[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAC121272SPdhLRw26yaUp=f4kssBKYLfDQpPqdDnmj25k_p-dg@mail.gmail.com>
Date: Sun, 1 Feb 2015 16:09:47 +0530
From: Rahul Sasi <fb1h2s@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Maldrone for drones.
I wrote a blog post last week regarding a small project I was working on my
free time "Learning about Drones and security issues" . And a youtube demo
video titled "Maldrone first malware for drones". The blog is a preview of
few things I would be presenting at my upcoming talk at Nullcon
<http://nullcon.net/website/goa-15/about-speakers.php> .
Video: https://www.youtube.com/watch?v=5SlWdl4ZuAI
Blog: http://garage4hackers.com/entry.php?b=3105
Maldrone came as a by product of my attempt to build a generic tool to
debug drones. Since most drones I was experimenting were running on ARM
Linux, I decided to make a tool that would work on most of the civilian
drones out there. Later I added some functionality to make it act like a
backdoor[phun] and added it to my presentation.
The blog got a bit of media attention .Mainly because of two reasons.
1) It is related to Drones [Kind of interesting stuff]
2) Some guy crashed a phantom DJI drone into whitehouse lawn.
<http://edition.cnn.com/videos/cnnmoney/2015/01/29/money-dji-drone-white-house.cnnmoney>
So many online medias wrote different version of the story. And few
journalist directly contacted me .
As usual there were people who only followed news sites and never bothered
to read the actual blog. And came up with "n" number of ridiculous
questions. So I am sharing the actual blog here which has mentions to what
it does and references all previous work in same line as maldrone. Looking
forward to have discussion with people who are interested in drones and
drone security.
*Original Blog:*
http://garage4hackers.com/entry.php?b=3105
*Introduction:*
There are over 70 nations building remotely controllable drones. Most of
these drones are capable of making autonomous decisions. Countries buy
drones from there neighbors. What are the possibilities that there could be
a backdoor in the drone you brought. What are the possible ways you can
backdoor a drone. What would be the impact if a security issues is found in
a computer devices that make decisions of there own.
This is part of my ongoing research, some of it which I would be
answering/demonstrating at Nullcon this feb 7th, 2015
http://nullcon.net/website/goa-15/about-speakers.php .
*Maldrone: Backdoor for Drones.*
Features:
Maldrone will get silently installed on a drone.
Interact with with the device drivers and sensors silently.
Lets the bot master controller the drone remotely .
Escape from the Drone owner to Bot master.
Remote surveillance.
Spread to other drones *.
*Demo:*
In this we would show infecting a drone with Maldrone and expecting a
reverse tcp connection from drone. Once connection is established we can
interact with the software as well as drivers/sensors of drone directly.
There is an existing AR drone pioloting program. Our backdoors kills the
auto pilot and takes control. The Backdoor is persistent across resets .
https://www.youtube.com/watch?v=5SlWdl4ZuAI
For this research we are using Parrot Ar Drone 2.0 and DJI Phantom
.Maldrone is developed for AR drone arm linux .
In this demo we will install the drone with Maldrone. Once its installed.
The Maldrone will connect back to botmaster and wait for commands. Maldrone
can proxy the device driver and sensor communications. Maldrone could
interact with the drone communication and proxy data from the drone sensors
.
*Maldrone would be a good buddy for http://samy.pl/skyjack/
<http://samy.pl/skyjack/> .*Samy's skyjack is an exploit for parrot ardrone
. Maldrone is a payload and not an exploit. So once you hack a drone using
skyjack or any drone specific vulnerability. You then install Maldrone as a
backdoor.
*The idea: AR drone Introduction*
Ar drone quad-copter contains a 9 degrees-of-freedom (DOF) .
"Degrees Of Freedom" or "DOF" is a number of axis and sensors combined for
balancing a plane, a helicopter or a robot.
ref: http://playground.arduino.cc/Main/Wh...9DOF10DOF11DOF
<http://playground.arduino.cc/Main/WhatIsDegreesOfFreedom6DOF9DOF10DOF11DOF>
in-ertial measurements unit (IMU)
a) 6 DOF gyroscope and
b) 3 DOF magnetometer.
c) ul-trasound sensor[ used for low altitude measure-ments
d) a pressure sensor [Altitude measurement at all altitudes.
c) a GPS sensor.
