THE PARROT AR.DRONE 2.0

Nate Krussel, Maxine Major, and Theora Rice

Overview

Parrot AR Drone 2.0Purchased off Amazon

○ ~ $300 for everybody○ 2 day prime shipping

Works out of the box○ No assembly required, charge the battery,

download the application and fly○ Comes with special hull for flying indoors

Embedded Linux on SOC Atheros chipset

Overview

Free Flight AppRuns on Android and IOS

○ No Windows phone appUses gyros and accelerometers to control

the flightFailsafe: if hands not on device, drone

attempts to hover in place.

Early Thoughts

ExperimentsUse Wireshark to sniff trafficTake over drone control

○ App and PCHijack the videoHard crash the drone, similar to the

emergency landing built into the drone

Wireshark

Connected the AR.Drone wifi to sniff the trafficPattern Identification

Wireshark didn’t show any trafficARP packets, not much else

Wireshark

ConclusionWireshark couldn’t identify packets used to

transmit dataUsed a packet different from normal TCP/IP

and didn’t know how to display itNeed to use a raw packet dump and try to

analyze it that way

Drone Hacks \ Mods

Hack#1: Program Drone over Wi-fiNode.js

○ Platform built on Chrome’s Javascript runtimeInstall AR Drone module

○ Client for controlling AR Drone (nodecopter.com)

Save flight commands to file○ Auto-execute drone actions

This method also included untrusted .js files

Drone Hacks \ Mods Hack#2: Program Drone over Wi-fi

Packets sent as UDP/TCPSingle UDP contains 1+ command(s)

○ AT*REF: takeoff, landing, reset, stopPorts:

○ Port 5556- UDP packets with regular commands ○ Port 5554- Reply UDP data packets from AR.Drone○ Port 5555- Reply video stream packets from

AR.Drone○ Port 5559- TCP packets for critical data that cannot

be lost usually for configuration

Drone Hacks \ Mods

Hack#3: Exploration of internalsAirodump-ng capture of drone wifi

Revealed open access pointAireplay -0 deauth attack Arp scansNmapftp, telnet ports left open

Projecting Video …The Hard Way

Projecting Video …The Easy Way

Telnettelnet 192.168.1.1

ffplay (ffmpeg)ffplay tcp://192.168.1.1:5555

Video Demo

Optional Modifications

Blinking LED lights Upgraded Blades/Rotors Long-life replacement batteries

1000mAh standard, 1500mAh RF controller

… for lights, etc. Radio upgrade Prop axle brushing replacement Upgraded camera

Attacks

Using Telnet to get into the drone (no security, default is open)Typing “Reboot” will cause the drone to

restart, and it will fall, but can reconnect after it finishes restarting.

Attacks

Using TelnetUsing “netstat –pantu” then identifying the

connected person and their TCP stream.Then typing “Kill <pid>” will cause the drone

to fall out of the sky, it needs to be restarted before it will fly again from any user.

Attack 1 Demo

Hardening

RepeaterAR.Assist – Windows Wizard

○ Use to connect drone to WiFi hotspotNow locked to that hotspotCan be permanent

http://www.shellware.com/BlogEngine.Web/post/2011/02/12/ARAssist-Infrastructure-Wi-Fi-Enabling-Your-ARDrone-Made-Easy.aspx

Hardening

Reload the linux kernelLots of time and effort

Operation Stux2bu

Attack 1No security, reboot with lock-out capability

○ Responds to Telnet only

Attack 2With security, MAC Spoofing, Attack 1

Attack 3Jamming the signal

Attack 4Floss...in the rotors

Sources

http://www.shellware.com/BlogEngine.Web/post/2011/02/12/ARAssist-Infrastructure-Wi-Fi-Enabling-Your-ARDrone-Made-Easy.aspx

http://www.lawfareblog.com/2012/09/operation-stux2bu-layered-offense-and-defense-and-drone-cyberattacks/

https://www.robotappstore.com/Knowledge-Base/How-to-Program-ARDrone-Remotely-Over-WIFI/96.html

http://www.libcrack.so/2012/10/13/hacking-the-ar-drone-parrot/

http://dronemediaproject.com/resources-3/drone-hack/

http://dronescapes.com/dronepage3.html

http://droneflyers.com/2013/02/ar-drone-modifications/