This document discusses how drones could potentially be hacked through malware and network attacks. It describes how the Parrot AR.Drone 2.0 communicates over both radio frequency (RC) and WiFi networks and notes vulnerabilities in its protocols and software. Methods for infecting drones are proposed, such as modifying the Android control app to spread malware from a smart device to the drone or between drones when their networks overlap. The document provides technical details about the AR.Drone's hardware, software, and network configuration to support infecting it with malware.
3. 3
Speaker
Bio
• SEWORKS
Inc.
Chief
Technology
Officer
-‐ Develops
the
AnN-‐Decompiler
and
AnN-‐Reverse
Engineering
Tool
for
Android
and
Unity
applicaNons.
• WOWHACKER
Admin.
-‐ Qualified
for
DEFCON
CTF
hacking
contest
finals
five
Nmes.
-‐ Organized
SecuInside,
CodeGate,
ISEC
hacking
contests.
• Made
Android
and
Windows
mobile
anNvirus
applicaNons
in
2009.
• Presented
on
many
security
conferences
like
SecuInside
and
HITCON.
3Dongcheol
Hong
-‐
SEworks.Inc
4. 4
Abstract
• The
drone
systems
are
used
more
frequently
all
around
the
world.
• There
are
possibiliNes
that
the
drone
can
hack
into
other
computers
or
devices
• We
can
infect
a
malware
called
“HSDrone”
to
the
AR.Drone
2.0,
spread
malware
to
other
drones,
and
control
all
of
them.
4Dongcheol
Hong
-‐
SEworks.Inc
7. 7
RC
• 2.4GHz
3
or
4CH
• NEC
format
-‐ [Leader
Code][Custom
Code][Data
Code]
-‐ Leader
Code:
IniNalizaNon
of
a
signal
-‐ Custom
code:
IdenNfy
a
specific
device
-‐ Data
code
:
ExecuNon
code
• ZigBee
protocol
8. 8
ZigBee
• One
of
the
sensor
networks
• Security
support
• encrypNon
:
AES-‐CCM*
128
• Standard
:
802.15.4
No
Security
AES-‐CBC-‐MAC-‐32
~
128 Message
AuthenNcaNon
AES-‐CTR EncrypNon
Only
AES-‐CCM-‐32
~
128 Message
AuthenNcaNon
&
Enc
rypNon
9. 9
WIFI
• Recent
drone
systems
use
WIFI
connecNons,
which
are
now
used
widely
in
the
today’s
world.
• WIFI
connecNon
is
convenient
but
people
need
to
re-‐consider
about
its
security.
21. 21
Serial
connect
• UART
:
Target
host
pc
communicaNon.
• If
drone
does
not
support
pp
or
telnet,
serial
connecNon
has
to
be
used.
• It
was
broken
3
Nmes,
because
of
a
wrong
connecNon.
22. 22
Serial
connect
• Drone
mainboard
is
inside
the
boAom
cover.
RX
TX
GND
12V
23. 23
Pairing
• AR
Drone
has
a
pairing
system
for
security.
• Android
phone
support
pairing
mode.
iPhone
does
not
support.
• Default
Pairing
sesng
is
“off”.
•
iPhone Android
24. 24
Pairing
• Mac
address
check
• mac
address
access
do
not
permit
on
iOS
.
28. 28
AR.
Drone
• Parrot
AR.
Drone
is
a
commonly
and
widely
used
drone
in
the
world.
• Can
be
connected
through
smart
devices.
• Can
be
controlled
by
WIFI
connecNon
with
a
smart
device.
30. 30
How
to
infect
drone
1
Infect
Drone
Drone
malware
1.
Fake
App
can
infect
drone
2.
AAacker
can
infect
from
smart
device
at
the
drone's
networks
area.
Smart
Device
to
Drone
31. 31
How
to
infect
drone
2
Infected
Drone’s
network
area
Impacted
Drone
Normal
Drone
Normal
Drone’s
network
area
Infect
Drone
to
Drone
normal
drones
will
be
infected
if
a
infected
drone
enters
to
the
normal
drone’s
network
area.
