ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due...
Transcript of ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due...
![Page 1: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/1.jpg)
ELECTRIC MOTORS
Matthew Jablonski
Duminda Wijesekera, Ph.D.
![Page 2: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/2.jpg)
About Us
• Ph.D. Student in IT
• Engineer and penetration tester
• Safety and security of cyber-physical systems
2
• Professor, CS
• 250+ Publications
• Areas of Focus:• RF Off. and Def.
• Cyber Physical Systems
• Computer Vision
• Risks in algorithms, HW/SW, etc.
• Collaborations:• Government
• Transportation
• Medical
• Industrial
Matthew
Jablonski
Dr. Duminda
Wijesekera
![Page 3: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/3.jpg)
Abstract & Caveats
• Comprehensive technical evaluation of attack objectives and offensive strategies focused on electric motor (EM) systems
• Introducing the Motor Threat Model
• We do not:• target a specific product or endorse any products
• follow safety warnings (but you should and we are not responsible for your actions)
3
![Page 4: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/4.jpg)
Quick Overview
SAFETY AND
SECURITY OF MOVING THINGS
THE MOTOR ATTACK MODEL
MOTOR ATTACK
METHODS
EXPERIMENTAL VALIDATION
4
(Got to keep this presentation MOVING…)
DISCUSSION
![Page 5: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/5.jpg)
Hypothetical Problem Scenario
5
• Your next risk assessment target:
A Proprietary Drone System
• Thousands deployed worldwide for package delivery
• 30 different drone models were dev’ed
• Hundreds of operators…
• With physical and remote access…
• And… background checks aren’t required.
• Over the Internet.
• WHAT IS THE ATTACK SURFACE?
(and we need your response NOW!)
![Page 6: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/6.jpg)
Safety First!
• Rules, Regulations, Standards• Designed to address accidents
• Protect against risks through:• Operational requirements
• i.e. air traffic control
• Power requirements• i.e. overcurrent, low voltage, etc.
• System calibration requirements
• Security… Second?• What about intentional threats?
6
Safety Risks
Focus: Accident Prevention
Security Risks
Focus: Intentional Misuse
Risk Management
![Page 7: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/7.jpg)
The First Security Problem…
• Possible nightmare scenario…
7
![Page 8: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/8.jpg)
Unacceptable Security Recommendation
8
![Page 9: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/9.jpg)
System Review: What’s Inside?
9
ESC ESC
ESCESC
)))
)))
Brushless
Motor
M
Brushless
Motor
M
Brushless
Motor
M
Brushless
Motor
M
DRIVE DRIVE
Controller –
Linux; AI apps
DRIVEDRIVE
Sensors:
Accelerometers;
inertial
measurement;
magnetic;
optical;
GPS;
Controller
4G LTE
2.4GHz
FHSS
Handheld
Throttle
(OPERATOR)
Mission
Control
(OPERATOR)
![Page 10: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/10.jpg)
The Start: Find Similar Threat Models?
10
![Page 11: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/11.jpg)
How do Electric Motors Work?
11
5V
0V
5V
0V
5V
0V
5V
0V
5V
0V
0% duty cycle
25% duty cycle
50% duty cycle
75% duty cycle
100% duty cycle
• Every motor connected to a drive
• Embedded controller• ESC, VSD, VFB
• Voltage fluctuated at pin by HW switch
• Current flows to motor when V>0
• Pulse Width Modulation
• Clock and duty cyclecontrolled by HW & SW
![Page 12: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/12.jpg)
How do Electric Motors Work?
• Input: electrical energy
• Output: torque, speed, mechanical energy
• Rotor: free-moving
• Stator: stationary
• Many different types:• DC vs. AC power• Rotary vs. linear• Selection based on LOAD
12
Brushed DC Motor
Leads
NS
Rotor
Stator
Magnet
Commutator
Windings
Brushes
Air Gap
![Page 13: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/13.jpg)
How do Electric Motors Work?
13
Torque
Speed
Stall Torque: τS
No-Load Speed: ωN
Max Power: PMAX
τMP=0.5τS
ωMP=0.5ωN
Low Power
Slope: τ=τS-ωτS/ωN
Optimal Operation Zone
Intermittent Duty Zone
Continuous Duty Zone
ωR
τR
Torque vs. Speed
Torque (N*m)
Speed (RPM)
Stall Torque: τS
No-Load Speed: ωN
Max Power: PMAX
τMP=0.5τS
ωMP=0.5ωN
Power (W)
POUT
Effects on Power Output
![Page 14: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/14.jpg)
Control Theory:The Recipe for Digital Movement Control
14
Open loop systems:
Closed loop systems:
![Page 15: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/15.jpg)
Another Security Problem…
15
![Page 16: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/16.jpg)
Yet Another Security Problem…
16
Movement is continuous (usually)
Digital control requires discrete commands
![Page 17: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/17.jpg)
Maybe Similar Threat Models?