*The access to these sensor data are made available via serial ports. *
The Ar drone has a binary named program.elf which controls the entire drone
using these nav-board data. This little program is smart enough to perform
auto landing , flight stability and various other AR drone tricks.
Check out this video: https://www.youtube.com/watch?v=IcxBf-kegKo
*Is Maldrone the first malware for drones?*
Ar Drone also exposes a high level api , and this is open sourced. This
would let you control the drone via AT commands. And could program the
drone to do pretty much anything. Lot of previous researches and attempts
to backdoor drones used this API . This would make the backdoor concept
very generic to AR drone.
*Ref previous works: *
http://boingboing.net/2012/12/09/fly...irus-copt.html
<http://boingboing.net/2012/12/09/flying-malware-the-virus-copt.html>
http://www.cbronline.com/news/securi...ection-4483778
<http://www.cbronline.com/news/security/hackers-to-target-firms-via-drone-infection-4483778>
I am trying to build something more generic . The programs out there like
the above use parrot drone api as a backdoor. Parrot drone is a toy and our
research is no way specific to parrot. We are documenting generic ways on
how you could backdoor a drone.
My idea of taking up this project was to learn how it is possible to
backdoor robots and drones in general. So the best bet is to interact with
the sensors and navigation data directly.
*A good backdoor:*
A lot of people are trying to build a custom firmware for parrot ar drone.
Technically a custom modified firmware or a replacement for the AR drone
program.elf is enough as a substitute for a backdoor. But what we have now
are highly unstable. The entire operation of AR drone is done via
program.elf which is not opensource. Reversing and figuring out the serial
port communication seems really hard, even though I and few other have
taken that route.
Ref:
http://blog.perquin.com/blog/ar-dron...f-replacement/
<http://blog.perquin.com/blog/ar-drone-program-elf-replacement/>
https://github.com/ardrone/ardrone
https://github.com/felixge/go-ardrone
http://embedded-software.blogspot.in...le-format.html
<http://embedded-software.blogspot.in/2010/12/plf-file-format.html>
*Building the Backdoor:*
The drone controller program.elf interacts with the navigation board using
the following serial ports.
/dev/ttyO0 —> rotors and leds
/dev/ttyO1 —> Nav board
/dev/ttyPA1 — > Motor driver
/dev/ttyPA2 —> accelerometer, gyrometer, and sonar sensors
/dev/video0 -->
/dev/video1 — > video4linux2 devices
/dev/i2c-0
/dev/i2c-1
/dev/i2c-2
/dev/usb-i2c
[image: Name: ida_re.jpg Views: 4501 Size: 37.0 KB]
program.elf like any other serial port programing uses linux syscall open
to read devices . Since program.elf is using those ports, our backdoor
would not be able to interact with those sensors. Since we do not have an
ideal solution for replacing program.elf and accessing sensors.
*Maldrone Idea.*
Step 1: Kills program.elf
Step 2: Setup a proxy serial port for navboard and others.
Step 3: Redirect actual serial port communication to fake ports
Step 4: patch program.elf and make it open our proxy serial ports.
Step 5: Maldrone communicates to serial ports directly
Now all serial communication to navboard goes via Maldrone. He can
intercept and modify data on the fly. It will connect to botserver and make
it available for botmaster.
More technical details of the hack would be presented at Nullcon .
http://nullcon.net/website/goa-15/about-speakers.php
*Disclaimer *What ever we are demonstrating is for educational purpose
only.Working
at Citrix has given me the flexibility to conduct research in an area i’m
very passionate about. This “maldrone” research was conducted solely by me,
Rahul Sasi, and does not reflect the products or vision of Citrix.
I am a very curious person . The objective of this research was to learn
about Artificial Intelligence programming and get answers to few questions
I had.
Regards,
Rahul Sasi
http://twitter.com/fb1h2s
http://www.linkedin.com/in/fb1h2s
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists