35k $
Add-ons
3kg Payload
7lb Payload
Advanced Features
30 – 45min Endurance
4
The UAV
[Diagram of the UAV's data flows. Labels: Telemetry Box; 802.11 WiFi link (WEP); XBee 868LP link; Video link; GPS Receiver; Remote Control; 2.4 GHz Remote Control link; "Not connected (two separate devices)". Photo © IEEE]
5
The UAV – Wifi focus
[Diagram of the UAV's data flows with the WiFi link in focus. Labels: 802.11 WiFi link (WEP); XBee 868LP link; Video link; GPS Receiver; 2.4 GHz Remote Control link]
6
The UAV – Wifi attack
[Diagram. Labels: Original tablet; Attacker's tablet; Original communication route; Communication route after attack]
7
The UAV – XBee focus
[Diagram of the UAV's data flows with the XBee link in focus. Labels: 802.11 WiFi link (WEP); XBee 868LP link; Video link; GPS Receiver; 2.4 GHz Remote Control link]
8
XBee – Chips
9
10
XBee – Reading the manual...
1. API mode
2. Broadcast
3. Remote AT Commands
It's not a bug, it's a feature
11
XBee – Man-in-the-Middle Attack
[Diagram. Labels: Tablet; Remote Control; UAV; Attacker; Original communication route; Communication route after attack. Photo © IEEE]
Steps labelled in the diagram:
1. Broadcast
3. Remote AT Command: Change DH + DL
5. Remote AT Command: Write
12
What's next?
We can read/send data on the XBee channel.
But what does that data stream mean?
13
Decompilation of Android APK
14
Decompilation of Android APK
Decimal -> Hex
Decimal: 36 87 73 70 73 paramByte paramByte paramByte
Hex:     24 57 49 46 49 XX        XX        XX
...
15
Example Commands
24 57 49 46 49 XX XX XX
24 57 49 46 49 89 89 89 (Start-Engines)
24 57 49 46 49 58 58 58 (Auto-Takeoff)
24 57 49 46 49 97 97 97 (Enable Autopilot)
16
Demonstration
Remediation – XBee Onboard Encryption
• Secures Data ONLY on the XBee channel
• Prevents Remote-AT-Commands
• Mitigates Man-in-the-Middle
18
Remediation – Additional Hardware Encryption
• Does NOT prevent Remote-AT-Commands
• Does NOT mitigate Man-in-the-Middle
• Ensures CONFIDENTIALITY
19
Remediation – Application-layer Encryption
• Does NOT prevent Remote-AT-Commands
• Does NOT mitigate Man-in-the-Middle
• Ensures CONFIDENTIALITY
20
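The man-in-the-middle slide depends on Remote AT Commands that change DH + DL and then Write the setting, so a host can catch the re-pairing by checking what its own module reports for DH and DL. The Python below is an added example, not part of the original slides or the vendor's software. It assumes unescaped API mode, Digi's documented API frame layout (0x7E delimiter, 16-bit length, checksum) and the 0x88 AT Command Response frame type; the addresses and sample frames are constructed.

```python
START, AT_RESPONSE = 0x7E, 0x88   # frame delimiter, "AT Command Response" type

def build_frame(data: bytes) -> bytes:
    """Wrap frame data in an API frame; used here only to build sample input."""
    checksum = 0xFF - (sum(data) & 0xFF)
    return bytes([START]) + len(data).to_bytes(2, "big") + data + bytes([checksum])

def parse_frames(stream: bytes):
    """Yield the frame data of every frame whose checksum verifies."""
    i = 0
    while i + 4 <= len(stream):
        length = int.from_bytes(stream[i + 1:i + 3], "big")
        end = i + 3 + length                      # index of the checksum byte
        if stream[i] != START or end >= len(stream):
            i += 1                                # not a complete frame: resync
            continue
        data = stream[i + 3:end]
        if (sum(data) + stream[end]) & 0xFF == 0xFF:
            yield data
            i = end + 1
        else:
            i += 1                                # corrupted frame: resync

def audit_destination(stream: bytes, expected: int) -> list:
    """Compare the DH/DL values reported by the local module with `expected`."""
    seen = {}
    for data in parse_frames(stream):
        # Layout: type, frame ID, 2-byte AT command, status (0 = OK), value
        if len(data) >= 5 and data[0] == AT_RESPONSE and data[4] == 0:
            cmd = data[2:4].decode("ascii", "replace")
            if cmd in ("DH", "DL"):
                seen[cmd] = int.from_bytes(data[5:], "big")
    findings = [f"no valid {c} response" for c in ("DH", "DL") if c not in seen]
    if not findings and (seen["DH"] << 32 | seen["DL"]) != expected:
        actual = seen["DH"] << 32 | seen["DL"]
        findings.append(f"destination is {actual:016X}, expected {expected:016X}")
    return findings

def at_response(cmd: str, value: int) -> bytes:
    """Constructed sample: an OK response carrying a 4-byte register value."""
    body = bytes([AT_RESPONSE, 0x01]) + cmd.encode() + b"\x00"
    return build_frame(body + value.to_bytes(4, "big"))

PAIRED = 0x0013A200AABBCCDD                       # constructed peer address
GOOD = at_response("DH", 0x0013A200) + at_response("DL", 0xAABBCCDD)
TAMPERED = at_response("DH", 0x0013A200) + at_response("DL", 0x11223344)
```

A missing or corrupted response is reported as a finding rather than treated as a pass, so a dropped reply cannot hide a changed destination.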
Impact
• Cost of attack: 40$
• UAV is currently in use
• Multiple manufacturers are using similar setups
21
Lessons Learned
Use strong encryption
Alter passphrases
Test your product
22
Credits
Prof. Dr. Aiko Pras
Dr. Ricardo de O. Schmidt
Ruud Verbij
Matthieu Paques
Atul Kumar
Annika Dahms
23
Nils Rodday
https://de.linkedin.com/in/nilsrodday
rodday@arcor.de
24
26
• Slide 5 & 12: Photo credit to: 978-1-5090-0223-8/16/$31.00 © 2016 IEEE
27