Automatic attack on drones by malware infection
SEWORKS INC. CTO WOWHACKER TEAM
Dongcheol Hong
INFORMATION
Drone malware attack
2 Dongcheol Hong - SEworks.Inc
Speaker Bio
• SEWORKS Inc. Chief Technology Officer
- Develops the Anti-Decompiler and Anti-Reverse Engineering Tool for Android applications.
• WOWHACKER Admin.
- Qualified 5 times for Defcon CTF hacking contest finals.
- Organized Secuinside, Codegate, ISEC hacking contests.
• Made Android and Windows mobile antivirus applications in 2009.
• Presented at many security conferences, such as Secuinside and Hitcon.
Abstract
• Recently, many drone systems have appeared around the world.
• People think that drones can only be hacked using network attacks.
• Drone systems are developing rapidly.
• Let's look at the world-famous drone, the AR.Drone 2.0.
• We can infect the AR.Drone 2.0 with malware called "HSDrone", spread the malware to other drones, and control all of them.
ABOUT THE DRONE MALWARE
Communication
• Many older drone systems communicate over radio frequency.
• It is difficult to spread malware via radio frequency communication.
• However, drone systems are becoming more advanced, and WIFI connections are now widely used.
• WIFI connections are convenient, but people need to consider their security.
How are drone systems upgraded
• Network
- WIFI control
- GPS System
- Attempts at control via internet access
• Smart device
- Control by smart device (Android, iOS)
AR.Drone 2.0
• The Parrot AR.Drone 2.0 is a commonly used and widely distributed drone.
• It can connect with smart devices.
• It can be controlled over a WIFI connection from a smart device.
INSIDE THE AR.DRONE
WIFI
• The AR.Drone uses a WIFI connection.
AR.Drone Controller
• The AR.Drone is controlled by an app on a smart device.
Telnet
• The AR.Drone is running a Telnet daemon.
FTP
• The AR.Drone is running an FTP daemon.
• The base directory is /data/video.
program.elf
• /bin/program.elf is an important file.
• The motor stops when the program.elf process is killed using /bin/kk.
Network
• Network
• Atheros chipset : ath0
Session profile
Open source project
• It has an open source project but this project is neither supported nor endorsed by Parrot S.A.
• https://github.com/ardrone/ardrone
Decompile on Android App
HSDRONE MALWARE
Development Environment
AR. Drone 2.0 two GPS Beagle board Laptop
Processor information
• ARM processor
• Code has to be compiled for ARM
Network
• The drone has to scan for other drones.
• Master mode cannot scan wireless networks.
How to infect drone 1
Smart Device to Drone
[Diagram labels: Infect, Drone, Drone malware]
1. A fake app can infect the drone.
2. An attacker can infect the drone from a smart device within the drone's network area.
How to infect drone 2
Drone to Drone
[Diagram labels: Infected Drone's network area, Impacted Drone, Normal Drone, Normal Drone's network area, Infect]
Normal drones will be infected if an infected drone enters a normal drone's network area.
Activity
[Diagram labels: Infected Drone's network area, Impacted Drone, Normal Drone, Normal Drone's network area; 1. Malware copy, 2. Motor stop]
1. Copy and replicate itself
2. Motor stop
3. GPS
4. DNS Pharming
HOW TO INFECT - 1 FROM SMART DEVICE
Controller App modification
• Recently, many Android apps have been modified by crackers.
• The AR.Drone 2.0 can be controlled by a smartphone app.
• A cracker modifies the control app and uploads it to the internet.
• Means of spreading: internet, SMS, e-mail, app markets, etc.
• The drone is infected when a person uses the fake app.
Controller App modification
• We can modify and repackage applications using a free tool called Apktool.
Controller App modification
• Smali code
Android malware
• Uses a thread for network communications
• The AR.Drone 2.0 IP is 192.168.1.1
FTP upload 1
• FTP connection
• File copy
Asset file
FTP upload 2
• FTP upload
Telnet
• Telnet connection
• Command
Malware
• Inside the drone.
HOW TO INFECT - 2 DRONE TO DRONE
Scanning
• Change the network to "managed" mode.
• The drone repeatedly scans for other drones using the fork function.
Connect to other drone
• Connect if another AR.Drone's AP exists.
Connect to other drone
• The drone successfully connects to another drone's AP.
Boot
• The malware has to execute during the boot-up sequence.
Action
• Repeat scanning until the attacker drone finds other drones.
• Connect to the AR.Drone's AP if found.
• FTP upload itself.
• Telnet connection.
• Permission setting (execute).
• Boot setting.
FTP upload itself
• FTP login to the other drone.
• Upload itself.
The Cmdftp source was used as a reference.
ACTIVITY
Command
• HSDrone connects a socket.
Command
• Make a directory
• Copy
• Permission setting
Command
• kk
- Motor will be stopped.
• Change to master mode
AT Commands
• Drone commands use UDP port 5556.
AT*PCMD_MAG=21625,1,0,0,0,0,0,0<CR>
AT*REF=21626,290717696<CR>
AT*PCMD_MAG=xx,xx,-1085485875,xx,xx,xx,xx
AT Commands
• Information on these commands can be found in the developer guide.
Configuration
• Altitude max: the drone's maximum altitude is set to 100000 (100 meters from the ground).
• We can fly to a GPS location without obstacles.
AT*CONFIG=605,"control:altitude_max","3000"
AT*CONFIG=605,"control:altitude_max","100000"
tcpdump
• Install tcpdump on the drone.
• After that, we can capture network packets.
• 192.168.1.5 is the controller's IP.
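An added example, not from the original slides: a small auditor for AT command datagrams captured on UDP port 5556 that flags commands from a sender other than the expected controller and `control:altitude_max` values above a ceiling. The ceiling, the second sender address and the sample capture are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the original slides): the policy values and SAMPLE below.
EXPECTED_CONTROLLER = "192.168.1.5"  # controller IP named on the tcpdump slide
ALTITUDE_MAX_CEILING = 3000          # assumed policy ceiling; the lower value on the slide

AT_RE = re.compile(r'^AT\*(?P<name>[A-Z_]+)=(?P<seq>\d+)(?:,(?P<args>.*))?$')
ARG_RE = re.compile(r'"[^"]*"|[^,]+')  # quoted strings or bare numeric arguments


def parse_datagram(payload):
    """Split one UDP 5556 payload into (name, sequence, [args]) tuples."""
    commands = []
    for line in re.split(r'[\r\n]+', payload.strip()):
        m = AT_RE.match(line.strip())
        if not m:
            continue  # not an AT command; skip rather than guess
        raw = m.group("args") or ""
        args = [a.strip().strip('"') for a in ARG_RE.findall(raw)]
        commands.append((m.group("name"), int(m.group("seq")), args))
    return commands


def audit(datagrams):
    """Return (src, seq, reason) alerts for (src_ip, payload) pairs."""
    alerts = []
    for src, payload in datagrams:
        for name, seq, args in parse_datagram(payload):
            if src != EXPECTED_CONTROLLER:
                alerts.append((src, seq, f"{name} from unexpected sender"))
            if name == "CONFIG" and len(args) == 2 and args[0] == "control:altitude_max":
                # Non-numeric values are flagged too, since they cannot be checked.
                if not args[1].isdigit() or int(args[1]) > ALTITUDE_MAX_CEILING:
                    alerts.append((src, seq, f"altitude_max set to {args[1]}"))
    return alerts


# Constructed capture; command strings follow the forms shown on the slides,
# with the slides' <CR> written as a real carriage return.
SAMPLE = [
    ("192.168.1.5", "AT*PCMD_MAG=21625,1,0,0,0,0,0,0\rAT*REF=21626,290717696\r"),
    ("192.168.1.5", 'AT*CONFIG=605,"control:altitude_max","3000"\r'),
    ("192.168.1.7", 'AT*CONFIG=606,"control:altitude_max", "100000"\r'),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```
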
Packet capture
GPS
- The AR.Drone 2.0 supports GPS.
- If we click a GPS point on the smart device, the drone will go to that place.
- The user can go back to the GPS-registered "home" by pressing the "home" button.
- Infected drones will come to my real home if there isn't any obstacle.
GPS
DNS Pharming
• Drones can change the DNS settings of some vulnerable APs during flight.
AP
• No encryption
• Default password
• Access administrator mode from wireless
DNS Server change
• DNS can be changed in administrator mode.
dnsmasq
dnsmasq
• /etc/dnsmasq.conf
• 8.8.8.8 is Google's DNS server
DNS
Pharming
Result
• Drone malware (HSDrone, which I made) can spread through wireless networks.
- Smart Device to Drone
- Drone to Drone
• Can control other drones with UDP network commands.
• Malware can attack APs with DNS pharming.
• Drone malware like this could spread and attack your computers, APs, smart devices, drones, and everything else in the future.
• It is dangerous: a drone has the advantage of physical distance when carrying out the attack.
Thank you.
Dongcheol Hong