1
00:00:04,250 --> 00:00:06,200
- [Narrator] Think you're special,

2
00:00:06,200 --> 00:00:08,620
one of a kind, we agree.

3
00:00:08,620 --> 00:00:12,353
The way you pursue your digital ambitions is unique to you.

4
00:00:12,353 --> 00:00:14,930
And so is your appetite for digital risk.

5
00:00:14,930 --> 00:00:17,090
Whether you're hyper-connecting your ecosystem,

6
00:00:17,090 --> 00:00:19,259
empowering a distributed workforce,

7
00:00:19,260 --> 00:00:24,090
rapidly leveraging cloud, IoT, AI or other new technologies,

8
00:00:24,090 --> 00:00:27,770
RSA is here to help you manage digital risk your way

9
00:00:27,770 --> 00:00:29,980
at every stage of your journey.

10
00:00:29,980 --> 00:00:32,493
So, go ahead, be you.

11
00:00:32,493 --> 00:00:34,826
(whooshing)

12
00:00:39,510 --> 00:00:42,250
- Hello, and welcome to Drone Penetration Testing

13
00:00:42,250 --> 00:00:44,970
and Vulnerability Analysis Framework.

14
00:00:44,970 --> 00:00:46,339
If you're joining us live,

15
00:00:46,340 --> 00:00:48,900
our speakers are in the Slido chat discussion area,

16
00:00:48,900 --> 00:00:51,320
answering your questions right now.

17
00:00:51,320 --> 00:00:53,060
For audio or video issues,

18
00:00:53,060 --> 00:00:55,720
click the Technical Support button below.

19
00:00:55,720 --> 00:00:57,089
I'd now like to turn it over

20
00:00:57,090 --> 00:01:00,203
to Dr. Vivek Balachandran for the presentation.

21
00:01:04,040 --> 00:01:05,033
- Thank you, Berta.

22
00:01:06,110 --> 00:01:08,200
Hi, my name is Vivek Balachandran.

23
00:01:08,200 --> 00:01:09,033
I'm an assistant professor

24
00:01:09,033 --> 00:01:10,840
at the Singapore Institute of Technology.

25
00:01:10,840 --> 00:01:14,210
Today, we will look into our recent work on

26
00:01:14,210 --> 00:01:15,770
drone penetration testing

27
00:01:15,770 --> 00:01:18,372
and vulnerability analysis framework.

28
00:01:21,330 --> 00:01:25,450
At the launch of the RIE 2020 plan in Singapore,

29
00:01:25,450 --> 00:01:27,770
announcements were made regarding the future

30
00:01:27,770 --> 00:01:29,950
in four technology domains.

31
00:01:29,950 --> 00:01:33,300
In the service and digital economy domain,

32
00:01:33,300 --> 00:01:36,363
one of the three focus areas is urban mobility.

33
00:01:37,420 --> 00:01:38,630
Urban mobility aims

34
00:01:38,630 --> 00:01:40,949
to fuse traditional transport engineering

35
00:01:40,950 --> 00:01:44,360
with autonomous technologies, real-time analytics,

36
00:01:44,360 --> 00:01:48,887
modeling and simulation to transform how we plan routes

37
00:01:48,887 --> 00:01:52,570
and dynamically manage real-time traffic events.

38
00:01:52,570 --> 00:01:56,320
Although autonomous unmanned technologies have the potential

39
00:01:56,320 --> 00:01:58,470
to radically transform our economy

40
00:01:58,470 --> 00:02:00,820
and improve our livelihood,

41
00:02:00,820 --> 00:02:03,990
the inherent vulnerabilities, both known and unknown,

42
00:02:03,990 --> 00:02:06,812
impose significant challenges to their deployment.

43
00:02:09,669 --> 00:02:13,619
The two main challenges to drone deployment include

44
00:02:13,620 --> 00:02:17,440
integrating drones safely into the airspace, as well as

45
00:02:17,440 --> 00:02:21,700
secure and reliable unmanned flight management technology

46
00:02:21,700 --> 00:02:25,881
to support flights and operations beyond line of sight.

47
00:02:25,882 --> 00:02:27,465
In April 2015

48
00:02:27,465 --> 00:02:29,780
(glitch muffles speaker)

49
00:02:29,780 --> 00:02:32,658
had approved the unmanned aircraft,

50
00:02:32,658 --> 00:02:35,118
which aims to regulate the use of drones

51
00:02:35,118 --> 00:02:36,023
with a clear set of rules.