17
![Page 18: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/18.jpg)
Threat Modeling… Gaps…
• Let’s get away from drones.
• Common issues:• Cyber vs. physical attacks• Physical attack outcomes• Multiple control layers• Digital commands are discrete
• Possible models?• ICS Cyber Kill Chain (Stage 2) [1]• Mitre’s ICS ATT&CK Framework [2]
18
[1] M. J. Assante and R. M. Lee, “The Industrial Control System Cyber Kill Chain,” Tech. Rep. 36297, SANS Institute, October 2015.
[2] O. Alexander, “ICS ATT&CK Framework: Adversary Tactics and Techniques (S4x19).”
www.brighthubengineering.com/commercial-electrical-applications/78579-determining-causes-for-electric-motor-failure/, January
2019. Accessed: 2019-07-05.
![Page 19: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/19.jpg)
The Motor Threat Model (MTM)
19
Our proposed model:
![Page 20: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/20.jpg)
The MTM Stack
20
• Simplified 7-layer stack
• Key takeaways:• Attacks at higher layers allow better control for attacker
• Attacks at lower layers take control of movement from higher layers
• Can understand access needed for C v. P attacks
![Page 21: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/21.jpg)
High Level Attack Objectives
• Control• Steal control to achieve some goal
• Cyber attacks• Easiest at layers 4-7
• Disrupt• Stop movement or prevent operational controls
• Cyber or physical attacks• All layers
21
• Data Exfiltration• IP or privacy theft by tracking movement data
• Cyber attacks
• Easiest at layers 5-7
![Page 22: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/22.jpg)
Layer Descriptions
22
Name Description Level 1 Access Description
Level 2 Access Description
Types of Attacks(C, P)*
Attack Objectives(C, D, DE)**
7 – OPERATOR Unprivileged motor control
Operator interface
OPERATOR-CONTROL channel
C, P C, D, DE
6 – SENSOR Feedback data on phys. env.
Sensors or Wireless Sensor Network (WSN)
Out-of-band safety system (if exists)
C, P C, D, DE
5 – CONTROL Root system control
System controller
CONTROL-DRIVE channel
C, P C, D, DE
4 – DRIVE Modify motor configuration
Motor drive controller
DRIVE-MOTOR channel
C, P C, D
* Cyber (C) or Physical (P)
** Control (C), Disrupt (D) or Data Exfiltration (DE)
![Page 23: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/23.jpg)
Layer Descriptions
23
* Cyber (C) or Physical (P)
** Control (C), Disrupt (D) or Data Exfiltration (DE)
Name Description Level 1 Access Description
Level 2 Access Description
Types of Attacks(C, P)*
Attack Objectives(C, D, DE)**
3 - POWER Prevent or degrade movement
Power system access
N/A C, P D
2 - MOTOR Source of mechanical movement
Motor physical access
N/A C, P D
1 - LOAD Prevent movement by overload
Output LOAD access
N/A P D
![Page 24: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/24.jpg)
OPERATOR Attack Ex. 1Wireless Control
24
Controller Operator
Forward Reverse
Example Target:
![Page 25: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/25.jpg)
OPERATOR Attack Ex. 1Wireless Control
25
Results: Control and Disrupt
![Page 26: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/26.jpg)
OPERATOR Attack Ex. 2Remote Pin Control
Example Target:
This physical setup is used in most attack examples, unless noted.
