Skip to content

Drone-Lab/Dronetag-vulnerability

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 

Repository files navigation

Dronetag-vulnerability

Dronetag v1.5.2 CVE-2024-22520

https://dronetag.cz/

The Drone Scanner App is a complementary application for Dronetag hardware, which is a transmitter.Drone scanner App has been downloaded 50,000 times on Google Play.

Drone Scanner is an application designed to scan the surrounding environment to obtain data from unmanned aerial vehicles' broadcasts, such as identity and location. It collects data and presents it to users on a map.

Drone Scanner can track all aircraft nearby using the Direct Remote ID standard. It provides real-time data of drones on a detailed map, highlighting specific flight areas. Devices that can be viewed include drones broadcasting remote identification according to the requirements of the Federal Aviation Administration (FAA) and the European Union, as well as devices equipped with a drone tag (an additional transmitter).

1 图片2

0x01: Attack Scenario

The Drone Scanner App receives data packets generated by Dronetag devices mounted on drones, following the Droneid protocol, and displays detailed information about nearby drones on the user's mobile device.

Attackers can craft such data packets themselves and broadcast them using a transmitter. The app does not authenticate the authenticity of the data packets and directly displays them on the mobile interface.

0x02: Vulnerability Impact

  • Attackers can launch a flood attack, generating a large number of ghost drone signals, thereby preventing users from identifying genuine drone signals in the app.
  • Attackers can impersonate benign Remote ID signals, concealing their identity and engaging in illicit activities.

This goes against the original design intent of Dronetag and poses a security risk, impacting government efforts to regulate and secure unmanned aerial vehicles, leading to safety incidents.

0x03: Attack Steps 0x01

  • Write code to control the format of WiFi or Bluetooth packets as per requirements and burn the code into a microcontroller with WiFi or Bluetooth modules.
  • On the app, detect the ghost drone signal we've set, including Remote ID, drone location, posture, speed, and other information.

0x04: Attack Testing

Testing vulnerability on esp32-s3 microcontroller and Dronetag v1.5.2

Esp32-s3 microcontroller

Method one:

  • Download Drone Scanner from google Play
  • Directly burn the modified RemoteID.bin file in the directory into the microcontroller.
  • Start the microcontroller. it will broadcast the fake drone information that I previously set.

I changed the drone id to ABCD123456789 (These pieces of information were originally designed for law enforcement to detect unauthorized drones):

Esp32-s3 microcontroller

Here is the video about testing:

verify.the.vulnerability.mp4

Method two: You can modify and build the microcontroller code yourself to send the content you specify.

  • Download ArduRemoteID source code, https://github.com/ArduPilot/ArduRemoteID

  • By modifying the default value of wifi_rate in the /home/iko/arduremoteid/RemoteIDModule/RemoteIDModule.ino file, trigger the function to make the microcontroller broadcast WiFi beacon packets.

  • Use the network card in promiscuous mode to capture the broadcasted beacon packets, which can be set on channel 6 within the range of channels 1-13. The app can receive the RemoteID from the WiFi beacon.

  • Then, modify parameters such as location and RemoteID according to your preferences.

Esp32-s3 microcontroller

0x05: Additional Information

CNVD(China National Vulnerability Database) has assigned a vulnerability identifier to this issue (CNVD-C-2023-940819) and plans to publicly disclose it on January 4, 2024.

Esp32-s3 microcontroller

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published