32. 32
AcNvity
Infected
Drone’s
network
area
Impacted
Drone
Normal
Drone
Normal
Drone’s
network
area
1.
Malware
copy
2.
Motor
stop
1. Copy
and
replicate
itself
2. Shutdown
3. Other
working
like
GPS,
DNS
Pharming
34. HOW
TO
INFECT
-‐
1
FROM
SMART
DEVICE
Drone
aAack
by
malware
and
network
hacking
35. 35
Controller
App
modificaNon
• Recently,
a
lot
of
android
apps
are
modified
by
cracker.
• AR.
Drone
2.0
can
be
controlled
by
a
smartphone
app.
• Cracker
modifies
the
control
app
and
upload
on
the
internet.
• Medium
of
Spread
–
internet,
SMS,
E-‐mail,
market,
etc.
• Drone
is
infected
when
a
person
uses
the
fake
app.
36. 36
Controller
App
modificaNon
• We
can
modify
and
repackage
applicaNons
by
a
freeware
called
Apktool.
55. 55
Command
• kk
-‐ Motor
will
be
stopped.
• Change
to
master
56. 56
AT
Commands
• Drone
command
using
UDP
5556
port
AT*PCMD_MAG=21625,1,0,0,0,0,0,0<CR>AT*REF=21626,290717696<CR>
AT*PCMD_MAG=xx,xx,−1085485875,xx,xx,xx,xx.
57. 57
tcpdump
• Install
tcpdump
on
drone.
• We
can
capture
the
network
packet
aper
that.
• 192.168.1.5
is
controller’s
IP.
59. 59
ConfiguraNon
•
AlNtude
max
:
drone
can
go
fly
Nll
100000
(which
is
100
meters
from
the
ground)
• We
can
fly
to
some
GPS
locaNon
with
no
obstacle
AT*CONFIG=605,"control:alNtude_max","3000"
AT*CONFIG=605,"control:alNtude_max",
"100000"
60. 60
GPS
-‐ AR.
Drone
2.0
is
supports
GPS.
-‐ If
we
click
a
point
to
GPS
on
the
smart
device,
drone
will
move
to
the
place
requested.
-‐ The
user
can
go
back
to
the
GPS
registered
"home“
by
pressing
the
"home"
buAon.
-‐ Infected
drones
will
come
to
my
real
home
if
there
isn’t
any
obstacle.
68. 68
episode1
• Malware
replicated
itself
like
a
worm
and
somehow
destroyed
bootloader
and
made
two
drones
brick.
• I
tried
serial
communicaNon
using
UART
in
order
to
repair
brick
drones,
but
devices
was
not
even
able
to
boot
up.
• UART
does
not
work
when
UART
ports
are
misconfigured.
I
replaced
once
because
UART
itself
was
a
problem,
and
replaced
again
because
the
UART
was
broken
by
wrong
ports.
• One
drone
was
bought
in
Korea
and
another
drone
was
bought
in
other
country.
The
problem
was
that
I
was
able
to
get
a
free
replacement
for
the
drone
which
was
bought
in
Korea,
but
I
had
to
pay
for
the
drone’s
mainboard
which
was
bought
outside
Korea,
since
it
does
not
support
any
A/S.
I
paid
170$
overall.
69. 69
episode2
• Aper
malware
replicated
itself,
the
network
configuraNon
broke
out.
I
was
not
able
to
control
the
drone
at
the
end
• I
had
to
wait
for
drone
to
drain
its
baAery
since
it
was
out
of
control.
(drone
works
properly
for
around
10
minutes)
70. 70
Result
• Drone
malware
(HSDrone
that
I’ve
made)
can
spread
through
wireless
networks.
-‐ Smart
Device
to
Drone
-‐ Drone
to
Drone
• Can
control
other
drone
UDP
network
command.
• Malware
can
aAack
AP
DNS
Pharming.
• Drone
malwares
like
this
one
could
spread
and
aAack
your
computers,
APs,
smart
devices,
drones,
and
everything
in
the
future.
• It
is
dangerous,
drone
has
an
advantage
of
having
physical
distance
for
the
aAack
to
be
done.