Embed Size (px)
Citation preview
Drone WarsHow to weaponize your
droneJose L. Quiñones, BS
MCSA, RHCSA, CEHv8, GPEN, GCIH
About me
•UPR School of Medicine – IT Director•Obsidis Consortia, Inc. – President• Security BSides Puerto Rico – Organizer• Init6 - InfoSecurity User Group – Founder & Mentor• Technical Instructor - “The Cleaner”• Information Security Council - “Jedi Master”
What’s a UAV, UAS, MAVS …“Drone”?• Unmanned aerial vehicles (UAVS), also known as drones, are aircraft
either controlled by ‘pilots’ from the ground or increasingly, autonomously following a pre-programmed mission. • While there are dozens of different types of drones, they basically fall
into categories like: • those that are used for reconnaissance and surveillance purposes• those that are armed with missiles and bombs.• those created by the model aircraft community just for fun• those used for commercial, experimental or special purposes
https://www.faa.gov/uas/
These are not the drones your are
looking for …
Yep, this is it!
Parts of a Drone
• Frame• Flight Controller• Power Distribution• Electronic Speed Controllers (ESC)• Motors• Propellers• FPV receiver/transmitter• RC receiver/transmitter
Flight Controllers
• Multi-Wii• Based on Wii controller electronics, hard to setup but reliable. Configuration software is just a
bunch of sketches, and its really cheap. Has wide support for multiple peripherals
• APM• 8-bit old architecture, hard to setup but reliable. Open source solid software (ArduCopter),
really cheap. Supports bi-copter configuration (Avatar)
• CC3D• 32 bit architecture, open source software (open pilot), and cheap. You have to know how to fly.
• PixHawk• 32-bit, the evolution of the APM, Open source software (PX4), not for beginners. Numerous
options but expensive
• Naza m v2 /Lite• 32-bit, proprietary software, easy to set up and super stable. Limited options and expensive
RC Controller (9x)
• Models• Turnigy, FlySky, FrySky
• Channels• 6-9 minimum
• Standard transmitter/receiver • 2.4 Ghz• +/- 1 mile range
• Long Range• UHF multi kilometer range
FAA Rules of Engagement
• Always fly below 400 feet• If you are 5 miles from an airport notify the tower• Do not intentionally fly over unprotected persons or moving
vehicles, and remain at least 25 feet away•Must have clear vision of your aircraft at all times• Do not fly near or over sensitive infrastructure• Follow AMA’s safety guideline and privacy policy
… It will crash
Vulnerabilities
• Drone Jacking• 3DR (915Mhz ) radio telemetry can be intercepted and hijacked• http://samy.pl/skyjack/• Hak5 Hacking Drones
• https://www.youtube.com/watch?v=xKfY0PmKDRE
• DoS• Parrot AR /Phantom and other Wi-Fi enabled drones can be “pwn-down”• 2.4 Ghz Jamming is possible
• Surveillance• 5.8 Ghz video can be intercepted
Digital Video
• Cameras• GoPro / SJ4000• SLR
• Accessories• 3D Gimbal• Video Transmitter (5.8 Ghz)• goggles or monitor
Wireless Tech
• Wi-Fi hardware• Wi-Fi Pineapple Mark IV, V• Alfa Networks AWUS036XXX• High gain antennas (7, 9, 11, 27dbi)
• Blue tooth• Ubertooth One• SENA UD100 Industrial Bluetooth USB Adapter
• SDR-RTL• DVB-T TV tuner dongle based on the RTL2832U chipset
• Other RF tools• 915Mhz 3DR telemetry receiver• 5.8 Ghz video receiver
ARM Dev board
• Raspberry Pi• Cubieboard• Arduino• Neo GPS
Dev board comparison: http://codefidelio.org/?p=842
Electronics
• DC-to-DC voltage converter• Convert 3s/4s battery voltage to usable level 5V (DevBoard) - 12V (Pineapple)
• Power cables• Draw power from power distribution unit directly to Pineapple and DevBoard
• DC filter• Motors might introduce noise in the DC current making it unstable for some
applications.
• Lots of Velcro & Tie wraps• Just keeping things together
Calling back using the cloud
• Setup key exchange for SSH auth on all devices• ssh-keygen• ssh-copy-id [email protected]
•Use reverse SSH tunnel using 3G modem• ssh –R 8443:localhost:22 [email protected]
•Connect to my Linux VPS (Digital Ocean Droplet)• ssh [email protected]
• Connect to flying Drone thru the reverse connection to monitor or execute custom attacks• ssh localhost –p 8443
Call back script
Make it a mission
It all about location, location, location• Wigle.net API• Uses ESSID• https://wigle.net/wiki/index.cgi?API
• Google Maps API• https://developers.google.com/maps/
• Hubert’s iSniff-GPS• Apple private API uses BSSID• https://github.com/hubert3/iSniff-GPS
• Larry Pesce’s loc-nogps• https://github.com/haxorthematrix/loc-nogps
If it fits - it sniffs: Adventures in WarShipping
Larry PesceDerbycon 2014
http://www.irongeek.com/i.php?page=videos/derbycon4/t104-if-it-fits-it-sniffs-adventures-in-warshipping-larry-pesce
Thanks!
http://codefidelio.org@josequinones