52
00:02:36,023 --> 00:02:39,769
Drones, however, have a communications and control network

53
00:02:39,770 --> 00:02:42,470
based on WiFi or radio frequency.

54
00:02:42,470 --> 00:02:47,470
Many also utilize existing IP-based operating systems.

55
00:02:47,690 --> 00:02:51,210
They are therefore affected by vulnerabilities

56
00:02:51,210 --> 00:02:54,069
that could give attackers full drone access

57
00:02:54,069 --> 00:02:55,057
to the database platform,

58
00:02:55,057 --> 00:02:58,392
read and delete files, or crash the database.

59
00:02:58,392 --> 00:02:59,620
At the operations level,

60
00:02:59,620 --> 00:03:02,940
integrating unmanned, digitally-controlled drones

61
00:03:02,940 --> 00:03:04,940
safely into the airspace

62
00:03:04,940 --> 00:03:07,670
will require a clear awareness and understanding

63
00:03:07,670 --> 00:03:10,070
of the existing and potential vulnerabilities

64
00:03:10,070 --> 00:03:11,880
in its control system,

65
00:03:11,880 --> 00:03:15,070
as well as its communication channels.

66
00:03:15,070 --> 00:03:17,730
Counter-drone signal jammers are popular,

67
00:03:17,730 --> 00:03:21,329
but risky to deploy due to the interference

68
00:03:21,330 --> 00:03:25,780
with aircraft communications or law enforcement channels.

69
00:03:25,780 --> 00:03:29,730
Drone manufacturers and retailers

70
00:03:29,730 --> 00:03:32,609
may be unaware of

71
00:03:32,610 --> 00:03:37,030
or even unwilling to divulge product risks or dangers.

72
00:03:37,030 --> 00:03:40,070
Hence, comprehensive vulnerability maps

73
00:03:40,070 --> 00:03:42,910
independently computed for specific drones

74
00:03:42,910 --> 00:03:44,329
would help considerably

75
00:03:44,330 --> 00:03:46,563
to enable selective and secure.

76
00:03:52,160 --> 00:03:56,290
In February 2017, Swann two vulnerabilities

77
00:03:56,290 --> 00:03:59,280
found in surveillance drones manufactured the drone,

78
00:03:59,280 --> 00:04:02,823
which are a hardcoded password and an authentication bypass.

79
00:04:05,999 --> 00:04:08,019
Similarly, the announcement came

80
00:04:08,020 --> 00:04:10,930
weeks after it was revealed that the U.S. Army...

81
00:04:12,000 --> 00:04:14,640
Sorry, okay,

82
00:04:14,640 --> 00:04:16,839
DJI, a Chinese drone manufacturer,

83
00:04:16,839 --> 00:04:18,640
launched a bug bounty program

84
00:04:18,640 --> 00:04:21,279
offering researchers as much as $30,000

85
00:04:22,310 --> 00:04:25,290
for spotting cyber vulnerabilities in its drones.

86
00:04:25,290 --> 00:04:27,720
Interestingly, this announcement came

87
00:04:27,720 --> 00:04:29,840
weeks after it was revealed

88
00:04:29,840 --> 00:04:33,270
that the U.S. Army barred the use of DJI drones

89
00:04:33,270 --> 00:04:35,233
over cybersecurity concerns.

90
00:04:36,560 --> 00:04:39,301
The same goes with the DJI Phantom,

91
00:04:39,301 --> 00:04:41,090
the DJI Phantom 3 Professional drone.

92
00:04:41,090 --> 00:04:43,650
The DJI app stores a database

93
00:04:44,640 --> 00:04:46,669
of no-fly zones.

94
00:04:46,670 --> 00:04:50,480
On an iOS device, this is .flysafeplaces.db.

95
00:04:50,480 --> 00:04:53,340
The drone, however, may be attacked by GPS spoofing

96
00:04:54,220 --> 00:04:56,490
and made to land in a no-fly zone.

97
00:04:57,460 --> 00:04:59,630
Also, you can use WiFi attacks

98
00:04:59,630 --> 00:05:02,860
against the Parrot AR, using Aireplay.

99
00:05:02,860 --> 00:05:05,490
So, Aireplay-ng is a popular

100
00:05:05,490 --> 00:05:08,480
dictionary-based attack tool for WiFi passwords

101
00:05:08,480 --> 00:05:10,230
in the normal computer world.

102
00:05:10,230 --> 00:05:14,910
You can deploy the same thing for the Parrot AR drones,

103
00:05:14,910 --> 00:05:18,570
mostly because it uses a WiFi-based communication method

104
00:05:18,570 --> 00:05:20,420
between the drone and the controller,

105
00:05:22,580 --> 00:05:25,313
thus deauthenticating the user.

