Detection and Countermeasures for COTS Drones Adrian Stevens, IMT

Similar documents
ALL-IN-ONE DRONE SOLUTION FOR 3D MODELING

suas: Cybersecurity Threats, Vulnerabilities, and Exploits

Obstacle Avoiding Wireless Surveillance Bot

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

GETTING THE MOST OUT OF EVIL TWIN

PRODUCT GUIDE Wireless Intrusion Prevention Systems

DSIAC TECHNICAL INQUIRY RESPONSE

Wi-Net Window and Rogue Access Points

Lure10: Exploiting Windows Automatic Wireless Association Algorithm

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

Mobile Concierge Services

Troubleshooting and Cyber Protection Josh Wheeler

How Insecure is Wireless LAN?

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

CWNA Exam PW0-100 certified wireless network administrator(cwna) Version: 5.0 [ Total Questions: 120 ]

THE VANGUARD LONG RANGE SURVEILLANCE DRONE BEST USED FOR SURVEILLANCE & SECURITY INSPECTION & DETECTION WILDLIFE & GAME

LESSON 12: WI FI NETWORKS SECURITY

Multipot: A More Potent Variant of Evil Twin

CENTRAL TEST AND EVALUATION INVESTMENT PROGRAM (CTEIP) PE D FY 1998 FY 1999 FY 2000 FY 2001 FY 2002 FY 2003 FY 2004 FY 2005

WIDS Technology White Paper

Worldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System

What is a Wireless LAN? The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in Ne

Hacker Academy UK. Black Suits, White Hats!

XA20/XA25 and VIXIA HF G30 Using Remote Browse

Mobile Security Fall 2013

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Troubleshooting Microsoft Windows XP-based Wireless Networks in the Small Office or Home Office

WIRELESS EVIL TWIN ATTACK

Hooray, w Is Ratified... So, What Does it Mean for Your WLAN?

Wireless Attacks and Countermeasures

Configuring Basic Wireless Settings on the RV130W

DJI MATRICE 600 Release Notes

Equipment. Remote Systems & Sensors. Altitude Imaging uses professional drones and sensors operated by highly skilled remote pilots

Wireless technology Principles of Security

Hacking Exposed Wireless: Wireless Security Secrets & Colutions Ebooks Free

Missouri University of Science and Technology ACM SIG-Security 2014 Wi-Fi Workshop Exploitation Handbook

This ethical hacking course puts you in the driver's seat of a hands-on environment with a systematic process.

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

Frequently Asked Questions WPA2 Vulnerability (KRACK)

1. Press "Speed Test" to find out your actual uplink and downlink speed.

Penetration testing using Kali Linux - Network Discovery

Please read these instructions carefully before installing This will ensure an easy start and a great first customer experience with TS4 installation

Hacking UAVs: the integrity of Wi-Fi, Telemetry and RC links. Author: Mr. Xi Chen, Mr. Jeff Thomas

Advanced WiFi Attacks Using Commodity Hardware

Learn How to Configure EnGenius Wi-Fi Products for Popular Applications

DJI Assistant 2 Release Notes

A Practical, Targeted, and Stealthy attack against WPA-Enterprise WiFi

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

Preventing wireless deauthentication attacks over Networks

New Windows build with WLAN access

Today s challenge on Wireless Networking. David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd.

DJI Phantom 3 - Standard Edition + Softshell Backpack

WLAN Security. Dr. Siwaruk Siwamogsatham. ThaiCERT, NECTEC

SharkFest'17 US. Basic workshop of. IEEE packet dissection. Megumi Takeshita

Managing Rogue Devices

Wireless Attacks and Defense. By: Dan Schade. April 9, 2006

Karthik Pinnamaneni COEN 150 Wireless Network Security Dr. Joan Holliday 5/21/03

Smart Attacks require Smart Defence Moving Target Defence

Spark Release Notes. What s New? Notes:

Cyber Hygiene and Awareness on a Practical Level

Sensor Fusion: Potential, Challenges and Applications. Presented by KVH Industries and Geodetics, Inc. December 2016

Added support for version matching between DJI Assistant 2 and flight control system.

CCNA 3 (v v6.0) Chapter 4 Exam Answers % Full

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition

SPARK. Quick Start Guide V1.6

IoT and Smart Infrastructure efforts in ENISA

Contents. HackLinM manual 1.1 Summary 1.2. Technical specifications Default connection password Initial installation 1.

Connecting Tablo to Wi-Fi with PC

CE Advanced Network Security Wireless Security

Multi-Band (Ku, C, Wideband - Satcom, Narrowband Satcom) Telemetry Test System for UAV Application

BYOD: BRING YOUR OWN DEVICE.

Open WLANs the early results of WarDriving. Peter Shipley

WhatsUp Gold Wireless v16.4

802.11ac 3x3 Dual Band High-Powered Wireless Access Point/Client Bridge

Connect Securely in an Unsecure World. Jon Clay Director: Global Threat

ipad Navigation Map and FPV live video can be displayed with P-in-P (above) or Side-by-Side (below) layout. Custom Telemetry can be shown in either

LEAK DETECTION UTILIZING SMALL UNMANNED AERIAL SYSTEMS (SUAS) PRESENTED BY MATT HALKER

Troubleshooting Common Wi-Fi Problems

The WiMAX Technology

DJI Assistant 2 Release Notes

CEH: CERTIFIED ETHICAL HACKER v9

DJI Assistant 2 Release Notes

Chapter 24 Wireless Network Security

Overview of the Trimble TX5 Laser Scanner

Cyber Security Guidelines for Securing Home and Small Office Routers

Ruckus Wireless ZoneFlex (ZoneDirector and ZoneFlex Access Points) Release Notes. October 26, 2012

KODO Controller. Remote Access. Hutech Corporation Atlantic Ocean Dr., Unit B-17. Lake Forest, CA

Roberto Caboni Aldea Srl.