26
RPi
Controller;
Raspbian;
pigpiod with
Remote GPIO
LiPO Battery
ESCBrushed DC
Motor
Dynanometer
![Page 27: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/27.jpg)
OPERATOR Attack Ex. 2Remote Pin Control
27
Fingerprint on network Attack script
• Attacker has network access and observes remote GPIO
• Executes attack script: PIGPIO_ADDR=192.168.1.4 python3 attack.py
![Page 28: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/28.jpg)
OPERATOR Attack Ex. 2Remote Pin Control
28
Results:
Control and Disrupt
RPM vs. Time
Baseline Run Attack Run
![Page 29: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/29.jpg)
SENSOR Attack:Accelerometer Data Injection
29
Example Target: ADXL345 accelerometer used to control servo angle
![Page 30: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/30.jpg)
SENSOR Attack:Accelerometer Data Injection
30
• Capture and decode I2C, 6 bytes sent for X, Y, Z
• Connecting attack Pi – observe I2C address 0x53
![Page 31: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/31.jpg)
SENSOR Attack:Accelerometer Data Injection
31
• Set attack Pi as I2C slave
• Control bytes
Results:
Control and Disrupt
![Page 32: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/32.jpg)
CONTROL Attack 1:Timing Impacts of Discrete Command Injections
on Motor Control
32
• Inject changes to duty cycle during operation
Results: Control and Disrupt; RPM vs. Time
![Page 33: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/33.jpg)
CONTROL Attack 2:Hardware Implant Targeting PWM Channel
33
Example Target:
![Page 34: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/34.jpg)
CONTROL Attack 2:Hardware Implant Targeting PWM Channel
34
• When PWM used as control signal, typically a 3-wire cable is used:
• Black wire = ground
• Red wire = current
• White or yellow wire = control
![Page 35: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/35.jpg)
CONTROL Attack 2:Hardware Implant Targeting PWM Channel
35
Results:
Control and Disrupt
RPM vs. Time
![Page 36: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/36.jpg)
DRIVE Attacks:Pin Control and Configuration Attacks
• Attacks modify pin registers in Rpi 3 B+ SoC, Broadcom BCM2837
• Memory map physical memory locations using BCM2837 spec
36
![Page 37: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/37.jpg)
DRIVE Attacks:Pin Control and Configuration Attacks
• Attack 1: Change pin to INPUT during operation
Results:
Control and Disrupt
RPM vs. Time
37
![Page 38: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/38.jpg)
DRIVE Attacks:Pin Control and Configuration Attacks
• Attack 2: Modify PWM CLOCK and DATA on BCM2837 to identify behavioral changes to motor
• Target:
38
![Page 39: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/39.jpg)
DRIVE Attacks:Pin Control and Configuration Attacks
39
Results:
Control and Disrupt
DATA vs. CLOCK
w/ Static RANGE
![Page 40: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/40.jpg)
DRIVE Attacks:Pin Control and Configuration Attacks
40
• Attack 3: Record and playback PWM registers
Results:
Control and Disrupt
RPM vs. Time
![Page 41: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/41.jpg)
POWER Attack:Motor Performance due to Low Voltage
• Test run with low voltage LiPO battery
41
Results:
Disrupt
RPM vs. Time
NOTE: LiPO batteries should never be used in low voltage (may overheat or worse)
7.62V LiPO 6.5V LiPO
![Page 42: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/42.jpg)
POWER Attack:Motor Performance due to Low Voltage
42
Results:
Disrupt
Torque and Power Output vs. Speed
NOTE: LiPO batteries should never be used in low voltage (may overheat or worse)
7.62V LiPO – Torque (N*mm) 6.5V LiPO – Torque (N*mm)
7.62V LiPO – Power Out (W) 6.5V LiPO – Power Out (W)
![Page 43: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/43.jpg)
MOTOR Attack 1: Motor Performance in Presence of
External Electromagnet• Introduced electromagnet (500N suction) to target during run to observe behavior
43
![Page 44: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/44.jpg)
MOTOR Attack 1: Motor Performance in Presence of
External Electromagnet
44
Results:
Disrupt
RPM vs. Time
Baseline Run Attack Run 1, Electromagnet full run
Attack Run 2, Electromagnet removed at 15 sec.
![Page 45: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/45.jpg)
MOTOR Attack 1: Motor Performance in Presence of
External Electromagnet
45
Results:
Disrupt
Torque and Power Output vs. Speed
Baseline – Torque (N*mm) Attack Run 2 – Torque (N*mm)
Baseline – Power Out (W) Attack Run 2 – Power Out (W)
![Page 46: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/46.jpg)
MOTOR Attack 2:Reprogramming Digital Servo Motor• Digital servo manufacturers provide programming tools
• Identify motor type and procure programmer – no auth!
