This document discusses how drones could potentially be hacked through malware and network attacks. It describes how the Parrot AR.Drone 2.0 communicates over both radio frequency (RC) and WiFi networks and notes vulnerabilities in its protocols and software. Methods for infecting drones are proposed, such as modifying the Android control app to spread malware from a smart device to the drone or between drones when their networks overlap. The document provides technical details about the AR.Drone's hardware, software, and network configuration to support infecting it with malware.

1. Confidential to SEWORKS
Copyright ©2014 SEWORKS Inc. All rights reserved.
SEWORKS
INC.
CTO
WOWHACKER
TEAM
hinehong@seworks.co.kr
Dongcheol
Hong
(hinehong)

2. INFORMATION
Drone
aAack
by
malware
and
network
hacking

3. 3
Speaker
Bio
• SEWORKS
Inc.
Chief
Technology
Officer
-­‐ Develops
the
AnN-­‐Decompiler
and
AnN-­‐Reverse
Engineering
Tool
for
Android
and
Unity
applicaNons.
• WOWHACKER
Admin.
-­‐ Qualified
for
DEFCON
CTF
hacking
contest
finals
five
Nmes.
-­‐ Organized
SecuInside,
CodeGate,
ISEC
hacking
contests.
• Made
Android
and
Windows
mobile
anNvirus
applicaNons
in
2009.
• Presented
on
many
security
conferences
like
SecuInside
and
HITCON.
3Dongcheol
Hong
-­‐
SEworks.Inc

4. 4
Abstract
• The
drone
systems
are
used
more
frequently
all
around
the
world.
• There
are
possibiliNes
that
the
drone
can
hack
into
other
computers
or
devices
• We
can
infect
a
malware
called
“HSDrone”
to
the
AR.Drone
2.0,
spread
malware
to
other
drones,
and
control
all
of
them.
4Dongcheol
Hong
-­‐
SEworks.Inc

5. 5
Drone
hacking
• Network
-­‐ RC
:
Radio
controller
-­‐ WIFI
:
smart
device
• Malware
-­‐ Smart
applicaNon
-­‐ Drone
executable
file
• GPS
or
Gyro
Sensor
jamming

6. NETWORK
Drone
aAack
by
malware
and
network
hacking

7. 7
RC
• 2.4GHz
3
or
4CH
• NEC
format
-­‐ [Leader
Code][Custom
Code][Data
Code]
-­‐ Leader
Code:
IniNalizaNon
of
a
signal
-­‐ Custom
code:
IdenNfy
a
specific
device
-­‐ Data
code
:
ExecuNon
code
• ZigBee
protocol

8. 8
ZigBee
• One
of
the
sensor
networks
• Security
support
• encrypNon
:
AES-­‐CCM*
128
• Standard
:
802.15.4
No
Security
AES-­‐CBC-­‐MAC-­‐32
~
128 Message
AuthenNcaNon
AES-­‐CTR EncrypNon
Only
AES-­‐CCM-­‐32
~
128 Message
AuthenNcaNon
&
Enc
rypNon

9. 9
WIFI
• Recent
drone
systems
use
WIFI
connecNons,
which
are
now
used
widely
in
the
today’s
world.
• WIFI
connecNon
is
convenient
but
people
need
to
re-­‐consider
about
its
security.

10. INSIDE
THE
AR.DRONE
Drone
aAack
by
malware
and
network
hacking

11. 11
Network
• AR.
Drone
uses
WIFI
connecNon.

12. 12
AR.Drone
Controller
• AR.
Drone
is
controlled
by
smart
device’s
App.

13. 13
Telnet
• AR.Drone
runs
a
telnet
daemon.

14. 14
FTP
• AR.Drone
runs
a
FTP
daemo
• Basic
directory
is
/data/video

15. 15
program.elf
• /bin/program.elf
is
an
important
file.
• Motor
will
not
funcNon
if
program.elf
process
is
killed
by
/bin/kk

16. 16
Network
• Network
• Atheros
chipset
:
ath0

17. 17
Processer
informaNon
• ARM
processer

18. 18
Network
• drone
has
to
scan
other
drones.
• Master
mode
can
not
scan
wireless
networks.

