Impact
A Dynamic Host Configuration Protocol (DHCP) starvation attack is a Denial of Service (DoS) attack that exhausts all available IP addresses on a drone’s DHCP server by generating a large number of packets and disguising them as legitimate connections after an attacker is able to access the drone’s internal network.
If this vulnerability is exploited, all devices that attempt to connect to the drone’s internal network after the attacker's device is connected are denied access to the internal network. In other words, a drone owner won’t be able to connect to the drone network after the attack. Through this vulnerability, the attacker can forcibly deny the owner access to the drone’s services.
Summary
This vulnerability is caused by the DHCP service provided by Wi-Fi–based commercial drones. Since DHCP does not provide mutual authentication, if an attacker sends a large number of manipulated DISCOVER packets to the drone’s DHCP server, the server runs out of available IP addresses because it mistakes the manipulated packets for legitimate requests.
By exploiting this vulnerability, an attacker can send a large number of manipulated DHCP connection packets to the drone’s DHCP server, and the drone’s DHCP server would then allocate assignable IP addresses to fake devices. As a result, the IP address pool that can be assigned by the drone’s DHCP server will be exhausted, and even if a legitimate device requests a connection to the drone’s DHCP server, the device would not be assigned an IP address. Hence, the drone denies connections from legitimate devices, and the services provided by the drone are similarly denied.
Exploiting this vulnerability requires that the attacker first connect to the drone network, using attacks such as Wi-Fi password cracking.
Analysis
A DHCP starvation attack targets the DHCP server and exhausts all IP addresses that the server can assign by sending manipulated DISCOVER messages. DHCP in Wi-Fi–based drones allocates IP addresses based on MAC addresses. However, DHCP does not provide a mutual authentication process to determine whether the connecting MAC address is the legitimate MAC address of the device. Therefore, if an attacker sends a large number of DHCP DISCOVER packets containing fake MAC addresses to the drone, the drone exhausts all available IP addresses by mistaking the manipulated packets for legitimate requests. Consequently, the drone does not have an IP address to assign to a device attempting a legitimate connection after this attack. The following figure shows the DHCP connection process.
Fig 1. DHCP connection process
A DHCP connection process begins with the client sending a DHCP DISCOVER packet to a drone’s DHCP server to request an assignable IP address. The DHCP server delivers the assignable IP address to the client in an OFFER packet, and the client sends a REQUEST packet to the DHCP server, stating that it will use the IP address suggested by the DHCP server. Finally, the DHCP server allocates the IP address to the client by delivering the ACK packet based on the REQUEST packet received from the client.
In this process, if a malicious attacker penetrates the drone’s internal network using attack techniques such as password cracking and continuously sends manipulated DISCOVER packets to the drone, the drone continuously sends corresponding OFFER packets. The attack thereby exhausts all IP addresses that the drone can allocate.
Based on the conceptual analysis results of this vulnerability, we used DHCPig to demonstrate how this vulnerability can be exploited. DHCPig is an open-source tool that manipulates and attacks DHCP connection packets using Scapy, a Python-based library. We used this tool to analyze the DHCP connection process for the DJI Spark drone, which relied on Wi-Fi. We tried a DHCP starvation attack using the DHCPig tool, and the results of capturing REQUEST packets using the Wireshark tool are shown in the following figures.
Fig 2. Example of a full packet attempting a DHCP starvation attack using the Wireshark tool
Fig 3. Example of REQUEST packets attempting DHCP starvation attacks
The figure above shows REQUEST packets captured when a DHCP starvation attack was attempted using the DHCPig tool. The captured packet shows that the DHCP Server Identifier is 0.0.0.0. However, during the legitimate connection process, the DHCP Server Identifier must be specified as 192.168.2.1, corresponding to the drone’s IP address. Therefore, we determined that the DHCP starvation attack cannot be performed in a drone environment with the publicly available DHCPig, and we optimized it as a wireless tool for the drone environment by modifying the DHCPig source code. Using the optimized tool we implemented, we tried the DHCP starvation attack again; the source code is shown in the following figures.
Fig 4. Example of DHCPig source code
Fig 5. Example of the optimized source code we implemented
In the DHCPig source code, “server_id” (i.e., the DHCP Server Identifier) is specified in the field where the REQUEST packet is generated using Scapy, a Python-based library. Accordingly, the starvation attack was attempted again after modifying the corresponding part to the drone’s IP address.
Fig 6. REQUEST packets when running a DHCPig tool and the optimized tool we implemented (left: published DHCPig tool, right: optimized tool)
On the left side of the figure is the REQUEST packet when the published DHCPig is running, whereas the right side of the figure shows the REQUEST packet when the optimized tool we implemented is running. The IP address of the drone was successfully specified in the DHCP Server Identifier field when the optimized tool we implemented was executed. This result demonstrated experimentally that a DHCP starvation attack against the drone succeeded. The attack result is shown in the following figure.
Fig 7. Legitimate connections are denied before a DHCP starvation attack.
First, we explain one characteristic of the DJI Spark drone: if a device is already connected to the drone, a warning message of “Connection failed” is displayed, since this drone only connects to one device.
The following figure shows the Wi-Fi connection status after the DHCP starvation attack.
Fig 8. Connection is denied after a DHCP starvation attack.
As shown in the figure, after attempting a DHCP starvation attack, a warning message of "Couldn't get IP address" is displayed if a user tries to connect to the drone’s internal network. After that, even if a legitimate device attempts to connect to the drone, access to the drone’s internal network is rejected. This experimental result demonstrates a successful DHCP starvation attack on the DJI Spark drone.
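A defender-side check for the flood described in the analysis above, added here as an example (it is not code from this advisory or from DHCPig): it parses DHCP payloads and flags a time window in which more distinct client MAC addresses ask for leases than the pool is expected to serve. The names `parse_dhcp`, `StarvationDetector` and `sample`, the 10-second window and the `max_clients` threshold are assumptions, and the sample payloads are constructed.

```python
import socket
import struct
from collections import deque

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
DISCOVER, REQUEST = 1, 3     # values of option 53 (DHCP message type)

def parse_dhcp(payload):
    """Return (client MAC, message type, server identifier or None), or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    mac = payload[28:28 + min(payload[2], 16)].hex(":")  # chaddr, hlen bytes long
    msg_type, server_id, i = None, None, 240
    while i + 1 < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                              # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            msg_type = value[0]
        elif code == 54 and len(value) == 4:
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return mac, msg_type, server_id

class StarvationDetector:
    """Flags a window in which more distinct client MACs ask for leases than max_clients."""
    def __init__(self, max_clients, window=10.0):
        self.max_clients, self.window, self.seen = max_clients, window, deque()

    def observe(self, ts, payload):
        parsed = parse_dhcp(payload)
        if not parsed or parsed[1] not in (DISCOVER, REQUEST):
            return False
        self.seen.append((ts, parsed[0]))
        while ts - self.seen[0][0] > self.window:         # drop events older than the window
            self.seen.popleft()
        return len({mac for _, mac in self.seen}) > self.max_clients

def sample(mac, msg_type, server_id=None):
    """Constructed test payload (BOOTP header + options); it is only parsed, never sent."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    hdr = struct.pack("!BBBBIHH16s16s64s128s", 1, 1, len(chaddr), 0, 0, 0, 0,
                      bytes(16), chaddr, bytes(64), bytes(128))
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + socket.inet_aton(server_id)
    return hdr + MAGIC + opts + b"\xff"
```

The third value returned by `parse_dhcp` is the DHCP Server Identifier, the field the analysis compares between 0.0.0.0 and 192.168.2.1 in the captured REQUEST packets.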
Discoverer(s)/Credits
Kyungroul Lee/South Korea/carpedm@mnu.ac.kr
Wontae Jung/South Korea/dnjsxo4354@mokpo.ac.kr
Junkwon Lee/South Korea/kwonl57@mokpo.ac.kr
Jiin Jeong/South Korea/ddd0444@cu.ac.kr