• Target and programmer:
46
![Page 47: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/47.jpg)
MOTOR Attack 2:Reprogramming Digital Servo Motor
• Expected behavior (top, CW) vs. reprogrammed (bot, CCW):
47
![Page 48: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/48.jpg)
LOAD Attack: Overheating and Stalling a Motor
• Target desk fan:
48
![Page 49: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/49.jpg)
LOAD Attack: Overheating and Stalling a Motor
49
• Overheated to ~180° F and motor died at 61-min mark
Results: Disrupt
![Page 50: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/50.jpg)
LOAD Attack: Overheating and Stalling a Motor
50
• Brushless motor comparison between dead and good fan
• No visual difference
![Page 51: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/51.jpg)
Motor Threat Model Redux
51
![Page 52: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/52.jpg)
Start Over: Hypothetical Problem Scenario
52
• Your next risk assessment target:
A Proprietary Drone System
• Thousands deployed worldwide for package delivery
• 30 different drone models were dev’ed
• Hundreds of operators…
• With physical and remote access…
• And… background checks aren’t required.
• Over the Internet.
• WHAT IS THE ATTACK SURFACE?
(and we need your response NOW!)
![Page 53: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/53.jpg)
Attacker Model for Drone System
• Nation State – C & P; Offensive campaigns directed at accomplishing some mission; Many resources
• Cybercriminal – C; Motivated by data collection
• Terrorist – C; Motivated by spreading fear
• Insider – C or P; Disgruntled employee or social engineering victim
53
![Page 54: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/54.jpg)
Refined Attack Objectives for Targeting Drone Movement
• Control –• Steal property• Alter predictable movements
• Disrupt –• Physical damage• Physical harm• Prevent movement
• Data Exfiltration –• Privacy Invasion
54
![Page 55: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/55.jpg)
Movement Focused Attack Trees
55
![Page 56: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/56.jpg)
MTM Application for Finding Movement Threats
56
ESC ESC
ESCESC
)))
)))
Brushless
Motor
M
Brushless
Motor
M
Brushless
Motor
M
Brushless
Motor
M
DRIVE DRIVE
Controller –
Linux; AI apps
DRIVEDRIVE
Sensors:
Accelerometers;
inertial
measurement;
magnetic;
optical;
GPS;
Controller
4G LTE
2.4GHz
FHSS
Handheld
Throttle
(OPERATOR)
Mission
Control
(OPERATOR)
6-SENSOR
2-MOTOR 2-MOTOR
2-MOTOR2-MOTOR4-DRIVE 4-DRIVE
4-DRIVE4-DRIVE
7-OPERATOR
7-OPERATOR
5-CONTROL3-POWER1-LOAD
![Page 57: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/57.jpg)
Experimental Boneyard
57
![Page 58: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/58.jpg)
Thanks!
58
![Page 59: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/59.jpg)
Backup Slides
59
![Page 60: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/60.jpg)
The OPERATOR Layer
• Unprivileged motion control (most of the time)
• 2 levels of access:1. Operator interface2. OPERATOR-CONTROL channel
• Type: cyber and physical
• Objectives: control, disrupt, data exfiltration
60
![Page 61: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/61.jpg)
The SENSOR Layer
61
• Provides input data about physical environment
• 2 levels of access:1. Sensors2. Out-of-Band Safety Systems
(TRITON)
• Type: cyber and physical
• Objectives: control, disrupt, data exfiltration
![Page 62: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/62.jpg)
The CONTROL Layer
62
• Privileged motion control (root!)
• 2 levels of access:1. Controller2. CONTROL-DRIVE Channel
• Type: cyber and physical
• Objectives: control, disrupt, data exfiltration
![Page 63: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/63.jpg)
The DRIVE Layer
• Modify motor properties during operation
• 2 levels of access:1. Controller2. CONTROL-DRIVE Channel
• Type: cyber* and physical
• Objectives: control and disrupt
63
* With limited physical access
![Page 64: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/64.jpg)
The POWER LAYER
• Prevent or degrade motor performance
• 1 level of access:• Targeting power input
• Type: cyber* and physical
• Objective: disrupt
64
* With limited physical access
![Page 65: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/65.jpg)
The MOTOR Layer
• Disruption of movement at the source of mechanical power
• 1 level of access:• Targeting the motor
• Type: cyber* and physical
• Objective: disrupt
65
* With limited physical access
![Page 66: ELECTRIC MOTORS - Black Hat Briefings · 7.62V LiPO 6.5V LiPO. POWER Attack: Motor Performance due to Low Voltage 42 Results: Disrupt Torque and Power Output vs. Speed NOTE: LiPO](https://reader034.fdocuments.in/reader034/viewer/2022042420/5f38176e8a0cf94e93775cc3/html5/thumbnails/66.jpg)
The LOAD Layer
• Movement prevention by overloading the system
• 1 level of access:• Targeting the output system
• Type: physical
• Objective: disrupt
66