19. 19
Network
• Ath0
do
not
support
key

20. 20
Decompile
on
Android
App

21. 21
Serial
connect
• UART
:
Target
host
pc
communicaNon.
• If
drone
does
not
support
pp
or
telnet,
serial
connecNon
has
to
be
used.
• It
was
broken
3
Nmes,
because
of
a
wrong
connecNon.

22. 22
Serial
connect
• Drone
mainboard
is
inside
the
boAom
cover.
RX
TX
GND
12V

23. 23
Pairing
• AR
Drone
has
a
pairing
system
for
security.
• Android
phone
support
pairing
mode.
iPhone
does
not
support.
• Default
Pairing
sesng
is
“off”.
•
iPhone Android

24. 24
Pairing
• Mac
address
check
• mac
address
access
do
not
permit
on
iOS
.

25. 25
Pairing
• iptables

26. 26
Pairing

27. DRONE
MALWARE
Drone
aAack
by
malware
and
network
hacking

28. 28
AR.
Drone
• Parrot
AR.
Drone
is
a
commonly
and
widely
used
drone
in
the
world.
• Can
be
connected
through
smart
devices.
• Can
be
controlled
by
WIFI
connecNon
with
a
smart
device.

29. 29
Development
Environment
AR.
Drone
2.0
two
GPS
Beagle
board
Laptop

30. 30
How
to
infect
drone
1
Infect
Drone
Drone
malware
1.
Fake
App
can
infect
drone
2.
AAacker
can
infect
from
smart
device
at
the
drone's
networks
area.
Smart
Device
to
Drone

31. 31
How
to
infect
drone
2
Infected
Drone’s
network
area
Impacted
Drone
Normal
Drone
Normal
Drone’s
network
area
Infect
Drone
to
Drone
normal
drones
will
be
infected
if
a
infected
drone
enters
to
the
normal
drone’s
network
area.

32. 32
AcNvity
Infected
Drone’s
network
area
Impacted
Drone
Normal
Drone
Normal
Drone’s
network
area
1.
Malware
copy
2.
Motor
stop
1. Copy
and
replicate
itself
2. Shutdown
3. Other
working
like
GPS,
DNS
Pharming

33. 33
Fake
app

34. HOW
TO
INFECT
-­‐
1
FROM
SMART
DEVICE
Drone
aAack
by
malware
and
network
hacking

35. 35
Controller
App
modificaNon
• Recently,
a
lot
of
android
apps
are
modified
by
cracker.
• AR.
Drone
2.0
can
be
controlled
by
a
smartphone
app.
• Cracker
modifies
the
control
app
and
upload
on
the
internet.
• Medium
of
Spread
–
internet,
SMS,
E-­‐mail,
market,
etc.
• Drone
is
infected
when
a
person
uses
the
fake
app.

36. 36
Controller
App
modificaNon
• We
can
modify
and
repackage
applicaNons
by
a
freeware
called
Apktool.

37. 37
Controller
App
modificaNon
• Smali
code

38. 38
Android
malware
• Using
thread
for
network
communicaNons
•
AR.
Drone
2.0
IP
is
192.168.1.1

39. 39
FTP
upload
1
• FTP
connecNon
• File
copy
Asset
file

40. 40
FTP
upload
2
• FTP
upload

41. 41
Telnet
• ConnecNon
telnet
• Command

42. 42
Malware
• Inside
of
drone.

43. HOW
TO
INFECT
-­‐
2
DRONE
TO
DRONE
Drone
aAack
by
malware
and
network
hacking

44. 44
Mode
change
• Network
mode
can
be
changed
to
“managed”
using
iwconfig
command.

45. 45
Scanning
• We
can
scan
other
AR.Drone
and
AP.

46. 46
Scanning
• Change
network
to
“managed”
mode.
• Drone
repeat
scan
to
other
drones
using
fork
funcNon.

47. 47
Connect
to
other
drone
• Connect
if
other
AR.Drone’s
AP
exists

48. 48
Connect
to
other
drone
• Drone
succeeds
connecNng
to
another
drone’s
AP

49. 49
Boot
• Malware
has
to
execute
in
the
boot-­‐up
sequence.

50. 50
AcNon
• Repeat
unNl
the
aAacker
drone
scans
to
other
drones.
• Connect
to
AR.Drone’s
AP
if
found.
• FTP
upload
itself.
• Telnet
connecNon.
• Permission
sesng(execute).
• boot
sesng.