INSPIRE 1 Quick Start Guide V1.0

Wireless LAN Security (RM12/2002)

Chapter 11: Networks

Wireless access point spoofing and mobile devices geolocation using swarms of flying robots

Common Security Attacks on Drones

DJI MATRICE 600 PRO Release Notes

External Supplier Control Obligations. Cyber Security

Rugged Outdoor Wireless-N Access Point - 2.4GHz - PoE Powered - Metal IP67

Transcription:

A-TEMP-009-1 ISSUE 002 Detection and Countermeasures for COTS Drones Adrian Stevens, IMT 15 th Little Crow Conference, 18 May 2017

Presentation Overview Background Understanding the Threat Detection and Countermeasures Implementation Results Conclusion Future Work Dr Willie Gunter

Background Rapid growth of commercial drone market in recent years Increasing capabilities and decreasing cost Presents numerous risks and concerns, both in commercial and defence sectors Aircraft safety Spying/surveillance Airborne attack

Background Defence facilities remain vulnerable Various commercial solutions on offer, but efficacy is questionable: Radar Electro-optic Acoustic etc.

Background Considered the vulnerability of SAN facilities due to location: Beaches Tourist attractions Recreational areas Scenic drives IMT Undertook to investigate simple, low cost methods for detection and jamming Received reports of two separate unconfirmed incidences of drones near dockyard

Understanding the Threat Survey of low-cost cots drones with good outdoor flight capabilities. Identified two popular systems: DJI Phantom Parrot Bebop 2 Bebop chosen as initial test subject: Very low cost Ease of access Target market: amateur users (less likely to know law)

Understanding the Threat Parrot Bebop 2 Specifications: 25 minutes flight time Weight 500 g 14 MP still camera 1080p Video with stabilisation Speed: 70 km/h Altitude: 150 m Control via Wi-Fi (500 m smartphone, 2 km Skycontroller) Payload capabilities: unspecified

Understanding the Threat Understanding the Bebop control system is key to exploiting vulnerabilities: 2.4 GHz or 5 GHz Wi-Fi link to controller Functions as an access point (AP) with controller as client device Controlled via smart phone or Skycontroller Built-in GPS for autonomous ( waypoint ) navigation and return-to-home

Detection Use of Wi-Fi can be exploited for detection: Drone broadcasts its Service Set Identifier (SSID) continuously Media Access Control (MAC) address can be obtained Either of the above can be used to identify its presence.

Detection: SSID Default SSID prefix of Bebop 2 drone is: Bebop2 Merely need to scan for presence of AP with matching SSID What if the user has changed the SSID? Scan MAC addresses instead (easy) Use other techniques Matching SSID and MAC address would provide higher level of detection confidence

Detection: MAC Address MAC address consists of 48 bit number unique to every Wi-Fi device (e.g. A0:14:3D:C1:A1:FF) First 24 bits: Organisationally Unique Identifier (OUI) OUI assigned to hardware manufacturer for identification Manufacturer PARROT SA PARROT SA PARROT SA PARROT SA PARROT SA SZ DJI TECHNOLOGY CO.,LTD OUI 90:3A:E6 90:03:B7 A0:14:3D 00:26:7E 00:12:1C 60:60:1F

Detection: Implementation How do we obtain this info? Look to penetration testing and Wi-Fi hacking techniques Requirements: Computer Linux Operating System Special Wi-Fi adapter Allows extraction of additional (meta) data, packet injection, etc.

Countermeasures Two options: Inhibit control Assume control Inhibiting control can be accomplished by jamming of the Wi-Fi band Will NOT be popular with legitimate Wi-Fi users (or local authorities)

Countermeasures What other options do we have? Wi-Fi Hacking: The Evil Twin Access Point Scan for, and identify, the SSID and MAC of the drone AP Create an Evil Twin AP by cloning the SSID and MAC of the drone AP Forcibly disconnect the controller from the drone through a deauthentication attack If the Evil Twin s power level is higher than that of the drone, the controller will connect to the Evil Twin instead Drone operator is now unable to communicate with the drone Transfer of control of the drone now becomes possible

Implementation Hardware: Computer Special Wi-Fi adaptor Yagi (high gain) antenna Software: Linux distribution for penetration testing

Implementation

Implementation Wi-Fi adaptor placed into monitor to inspect nearby Wi-Fi signals Continually scans and captures AP info Presence of SSID or OUI of interest can then be detected and flagged

Implementation Once identified, create the evil twin using MAC address and SSID obtained from the previous OUI and SSID scan

Implementation Begin the deauthentication attack, to disconnect the operator from the drone

Results

Results

Results

Results

Results Only detection and deauthentication was implemented (no transfer of control) Operator was unable regain control until after attack was stopped The big question What happens to the drone??

Results Return-to-home function means the drone navigates back to where it took off from Navigation path depends on selected geofencing parameters (maximum altitude) Some possible risks associated Transfer of control could solve this Probably also means transfer of liability

Conclusion Implementation of simple detection and countermeasures for Wi-Fi based drones can easily be achieved Limited to Parrot Bebop drones (for now) Evil Twin attack is effective and has no impact on other Wi-Fi users If attack is persistent, drone attempts to safely return to home Minimal Hardware requirements, extremely low cost System could be very effective in protecting against curiosity Protection against other drones would require much more work

Future Work Implementation on a Raspberry Pi Investigate and implement transfer of control Look into detection of DJI drones No work planned for 2017. May continue as a background activity. However, investigation into Electro Optic Detection to take place

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback