AUTEL smart drones have a vulnerability to unauthorised breaches of no-fly zones
The vulnerability involves the item: AUTEL Intelligent UAV-EVO NANO Series
https://www.autelrobotics.com/
Shenzhen AUTEL Intelligent Aviation Technology Co., Ltd. was founded on 29 May 2014, which is a company focusing on the research, development, production and sales of drones, and its main business scope includes the production of civil avionics equipment, automatic control equipment, civil unmanned aerial vehicles, radio data transmission systems, filming equipment, camera products, electronic components, and computer software. AUTEL drones currently occupy 7 per cent of the global market share.
0x01 Attack Scenarios and harm from vulnerabilities
There are two roles in a scenario where drone use is considered, the vendor (who manages the cloud), and the operator (who controls the drone via a remote control). When you buy an autel-NANO drone you get a drone body as well as a remote control, which has to be connected to a mobile phone and clocked to a specific app on the phone (AutelSky) for use. We assume that the manufacturer is benign, while the operator may be malicious and will try to get the drone to fly in no-fly zones as much as possible.
Normally drones are not allowed to take off in no-fly zones (e.g. airports) that are preset by the manufacturer, but we found that it is possible to break out of the no-fly zones by hitting the app in the hands of the operator.
Attackers can ignore the no-fly zones (covering all airports, nuclear power plants, prisons, and other sensitive areas) set by the manufacturers in advance, and allow the drones to take off and fly in the no-fly zones. Attackers can cause airliners to crash or use drones for classified surveys.
0x02 Attack step
-
reverse AutelSky APP and find package com.autel.drone.sdk.expose.module.flight.controller;
-
find public void setNFZEnable(CallbackWithNoParam callbackWithNoParam, boolean z) function;
-
through frida hook, call this function when the app starts and set the second parameter to false.
-
At this time, open the APP on the mobile phone to connect the remote control, the drone can take off and fly freely in the no-fly zone.
0x03 Vulnerability Testing Procedure
Autel Drone Model: NANO Drone
Firmware Version: 1.6.5
Remote Control Firmware Version: 1.6.5
You can download APP from google play or https://www.autelrobotics.com/download/app/
First way to test
I have repackaged the Autel Sky APP via frida persistence and uploaded the apk file to this repository(autel_frida_sign.apk). You can install the zip and put the frida_script.js file(uploaded in repository too) in the data/local/tmp directory of your Android phone.
Launch the APP to turn on the remote control, you can find that the drone can still take off when it is in the no-fly zone.
Second way to test
Because the remote control has to be connected through the type-c port of the mobile phone, you need to use remote adb + remote Frida to complete the wireless hook (the mobile phone needs to be rooted)
Remote adb pairing command:
adb tcpip 5555
adb connect [ip address :port]
Remote frida command:
./frida-server -l 0.0.0.0.:8888
Use this js to complete the hook (the file is already in the repository).
After the configuration is done, launch the APP to turn on the remote control, you can find that the drone can still take off when it is in the no-fly zone.
This vulnerability has been given a CNVD(China National Vulnerability Database) number.