51. 51
FTP
upload
itself
• FTP
login
to
other
drone.
• Upload
itself
Reference
was
Cmdpp
source.

52. ACTIVITY
Drone
aAack
by
malware
and
network
hacking

53. 53
Command
• HSDrone
connect
socket.

54. 54
Command
• Make
a
directory
• Copy
• Permission
sesng

55. 55
Command
• kk
-­‐ Motor
will
be
stopped.
• Change
to
master

56. 56
AT
Commands
• Drone
command
using
UDP
5556
port
AT*PCMD_MAG=21625,1,0,0,0,0,0,0<CR>AT*REF=21626,290717696<CR>
AT*PCMD_MAG=xx,xx,−1085485875,xx,xx,xx,xx.

57. 57
tcpdump
• Install
tcpdump
on
drone.
• We
can
capture
the
network
packet
aper
that.
• 192.168.1.5
is
controller’s
IP.

58. 58
Packet
capture

59. 59
ConfiguraNon
•
AlNtude
max
:
drone
can
go
fly
Nll
100000
(which
is
100
meters
from
the
ground)
• We
can
fly
to
some
GPS
locaNon
with
no
obstacle
AT*CONFIG=605,"control:alNtude_max","3000"
AT*CONFIG=605,"control:alNtude_max",
"100000"

60. 60
GPS
-­‐ AR.
Drone
2.0
is
supports
GPS.
-­‐ If
we
click
a
point
to
GPS
on
the
smart
device,
drone
will
move
to
the
place
requested.
-­‐ The
user
can
go
back
to
the
GPS
registered
"home“
by
pressing
the
"home"
buAon.
-­‐ Infected
drones
will
come
to
my
real
home
if
there
isn’t
any
obstacle.

61. 61
GPS

62. 62
DNS
Pharming
No
encrypNon
Default
password
Access
administrator
mode
from
wireless
• Drones
can
change
some
vulnerable
AP’s
DNS
during
the
fly.

63. 63
DNS
Server
change
• Can
change
DNS
on
Administrator
mode

64. 64
dnsmasq

65. 65
dnsmasq
• /etc/dnsmasq.conf
• 8.8.8.8
is
Google
DNS
Server

66. 66
DNS

67. 67
Pharming

68. 68
episode1
• Malware
replicated
itself
like
a
worm
and
somehow
destroyed
bootloader
and
made
two
drones
brick.
• I
tried
serial
communicaNon
using
UART
in
order
to
repair
brick
drones,
but
devices
was
not
even
able
to
boot
up.
• UART
does
not
work
when
UART
ports
are
misconfigured.
I
replaced
once
because
UART
itself
was
a
problem,
and
replaced
again
because
the
UART
was
broken
by
wrong
ports.
• One
drone
was
bought
in
Korea
and
another
drone
was
bought
in
other
country.
The
problem
was
that
I
was
able
to
get
a
free
replacement
for
the
drone
which
was
bought
in
Korea,
but
I
had
to
pay
for
the
drone’s
mainboard
which
was
bought
outside
Korea,
since
it
does
not
support
any
A/S.
I
paid
170$
overall.

69. 69
episode2
• Aper
malware
replicated
itself,
the
network
configuraNon
broke
out.
I
was
not
able
to
control
the
drone
at
the
end
• I
had
to
wait
for
drone
to
drain
its
baAery
since
it
was
out
of
control.
(drone
works
properly
for
around
10
minutes)

70. 70
Result
• Drone
malware
(HSDrone
that
I’ve
made)
can
spread
through
wireless
networks.
-­‐ Smart
Device
to
Drone
-­‐ Drone
to
Drone
• Can
control
other
drone
UDP
network
command.
• Malware
can
aAack
AP
DNS
Pharming.
• Drone
malwares
like
this
one
could
spread
and
aAack
your
computers,
APs,
smart
devices,
drones,
and
everything
in
the
future.
• It
is
dangerous,
drone
has
an
advantage
of
having
physical
distance
for
the
aAack
to
be
done.

71. Confidential to SEWORKS
Copyright ©2014 SEWORKS Inc. All rights reserved.
71
THANK
YOU