THE PARROT AR.DRONE 2.0
Nate Krussel, Maxine Major, and Theora Rice
Overview
● Parrot AR Drone 2.0
● Purchased off Amazon
  ○ ~ $300 for everybody
  ○ 2 day prime shipping
● Works out of the box
  ○ No assembly required, charge the battery, download the application and fly
  ○ Comes with special hull for flying indoors
● Embedded Linux on SOC Atheros chipset
Overview
● Free Flight App
● Runs on Android and iOS
  ○ No Windows phone app
● Uses gyros and accelerometers to control the flight
● Failsafe: if hands not on device, drone attempts to hover in place.
Early Thoughts
● Experiments
● Use Wireshark to sniff traffic
● Take over drone control
  ○ App and PC
● Hijack the video
● Hard crash the drone, similar to the emergency landing built into the drone
Wireshark
● Connected to the AR.Drone wifi to sniff the traffic
● Pattern Identification
● Wireshark didn’t show any traffic
● ARP packets, not much else
Wireshark
● Conclusion
● Wireshark couldn’t identify packets used to transmit data
● Used a packet different from normal TCP/IP and didn’t know how to display it
● Need to use a raw packet dump and try to analyze it that way
Drone Hacks \ Mods
Hack#1: Program Drone over Wi-fi
● Node.js
  ○ Platform built on Chrome’s JavaScript runtime
● Install AR Drone module
  ○ Client for controlling AR Drone (nodecopter.com)
● Save flight commands to file
  ○ Auto-execute drone actions
● This method also included untrusted .js files
Drone Hacks \ Mods
Hack#2: Program Drone over Wi-fi
● Packets sent as UDP/TCP
● Single UDP contains 1+ command(s)
  ○ AT*REF: takeoff, landing, reset, stop
● Ports:
  ○ Port 5556 - UDP packets with regular commands
  ○ Port 5554 - Reply UDP data packets from AR.Drone
  ○ Port 5555 - Reply video stream packets from AR.Drone
  ○ Port 5559 - TCP packets for critical data that cannot be lost, usually for configuration
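Added example (not from the original slides): a small offline decoder for a raw dump of the port 5556 control traffic that Wireshark could not dissect, which also flags more than one controller address issuing commands. The AT*NAME=seq,args syntax and the AT*REF bit layout are assumptions taken from Parrot's public AR.Drone developer guide; the function names and the sample capture are constructed for illustration.

```python
import re
from collections import defaultdict

CONTROL_PORT = 5556  # from the slides: UDP packets with regular commands

# Assumption (Parrot developer guide, not the slides): commands look like
# AT*NAME=<seq>[,args] and are terminated by CR; LF is tolerated here too.
AT_RE = re.compile(r"^AT\*([A-Z_]+)=(\d+)(?:,(.*))?$")

def parse_datagram(payload: bytes):
    """Split one UDP payload into (name, seq, args) tuples; skip malformed text."""
    cmds = []
    for line in re.split(r"[\r\n]+", payload.decode("ascii", errors="replace")):
        m = AT_RE.match(line.strip())
        if m:
            args = m.group(3).split(",") if m.group(3) else []
            cmds.append((m.group(1), int(m.group(2)), args))
    return cmds

def decode_ref(args):
    """Assumed AT*REF bitfield: bit 8 = emergency, bit 9 = takeoff (else land)."""
    bits = int(args[0])
    if bits & (1 << 8):
        return "emergency"
    return "takeoff" if bits & (1 << 9) else "land"

def audit(capture):
    """capture: iterable of (src_ip, dst_port, payload) -> (events, alerts)."""
    events, sources = [], defaultdict(int)
    for src, port, payload in capture:
        if port != CONTROL_PORT:
            continue  # only the command channel is audited
        for name, seq, args in parse_datagram(payload):
            sources[src] += 1
            if name == "REF" and args and args[0].isdigit():
                events.append((src, seq, decode_ref(args)))
    alerts = []
    if len(sources) > 1:  # a second sender on the command port is suspicious
        alerts.append("multiple controllers on UDP 5556: " + ", ".join(sorted(sources)))
    return events, alerts

# Constructed sample capture (not real traffic): two clients sending commands.
SAMPLE = [
    ("192.168.1.2", 5556, b"AT*REF=1,290718208\rAT*PCMD=2,0,0,0,0,0\r"),
    ("192.168.1.2", 5554, b"\x01\x00\x00\x00"),
    ("192.168.1.3", 5556, b"AT*REF=1,290717696\r"),
]

if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```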
Drone Hacks \ Mods
Hack#3: Exploration of internals
● Airodump-ng capture of drone wifi
● Revealed open access point
● Aireplay -0 deauth attack
● Arp scans
● Nmap
● ftp, telnet ports left open
Projecting Video …The Hard Way
Projecting Video …The Easy Way
● Telnet
  ○ telnet 192.168.1.1
● ffplay (ffmpeg)
  ○ ffplay tcp://192.168.1.1:5555
Video Demo
Optional Modifications
● Blinking LED lights
● Upgraded Blades/Rotors
● Long-life replacement batteries
  ○ 1000mAh standard, 1500mAh
● RF controller
  ○ … for lights, etc.
● Radio upgrade
● Prop axle bushing replacement
● Upgraded camera
Attacks
● Using Telnet to get into the drone (no security, default is open)
● Typing “reboot” will cause the drone to restart, and it will fall, but can reconnect after it finishes restarting.
Attacks
● Using Telnet
● Using “netstat -pantu” then identifying the connected person and their TCP stream.
● Then typing “kill <pid>” will cause the drone to fall out of the sky. It needs to be restarted before it will fly again for any user.
Attack 1 Demo
Hardening
● Repeater
● AR.Assist – Windows Wizard
  ○ Use to connect drone to WiFi hotspot
● Now locked to that hotspot
● Can be permanent
http://www.shellware.com/BlogEngine.Web/post/2011/02/12/ARAssist-Infrastructure-Wi-Fi-Enabling-Your-ARDrone-Made-Easy.aspx
Hardening
● Reload the Linux kernel
● Lots of time and effort
Operation Stux2bu
● Attack 1: No security, reboot with lock-out capability
  ○ Responds to Telnet only
● Attack 2: With security, MAC Spoofing, Attack 1
● Attack 3: Jamming the signal
● Attack 4: Floss...in the rotors
Sources
http://www.shellware.com/BlogEngine.Web/post/2011/02/12/ARAssist-Infrastructure-Wi-Fi-Enabling-Your-ARDrone-Made-Easy.aspx
http://www.lawfareblog.com/2012/09/operation-stux2bu-layered-offense-and-defense-and-drone-cyberattacks/
https://www.robotappstore.com/Knowledge-Base/How-to-Program-ARDrone-Remotely-Over-WIFI/96.html
http://www.libcrack.so/2012/10/13/hacking-the-ar-drone-parrot/
http://dronemediaproject.com/resources-3/drone-hack/
http://dronescapes.com/dronepage3.html
http://droneflyers.com/2013/02/ar-drone-modifications/