Dronejack is our master's degree research project on drone security, done at INRIA. We used Parrot drones (AR Drone) for this project, but I'm sure it can be applied to any drone with open communications. The purpose of this project is to show the vulnerabilities of these drones and how to secure them.
The first basic attack, apart from telnet: shutdown now (which might hurt the drone), is to spoof a navigation control packet using scapy.
@todo
You can find the Python script under /attack/spoof-navcontrol/spoof.py. To use it, you'll need to connect to the drone's Wi-Fi and get the drone and phone information, such as IP and MAC addresses.
python spoof.py [params]
Params:
- --seq=X to manually set the sequence number (default: 999999)
- --phoneip=X to manually set the owner device IP
- --droneip=X to manually set the drone IP (default: 192.168.1.1)
- --phonemac=X to set the owner device MAC
- --dronemac=X to set the drone MAC (default: 90:03:b7:e8:55:72)
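Seen from the defender's side, a spoofed navigation control packet stands out in a capture by its sender or by a break in the sequence numbering. The following is an added example, not code from the Dronejack repository: it assumes control payloads are the ASCII AT*NAME=<seq>,... commands of the AR.Drone SDK, and the function name, the max_step threshold, the MAC addresses and the sample packets are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: control payloads are ASCII "AT*NAME=<seq>,<args>" commands and
# the sequence number is the first field after '='.
AT_RE = re.compile(r"AT\*[A-Z_]+=(\d+)")

@dataclass
class Alert:
    index: int      # position of the packet in the capture
    src_mac: str
    reason: str

def detect_spoofed_control(packets, owner_mac, max_step=500):
    """Flag control packets that break the owner's session pattern.

    packets: iterable of (src_mac, payload) in capture order.
    max_step: largest forward sequence jump accepted as normal (assumed value).
    """
    alerts, last_seq = [], None
    for i, (src_mac, payload) in enumerate(packets):
        m = AT_RE.search(payload)
        if m is None:
            continue                      # not a control command
        seq = int(m.group(1))
        if src_mac.lower() != owner_mac.lower():
            alerts.append(Alert(i, src_mac, "unexpected source MAC"))
        elif last_seq is not None and seq - last_seq > max_step:
            # A spoofed owner MAC still shows up as a sequence discontinuity.
            alerts.append(Alert(i, src_mac, f"sequence jump {last_seq} -> {seq}"))
        else:
            last_seq = seq                # only trusted packets move the baseline
    return alerts

# Constructed sample capture (addresses and payloads are made up).
OWNER = "aa:bb:cc:00:00:01"
SAMPLE = [
    (OWNER, "AT*PCMD=101,0,0,0,0,0\r"),
    (OWNER, "AT*PCMD=102,0,0,0,0,0\r"),
    (OWNER, "AT*PCMD=999999,0,0,0,0,0\r"),             # owner MAC, page's default seq
    ("aa:bb:cc:00:00:99", "AT*PCMD=103,0,0,0,0,0\r"),  # unknown sender
    (OWNER, "AT*PCMD=103,0,0,0,0,0\r"),
]

if __name__ == "__main__":
    for alert in detect_spoofed_control(SAMPLE, OWNER):
        print(alert)
```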
Web-based application to take control of a Parrot drone. It is greatly inspired by skyjack [5] for the takeover part and drone-browser [6] for the interface and control.
This app was made with and for Kali Linux. It requires a bunch of external tools which are available natively on Kali.
- Wireless adapter which supports monitor mode and raw packet injection
- NodeJs (and npm)
- Aircrack-ng
- Arp-scan
- Run node app.js
- Follow CLI steps (scan, deauth, connect, init navigation)
- Go to http://localhost:3000/
- Take over the drone
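The deauth step in this workflow is observable by anyone monitoring the channel, because on a network without protected management frames the deauthentication frames travel in the clear. As an added example (not code from this project), the detector below counts deauthentication and disassociation frames per BSSID in a sliding window; the helper names, the window and threshold values and the sample frames are constructed, and frames are assumed to have their radiotap header already removed.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10    # 802.11 management frame subtypes

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid) for a management frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:   # type 0 = management
        return None
    return frame[0] >> 4, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])

def deauth_bursts(frames, window=1.0, threshold=5):
    """Map each BSSID to the time its deauth/disassoc rate first hit the threshold.

    frames: iterable of (timestamp, raw 802.11 frame with radiotap header removed).
    window and threshold are assumed tuning values.
    """
    recent, alerts = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        bssid = parsed[3]
        times = recent[bssid]
        times.append(ts)
        while ts - times[0] > window:     # drop frames older than the window
            times.popleft()
        if len(times) >= threshold:
            alerts.setdefault(bssid, ts)
    return alerts

def build_frame(subtype, dst, src, bssid, body=b"\x07\x00"):
    """Build a minimal management frame for the constructed sample below."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + raw(dst) + raw(src)
            + raw(bssid) + b"\x00\x00" + body)

DRONE = "90:03:b7:e8:55:72"   # default drone MAC quoted on this page
PHONE = "aa:bb:cc:00:00:01"   # constructed owner device MAC
SAMPLE = (
    [(0.0, build_frame(8, "ff:ff:ff:ff:ff:ff", DRONE, DRONE)),      # beacon
     (0.5, build_frame(DEAUTH, DRONE, PHONE, DRONE))]               # lone deauth
    + [(10.0 + i * 0.125, build_frame(DEAUTH, PHONE, DRONE, DRONE)) for i in range(6)]
)

if __name__ == "__main__":
    print(deauth_bursts(SAMPLE))
```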
The next attack is to spy on the video stream without the real user knowing. Because the video stream relies on TCP to send data to the first connected user, we can't connect to it easily without disconnecting the owner. So the attack consists of spying on the Wi-Fi communication between the drone and the owner's phone (using Wireshark):
- start Wireshark and filter video packets: ip.src==192.168.1.1 and tcp.port==5555
- capture packets for a while and save them as capture.pcap
- extract the packets' raw data: tcptrace -e capture.pcap
- convert the .dat files to AVI: ffmpeg -f h264 -i *.dat capture.avi
- be sure that the video streaming is up
- You need to be root
- ffmpeg must be installed
- open the video while capturing the packets
python capture_live_videostream.py | ffplay -window_title Video_Ar_Drone2.0 -framedrop -f h264 -i /dev/stdin
For an unlimited video capture, you should remove the count=5000 option in capture_live_videostream.py.
@todo toutdoux
The first step is to successfully compile a C program for AR Drone. To do that we'll need to install some packages first.
sudo apt-get update
sudo apt-get install build-essential linux-libc-dev wget bzip2 ncurses-dev git cmake cmake-curses-gui cmake-qt-gui config-manager wput
Then create a folder to put the toolchain files and binaries. Download the Code Sourcery ARM toolchain and extract it.
mkdir YOUR_PATH
cd YOUR_PATH
wget https://sourcery.mentor.com/public/gnu_toolchain/arm-none-linux-gnueabi/arm-2013.05-24-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
tar -xf arm-2013.05-24-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
For 64-bit Linux you'll need to install these packages as well:
sudo apt-get install lib32z1 lib32ncurses5
Then you will need to set up environment variables to help find the compiler. To do that, create a setup file in your previously created folder (for example with touch setupARMCrossCompile) containing:
echo "Setting up the Cross Compiler Environment"
# Path to bin directory of the compiler
export PATH="YOUR_PATH/arm-2013.05/bin":$PATH
# prefix of all the tools in a toolchain
export CCPREFIX="YOUR_PATH/arm-2013.05/bin/arm-none-linux-gnueabi-"
Now make it executable and add it to your .bashrc
chmod +x YOUR_PATH/setupARMCrossCompile
echo "source YOUR_PATH/setupARMCrossCompile" >> ~/.bashrc
Close and reopen the terminal. If you see "Setting up the Cross Compiler Environment", your compiler environment should be set up.
- install vagrant
- install virtualbox
- init the VM: vagrant init ardronedev http://files.vagrantup.com/precise32.box
- launch the VM: vagrant up
- connect to the VM: vagrant ssh
Then in the vm install the needed programs and tools
# compiling programs and curl
sudo apt-get install build-essential curl
# retrieve arm toolchain from code sourcery
curl -OL https://sourcery.mentor.com/public/gnu_toolchain/arm-none-linux-gnueabi/arm-2013.05-24-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
# extract it
tar -xf arm-2013.05-24-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
# add ownership
chown -R vagrant:vagrant arm-2013.05
# remove archive to save space
rm -rf arm-2013.05-24-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
To pass files to the vagrant box you can use scp (WinSCP for instance):
- host : 127.0.0.1
- port : 2222
- id : vagrant
- pass : vagrant
It's now time to make your first C program and test it on your drone.
#include <stdio.h>

int main(void) {
    /* Printed in the telnet console when run on the drone */
    printf("Hello Drone\n");
    return 0;
}
Compile, put it on the drone (FTP) and run the program (TELNET) to see if it works.
arm-none-linux-gnueabi-gcc hello.c -o Drone_hello
## [...] Connect to the drone Wifi, transfer the file via ftp then :
telnet 192.168.1.1
cd /data/video
chmod +x Drone_hello
./Drone_hello
It should print Hello Drone in the telnet console.
Now that we have a working dev environment, we can compile a real program to put on our drone. Here are the steps to compile wpa_supplicant, which can be used to secure the Wi-Fi link between the phone and the drone.
# Download and extract wpa_supplicant
curl -OL http://hostap.epitest.fr/releases/wpa_supplicant-2.0.tar.gz
tar -zxf wpa_supplicant-2.0.tar.gz
# Copy the default .config file
cd wpa_supplicant-2.0/wpa_supplicant/
cp defconfig .config
nano .config
Remove or comment out the line CONFIG_DRIVER_NL80211=y and add these lines at the bottom:
# [...]
# Driver interface for Linux drivers using the nl80211 kernel interface
#CONFIG_DRIVER_NL80211=y
# [...]
export SOURCERY=/home/vagrant/arm-2013.05
export TOOL_PREFIX="${SOURCERY}/bin/arm-none-linux-gnueabi-"
export CXX="${TOOL_PREFIX}g++"
export AR="${TOOL_PREFIX}ar"
export RANLIB="${TOOL_PREFIX}ranlib"
export CC="${TOOL_PREFIX}gcc"
export LINK="${CXX}"
Save and close the file (Ctrl+X) and run make. If everything runs without errors, you should have three generated binaries in the current folder: wpa_supplicant, wpa_cli and wpa_passphrase.
@todo
- [1] Hacking and securing the AR.Drone 2.0 quadcopter - Johann Pleban & Reiner Creutzburg
- [2] ARDrone corruption - Eddy Deligne
- [3] AR.Drone: security threat analysis and exemplary attack to track persons - Fred Samland, Jana Fruth, Mario Hildebrandt, Tobias Hoppe, Jana Dittmann
- [4] Node AR Drone
- [5] Skyjack - Samy Kamkar
- [6] Drone Browser
- [7] Let's hack a drone! - Mark Szabó