-
Notifications
You must be signed in to change notification settings - Fork 0
OpenWERX Drone Challenge January 2016
License
p3n3troot0r/droneslayers
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
This repository contains the project files of the droneslayers team for the SOCOM OpenWERX Drone Challenge in January 2017. The challenge was to identify vulnerabilities and write exploits for the Phantom III Standard model. https://www.youtube.com/watch?v=gZxcN4yR0uc A summary of what we've done: 1. telnet There is an open telnet server on the controller, 192.168.1.1 over which telemetry data is relayed to the app/drone. We developed a full grammar for the operational control data, which is contained in telnet/telnet.py. Files with telnet captures and parsing scripts are contained in the telnet/ directory. We found that telnet data was not encrypted at the endpoints, but the stream was encrypted using the drone's OpenWRT installation's arc4 module: https://wiki.openwrt.org/doc/devel/packages/kmod-crypto-arc4 Therefore it is difficult to inject into the stream, however using an approach like: http://thehackernews.com/2015/07/crack-rc4-encryption.html OR by spending more time identifying the location of the keys on the drone/controller's filesystem it is possible to inject arbitrary commands within the derived grammar. 2. FTP By decompiling the DJIGO apk file, we located the root password to an FTP server hosted on the controller, 192.168.1.1 with the password "Big~9China". This provides root FTP access to the filesystem, allowing the ability to modify things like: - /etc/shadow and /etc/passwd to modify the root Linux password - the /proc folder, which stores information needed by all running processes - WiFi SSID/password - DNS server to upload location/video data to Additionally there is a completely unprotected FTP server on the camera at ftp://192.168.1.3 where absolutely anyone can connect, having authenticated with the drone's wifi network using the password "12341234", and read/write video feed and WiFi configuration data. 3. pwcracking This was an effort to brute force the root Linux password using a parallelized version of John the Ripper on a 324 node heterogeneous supercluster. The pwcracking directory contains all sorts of wordlists (a few were too large for github) we found and attempted to combine, including pinyin-based and amalgamations of industry breach dumps, using clever john.conf configurations - unfortunately after ten days of running in parallel on two user accounts, the password still had not been cracked and we discontinued. 4. SDR/Wireshark There is a lot of traffic to eavesdrop on between the controller, the drone, and the phone running the DJIGO app. We used a HackRF One with the GNU Radio suite, including gqrx and grc, to listen to the RF communications in the 2.4GHz band (WiFi centered at 2.437GHz) and 5.8GHz band (authentication and possibly NTSC video feed). Unfortunately all these capture files violated Github's size limit (50mb). Using wireshark it is possible to listen to the ARC4-encrypted telnet packets (as 802.11 packets), and realize that the transmission pattern is identical to the drone/controller telnet communication pattern. This led us to investigate further and realize that the drone/ctrl was using OpenWRT's ARC4 module. 5. Hardware/logic - CANBUS Operational commands are translated onboard from telnet packets to CAN messages, which can be decoded by attaching a logic analyzer (we used Saelae logic). The baud rate is around 258064, and using this the logic analysis software produced data such as that found in logic/. Messages can then be correlated to functions and replayed via physical attachment to the CAN network, using the pins shown in logic/pin19.jpeg. An extension of this finding would be determining how to wirelessly inject CAN traffic. - I2C A hidden I2C bus was identified onboard responsible for communications between the GPS and compass modules. An extension of this would be determining how to wirelessly inject GPS data into this for GPS spoofing. 6. Apk (Geofencing) Using apktool (rating 2/5) we decompiled the DJIGO Android application and located the geofencing data, found in - res/raw/flyforbid.json - assets/flyforbid_airmap/* The file assets/flyforbid_airmap/flyforbid_airmap27.json contains the entry for BWI/Thurgood Marshall airport, the airport located a few miles from our research facility. We increased the radius by an order of magnitude and when recompiled this disables the drone's ability to fly. Using a similar approach, all geofencing zones can be modified, deleted, or expanded upon.
About
OpenWERX Drone Challenge January 2016
Resources
License
Stars
Watchers
Forks
Releases
No releases published