CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG

Aug 14, 2015

Devices & Hardware

CODE BLUE
Transcript
Page 1:

Confidential to SEWORKS Copyright ©2014 SEWORKS Inc. All rights reserved.

SEWORKS INC. CTO
WOWHACKER TEAM
[email protected]
Dongcheol Hong (hinehong)

Page 2:

INFORMATION

Drone attack by malware and network hacking

Page 3:

Speaker Bio

• SEWORKS Inc. Chief Technology Officer
  - Develops the Anti-Decompiler and Anti-Reverse Engineering Tool for Android and Unity applications.
• WOWHACKER Admin.
  - Qualified for the DEFCON CTF hacking contest finals five times.
  - Organized the SecuInside, CodeGate and ISEC hacking contests.
• Made Android and Windows Mobile antivirus applications in 2009.
• Presented at many security conferences such as SecuInside and HITCON.

Dongcheol Hong - SEworks.Inc

Page 4:

Abstract

• Drone systems are used more and more frequently all around the world.
• There are possibilities that a drone can hack into other computers or devices.
• We can infect the AR.Drone 2.0 with a malware called "HSDrone", spread the malware to other drones, and control all of them.

Page 5:

Drone hacking

• Network
  - RC : radio controller
  - WIFI : smart device
• Malware
  - Smart application
  - Drone executable file
• GPS or gyro sensor jamming

Page 6:

NETWORK
Drone attack by malware and network hacking

Page 7:

RC

• 2.4GHz, 3 or 4 CH
• NEC format
  - [Leader Code][Custom Code][Data Code]
  - Leader code : initialization of a signal
  - Custom code : identifies a specific device
  - Data code : execution code
• ZigBee protocol

Page 8:

ZigBee

• One of the sensor networks
• Security support
• Encryption : AES-CCM* 128
• Standard : 802.15.4

  Security suite           Service
  No Security              -
  AES-CBC-MAC-32 ~ 128     Message Authentication
  AES-CTR                  Encryption Only
  AES-CCM-32 ~ 128         Message Authentication & Encryption

Page 9:

WIFI

• Recent drone systems use WIFI connections, which are now widely used in today's world.
• A WIFI connection is convenient, but people need to reconsider its security.

Page 10:

INSIDE THE AR.DRONE
Drone attack by malware and network hacking

Page 11:

Network

• AR.Drone uses a WIFI connection.

Page 12:

AR.Drone Controller

• AR.Drone is controlled by a smart device's app.

Page 13:

Telnet

• AR.Drone runs a telnet daemon.

Page 14:

FTP

• AR.Drone runs an FTP daemon.
• Base directory is /data/video

Page 15:

program.elf

• /bin/program.elf is an important file.
• The motor will not function if the program.elf process is killed by /bin/kk

Page 16:

Network

• Atheros chipset : ath0

Page 17:

Processor information

• ARM processor

Page 18:

Network

• The drone has to scan for other drones.
• Master mode cannot scan wireless networks.

Page 19:

Network

• ath0 does not support a key.

Page 20:

Decompile on Android App

Page 21:

Serial connect

• UART : target-to-host PC communication.
• If the drone does not support FTP or telnet, a serial connection has to be used.
• It was broken 3 times because of a wrong connection.

Page 22:

Serial connect

• Drone mainboard is inside the bottom cover.

RX  TX  GND  12V

Page 23:

Pairing

• AR.Drone has a pairing system for security.
• Android phones support pairing mode. iPhone does not support it.
• Default pairing setting is "off".

iPhone   Android

Page 24:

Pairing

• MAC address check
• MAC address access is not permitted on iOS.

Page 25:

Pairing

• iptables

Page 26:

Pairing

Page 27:

DRONE MALWARE
Drone attack by malware and network hacking

Page 28:

AR.Drone

• Parrot AR.Drone is a commonly and widely used drone in the world.
• Can be connected through smart devices.
• Can be controlled over a WIFI connection with a smart device.

Page 29:

Development Environment

• AR.Drone 2.0 (two)
• GPS
• Beagle board
• Laptop

Page 30:

How to infect drone 1

Smart Device to Drone (figure: drone malware infects drone)

1. A fake app can infect the drone.
2. An attacker can infect it from a smart device in the drone's network area.

Page 31:

How to infect drone 2

Drone to Drone (figure: infected drone's network area, impacted drone, normal drone, normal drone's network area)

• Normal drones will be infected if an infected drone enters the normal drone's network area.

Page 32:

Activity

(figure: infected drone's network area, impacted drone, normal drone, normal drone's network area)

1. Malware copy
2. Motor stop

1. Copy and replicate itself
2. Shutdown
3. Other work like GPS, DNS pharming

Page 33:

Fake app

Page 34:

HOW TO INFECT - 1 FROM SMART DEVICE
Drone attack by malware and network hacking

Page 35:

Controller App modification

• Recently, a lot of Android apps have been modified by crackers.
• AR.Drone 2.0 can be controlled by a smartphone app.
• A cracker modifies the control app and uploads it to the internet.
• Medium of spread – internet, SMS, e-mail, market, etc.
• The drone is infected when a person uses the fake app.

Page 36:

Controller App modification

• We can modify and repackage applications with a freeware tool called Apktool.

Page 37:

Controller App modification

• Smali code

Page 38:

Android malware

• Using a thread for network communications
• AR.Drone 2.0 IP is 192.168.1.1

Page 39:

FTP upload 1

• FTP connection
• File copy

Asset file

Page 40:

FTP upload 2

• FTP upload

Page 41:

Telnet

• Telnet connection
• Command

Page 42:

Malware

• Inside of the drone.

Page 43:

HOW TO INFECT - 2 DRONE TO DRONE
Drone attack by malware and network hacking

Page 44:

Mode change

• The network mode can be changed to "managed" using the iwconfig command.

Page 45:

Scanning

• We can scan for other AR.Drones and APs.

Page 46:

Scanning

• Change the network to "managed" mode.
• The drone repeats the scan for other drones using the fork function.

Page 47:

Connect to other drone

• Connect if another AR.Drone's AP exists

Page 48:

Connect to other drone

• The drone succeeds in connecting to another drone's AP

Page 49:

Boot

• Malware has to execute in the boot-up sequence.

Page 50:

Action

• Repeat scanning until the attacker drone finds other drones.
• Connect to the AR.Drone's AP if found.
• FTP upload itself.
• Telnet connection.
• Permission setting (execute).
• Boot setting.

Page 51:

FTP upload itself

• FTP login to the other drone.
• Upload itself

Reference was the Cmdftp source.

Page 52:

ACTIVITY
Drone attack by malware and network hacking

Page 53:

Command

• HSDrone connects a socket.

Page 54:

Command

• Make a directory
• Copy
• Permission setting

Page 55:

Command

• kk - the motor will be stopped.
• Change to master

Page 56:

AT Commands

• Drone commands use UDP port 5556

  AT*PCMD_MAG=21625,1,0,0,0,0,0,0<CR>AT*REF=21626,290717696<CR>
  AT*PCMD_MAG=xx,xx,-1085485875,xx,xx,xx,xx.

Page 57:

tcpdump

• Install tcpdump on the drone.
• We can capture the network packets after that.
• 192.168.1.5 is the controller's IP.

Page 58:

Packet capture

Page 59:

Configuration

• Altitude max : the drone can fly up to 100000 (which is 100 meters from the ground)
• We can fly to some GPS location with no obstacle

  AT*CONFIG=605,"control:altitude_max","3000"
  AT*CONFIG=605,"control:altitude_max","100000"
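A defender-side audit of the AT command traffic on page 56 and the altitude_max configuration on page 59, added here as an example (not code from the talk, from HSDrone or from Parrot): it parses AT*PCMD_MAG, AT*REF and AT*CONFIG lines as a tcpdump capture on UDP 5556 would show them, decodes the int32-encoded float (the -1085485875 on page 56 is -0.8), and flags commands from any source other than the controller 192.168.1.5, sequence numbers that do not increase, and altitude_max raised above a policy limit. The packet list and the 3000 mm policy limit are constructed; the PCMD_MAG field order and the REF takeoff bit are assumed from the AR.Drone SDK documentation.

```python
import re
import struct

# Constructed sample of (source IP, UDP 5556 payload) pairs, as a tcpdump capture
# on the drone would show them; 192.168.1.5 is the controller IP from the slides.
SAMPLE_STREAM = [
    ("192.168.1.5", "AT*PCMD_MAG=21625,1,0,0,0,0,0,0\rAT*REF=21626,290717696\r"),
    ("192.168.1.5", 'AT*CONFIG=21627,"control:altitude_max","3000"\r'),
    ("192.168.1.9", 'AT*CONFIG=21628,"control:altitude_max","100000"\r'),
    ("192.168.1.9", "AT*PCMD_MAG=21629,1,-1085485875,0,0,0,0,0\r"),
]

AT_RE = re.compile(r"AT\*([A-Z_]+)=(\d+)(?:,(.*))?")
REF_TAKEOFF_BIT = 1 << 9  # takeoff flag in AT*REF (assumed from the AR.Drone SDK)

def int_to_float(v):
    """AR.Drone sends float arguments as the int32 holding their IEEE754 bits."""
    return struct.unpack("<f", struct.pack("<i", v))[0]

def parse_at(payload):
    """Split a <CR>-separated payload into (command, seq, [args]) tuples."""
    cmds = []
    for chunk in payload.split("\r"):
        m = AT_RE.fullmatch(chunk)
        if m:
            args = [a.strip('"') for a in m.group(3).split(",")] if m.group(3) else []
            cmds.append((m.group(1), int(m.group(2)), args))
    return cmds

def audit_at_stream(stream, controller="192.168.1.5", max_alt_mm=3000):
    """Return human-readable findings for suspicious AT commands in a capture."""
    findings, last_seq = [], 0
    for src, payload in stream:
        for name, seq, args in parse_at(payload):
            if src != controller:
                findings.append(f"{name} seq={seq} from unexpected source {src}")
            if seq <= last_seq:  # replayed or out-of-order command
                findings.append(f"{name} seq={seq} does not increase (last {last_seq})")
            last_seq = max(last_seq, seq)
            if name == "CONFIG" and args[:1] == ["control:altitude_max"] and int(args[1]) > max_alt_mm:
                findings.append(f"altitude_max set to {args[1]} mm, above policy {max_alt_mm} mm")
            if name == "REF" and int(args[0]) & REF_TAKEOFF_BIT:
                findings.append(f"takeoff requested at seq={seq}")
            if name == "PCMD_MAG" and src != controller:
                # args after seq: flag, roll, pitch, gaz, yaw, psi, psi accuracy (assumed order)
                roll, pitch, gaz, yaw = (round(int_to_float(int(a)), 2) for a in args[1:5])
                findings.append(f"movement from {src}: roll={roll} pitch={pitch} gaz={gaz} yaw={yaw}")
    return findings
```

Run over SAMPLE_STREAM, the audit reports the two commands from 192.168.1.9, the altitude_max raised to 100000 mm, and the decoded roll of -0.8 in the foreign PCMD_MAG.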

Page 60:

GPS

- AR.Drone 2.0 supports GPS.
- If we click a GPS point on the smart device, the drone will move to the requested place.
- The user can go back to the GPS-registered "home" by pressing the "home" button.
- Infected drones will come to my real home if there isn't any obstacle.

Page 61:

GPS

Page 62:

DNS Pharming

• No encryption
• Default password
• Access administrator mode from wireless
• Drones can change some vulnerable AP's DNS during the flight.

Page 63:

DNS Server change

• Can change DNS in Administrator mode

Page 64:

dnsmasq

Page 65:

dnsmasq

• /etc/dnsmasq.conf
• 8.8.8.8 is Google's DNS server

Page 66:

DNS

Page 67:

Pharming

Page 68:

episode1

• The malware replicated itself like a worm and somehow destroyed the bootloader and bricked two drones.
• I tried serial communication using UART in order to repair the bricked drones, but the devices were not even able to boot up.
• UART does not work when the UART ports are misconfigured. I replaced it once because the UART itself was the problem, and replaced it again because the UART was broken by wrong ports.
• One drone was bought in Korea and the other drone was bought in another country. The problem was that I was able to get a free replacement for the drone which was bought in Korea, but I had to pay for the mainboard of the drone which was bought outside Korea, since it does not have any A/S support. I paid $170 overall.

Page 69:

episode2

• After the malware replicated itself, the network configuration broke. I was not able to control the drone in the end.
• I had to wait for the drone to drain its battery since it was out of control. (The drone works for around 10 minutes.)

Page 70:

Result

• Drone malware (HSDrone, which I made) can spread through wireless networks.
  - Smart Device to Drone
  - Drone to Drone
• Can control other drones with UDP network commands.
• Malware can attack APs with DNS pharming.
• Drone malware like this could spread and attack your computers, APs, smart devices, drones, and everything in the future.
• It is dangerous: the drone has the advantage of physical distance for the attack to be carried out.

Page 71:

THANK YOU