1 / 20

The Parrot AR.drone 2.0

Nate Krussel , Maxine Major, and Theora Rice. The Parrot AR.drone 2.0. Overview. Parrot AR Drone 2.0 Purchased off Amazon ~ $300 for everybody 2 day prime shipping Works out of the box No assembly required, charge the battery, download the application and fly

delora
Télécharger la présentation

The Parrot AR.drone 2.0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Nate Krussel, Maxine Major, and Theora Rice The Parrot AR.drone 2.0

  2. Overview • Parrot AR Drone 2.0 • Purchased off Amazon • ~ $300 for everybody • 2 day prime shipping • Works out of the box • No assembly required, charge the battery, download the application and fly • Comes with special hull for flying indoors • Embedded Linux on SOC Atheros chipset

  3. Overview • Free Flight App • Runs on Android and IOS • No Windows phone app • Uses gyros and accelerometers to control the flight • Failsafe: if hands not on device, drone attempts to hover in place.

  4. Early Thoughts • Experiments • Use Wireshark to sniff traffic • Take over drone control • App and PC • Hijack the video • Hard crash the drone, similar to the emergency landing built into the drone

  5. Wireshark • Connected the AR.Drone wifi to sniff the traffic • Pattern Identification • Wireshark didn’t show any traffic • ARP packets, not much else

  6. Wireshark • Conclusion • Wireshark couldn’t identify packets used to transmit data • Used a packet different from normal TCP/IP and didn’t know how to display it • Need to use a raw packet dump and try to analyze it that way

  7. Drone Hacks \ Mods • Hack#1: Program Drone over Wi-fi • Node.js • Platform built on Chrome’s Javascript runtime • Install AR Drone module • Client for controlling AR Drone (nodecopter.com) • Save flight commands to file • Auto-execute drone actions • This method also included untrusted .js files

  8. Drone Hacks \ Mods • Hack#2: Program Drone over Wi-fi • Packets sent as UDP/TCP • Single UDP contains 1+ command(s) • AT*REF: takeoff, landing, reset, stop • Ports: • Port 5556- UDP packets with regular commands • Port 5554- Reply UDP data packets from AR.Drone • Port 5555- Reply video stream packets from AR.Drone • Port 5559- TCP packets for critical data that cannot be lost usually for configuration

  9. Drone Hacks \ Mods • Hack#3: Exploration of internals • Airodump-ng capture of drone wifiRevealed open access point • Aireplay -0 deauth attack • Arp scans • Nmap • ftp, telnet ports left open

  10. Projecting Video …The Hard Way

  11. Projecting Video …The Easy Way • Telnettelnet 192.168.1.1 • ffplay (ffmpeg)ffplay tcp://192.168.1.1:5555

  12. Video Demo

  13. Optional Modifications • Blinking LED lights • Upgraded Blades/Rotors • Long-life replacement batteries • 1000mAh standard, 1500mAh • RF controller • … for lights, etc. • Radio upgrade • Prop axle brushing replacement • Upgraded camera

  14. Attacks • Using Telnet to get into the drone (no security, default is open) • Typing “Reboot” will cause the drone to restart, and it will fall, but can reconnect after it finishes restarting.

  15. Attacks • Using Telnet • Using “netstat –pantu” then identifying the connected person and their TCP stream. • Then typing “Kill <pid>” will cause the drone to fall out of the sky, it needs to be restarted before it will fly again from any user.

  16. Attack 1 Demo

  17. Hardening • Repeater • AR.Assist – Windows Wizard • Use to connect drone to WiFi hotspot • Now locked to that hotspot • Can be permanent • http://www.shellware.com/BlogEngine.Web/post/2011/02/12/ARAssist-Infrastructure-Wi-Fi-Enabling-Your-ARDrone-Made-Easy.aspx

  18. Hardening • Reload the linux kernel • Lots of time and effort

  19. Operation Stux2bu • Attack 1 • No security, reboot with lock-out capability • Responds to Telnet only • Attack 2 • With security, MAC Spoofing, Attack 1 • Attack 3 • Jamming the signal • Attack 4 • Floss...in the rotors

  20. Sources • http://www.shellware.com/BlogEngine.Web/post/2011/02/12/ARAssist-Infrastructure-Wi-Fi-Enabling-Your-ARDrone-Made-Easy.aspx • http://www.lawfareblog.com/2012/09/operation-stux2bu-layered-offense-and-defense-and-drone-cyberattacks/ • https://www.robotappstore.com/Knowledge-Base/How-to-Program-ARDrone-Remotely-Over-WIFI/96.html • http://www.libcrack.so/2012/10/13/hacking-the-ar-drone-parrot/ • http://dronemediaproject.com/resources-3/drone-hack/ • http://dronescapes.com/dronepage3.html • http://droneflyers.com/2013/02/ar-drone-modifications/

More Related