106
00:05:28,340 --> 00:05:32,049
So, one of the reasons why our solution is needed is that

107
00:05:32,050 --> 00:05:33,730
there is no centralized framework

108
00:05:33,730 --> 00:05:35,850
for drone penetration testing.

109
00:05:35,850 --> 00:05:38,650
There are independent works that exist in the literature,

110
00:05:38,650 --> 00:05:41,489
but mostly these are academic pursuits,

111
00:05:41,490 --> 00:05:43,360
and in forum discussions

112
00:05:43,360 --> 00:05:47,670
where there are independent cybersecurity enthusiasts

113
00:05:47,670 --> 00:05:49,480
who find attacks,

114
00:05:49,480 --> 00:05:52,313
vulnerabilities and exploits against specific drones.

115
00:05:53,520 --> 00:05:57,400
A few companies are coming up with some frameworks these days,

116
00:05:57,400 --> 00:06:01,880
but still it is a new area which is unexplored.

117
00:06:01,880 --> 00:06:03,409
So, our goal

118
00:06:03,410 --> 00:06:06,060
is to have an open source platform for drone attacks.

119
00:06:07,710 --> 00:06:09,471
Why open source?

120
00:06:09,471 --> 00:06:11,120
Because open source is the best method

121
00:06:11,120 --> 00:06:14,677
to have all the different attacks from all over the world,

122
00:06:14,677 --> 00:06:17,330
by all the cybersecurity enthusiasts,

123
00:06:17,330 --> 00:06:21,840
put into their works in one centralized platform,

124
00:06:21,840 --> 00:06:24,969
which makes it easy to launch new attacks

125
00:06:24,970 --> 00:06:26,370
for different types of drones

126
00:06:26,370 --> 00:06:28,610
for a cybersecurity specialist,

127
00:06:28,610 --> 00:06:30,989
and for a security specialist

128
00:06:30,989 --> 00:06:35,390
who is not specialized in drone security.

129
00:06:35,390 --> 00:06:38,380
And for specialist cybersecurity professionals,

130
00:06:38,380 --> 00:06:41,140
it should be easy to add new attack modules.

131
00:06:41,140 --> 00:06:45,120
And you should have both a local and a server database.

132
00:06:45,120 --> 00:06:47,650
A local database, because once you download

133
00:06:47,650 --> 00:06:49,120
the Drone Attack Tool,

134
00:06:49,120 --> 00:06:52,870
you do not need to depend on the internet connectivity,

135
00:06:52,870 --> 00:06:56,790
or the server connectivity, for the attack to be launched.

136
00:06:56,790 --> 00:06:57,623
A server database

137
00:06:57,623 --> 00:07:00,193
for everyone to contribute their own attacks.

138
00:07:04,490 --> 00:07:06,713
So, we've named this framework DRAT,

139
00:07:07,770 --> 00:07:09,549
or Drone Attack Tool,

140
00:07:09,550 --> 00:07:11,540
and it is developed in Kali Linux

141
00:07:11,540 --> 00:07:13,020
as a penetration testing tool

142
00:07:13,020 --> 00:07:16,469
and a vulnerability analysis tool for drones.

143
00:07:16,470 --> 00:07:18,453
It has a local database, as I said earlier,

144
00:07:18,453 --> 00:07:21,500
with a search function and report creation feature.

145
00:07:21,500 --> 00:07:23,360
A search function is simply because

146
00:07:23,360 --> 00:07:26,870
if you want to find if a specific drone,

147
00:07:26,870 --> 00:07:28,960
and a specific attack for this drone, exist,

148
00:07:28,960 --> 00:07:32,599
you can search it among all the different attacks

149
00:07:32,600 --> 00:07:34,160
in the database.

150
00:07:34,160 --> 00:07:36,810
There are two modes for this particular framework,

151
00:07:36,810 --> 00:07:39,050
a user mode and an admin mode.

152
00:07:39,050 --> 00:07:42,390
The user mode helps you launch existing attacks

153
00:07:42,390 --> 00:07:47,390
from the database and create a report automatically for you.

154
00:07:47,860 --> 00:07:50,340
Admin mode is mostly for the professionals

155
00:07:51,280 --> 00:07:52,469
to add new attacks.

156
00:07:52,470 --> 00:07:56,540
So, when you have a new attack for a specific drone,

157
00:07:56,540 --> 00:07:58,300
you create the script for that

158
00:07:59,260 --> 00:08:03,287
and then call the script from within this framework.

159
00:08:04,720 --> 00:08:07,640
So, there is a method to add the script onto the framework,

160
00:08:07,640 --> 00:08:08,712
in the admin mode.

161
00:08:12,710 --> 00:08:14,989
So, this is how it looks in general.

162
00:08:14,990 --> 00:08:19,990
You can see that there are different types of connectivity

163
00:08:20,400 --> 00:08:23,700
between a drone and the controller.

164
00:08:23,700 --> 00:08:25,363
It will be mostly WiFi-based,

165
00:08:26,305 --> 00:08:28,650
others will be RF-based connectivity as well.

166
00:08:28,650 --> 00:08:30,822
There are different protocols used,

167
00:08:30,822 --> 00:08:34,309
like acoustic modeling, etcetera.

168
00:08:34,309 --> 00:08:37,500
But basically, there is a controller and a drone,

169
00:08:37,500 --> 00:08:39,850
and there's a connectivity protocol between them.

170
00:08:39,850 --> 00:08:42,020
And we launch different types of attacks

171
00:08:42,950 --> 00:08:45,920
using the same mode of communication

172
00:08:45,920 --> 00:08:49,520
used between the controller and the drone.

173
00:08:49,520 --> 00:08:52,290
So, on the left side of the slide,

174
00:08:52,290 --> 00:08:56,099
you can see our DRAT in action.

175
00:08:56,100 --> 00:08:59,923
A specific attack against Hubsan drones is launched.

176
00:09:01,120 --> 00:09:02,663
When the attack is launched,

177
00:09:03,586 --> 00:09:06,036
you can see the script running in the background.

178
00:09:07,210 --> 00:09:09,870
On this terminal, you can disable that aspect

179
00:09:09,870 --> 00:09:12,030
if you don't want to see what's happening behind.

180
00:09:12,030 --> 00:09:16,097
And at the end of it, it will pop up asking you a question,

181
00:09:16,097 --> 00:09:18,720
"Do you want a report based on the attack?"

182
00:09:18,720 --> 00:09:20,770
And it will give you the report.

183
00:09:20,770 --> 00:09:22,480
And at the same time, disable the drone

184
00:09:22,480 --> 00:09:25,590
if the drone is susceptible to that vulnerability.

185
00:09:26,990 --> 00:09:30,250
So, the control flow diagram of DRAT looks like this.

186
00:09:30,250 --> 00:09:31,820
It has two different modes,

187
00:09:31,820 --> 00:09:33,593
a user mode and an admin mode.

188
00:09:35,032 --> 00:09:37,790
As we discussed earlier, the user can select

189
00:09:37,790 --> 00:09:40,839
which mode he wants the platform to work in.

190
00:09:40,840 --> 00:09:44,000
And once they are selected, you'll go to that mode.

191
00:09:44,000 --> 00:09:46,950
In the user mode, there are three different routes

192
00:09:46,950 --> 00:09:48,623
that the user can take.

193
00:09:49,930 --> 00:09:53,510
Number one, which is about the user attacks.

194
00:09:53,510 --> 00:09:55,280
It's mostly an informative speech

195
00:09:55,280 --> 00:09:58,490
where it helps you understand what this drone is about,

196
00:09:58,490 --> 00:10:00,150
who developed this drone,

197
00:10:00,150 --> 00:10:02,920
what is the licensing of this drone

198
00:10:02,920 --> 00:10:07,069
attack framework, and how to use this.

199
00:10:07,070 --> 00:10:09,310
How to install, the readme file, etcetera,

200
00:10:09,310 --> 00:10:11,250
can be found in the user mode.

201
00:10:12,340 --> 00:10:15,910
And then the other two modes are basically attacks.

202
00:10:15,910 --> 00:10:18,240
So, you can select the drone attacks.

203
00:10:18,240 --> 00:10:20,950
You can go into the available drones

204
00:10:20,950 --> 00:10:23,210
that are available in the database.

205
00:10:23,210 --> 00:10:25,750
So, right now we have like four to five drones

206
00:10:25,750 --> 00:10:27,720
that you can launch the attack against.

207
00:10:27,720 --> 00:10:29,610
We hope once we launch this,

208
00:10:29,610 --> 00:10:32,483
and once the open-source community starts contributing,

209
00:10:33,546 --> 00:10:35,280
it blows up.

210
00:10:35,280 --> 00:10:37,199
And it will show all the available drones.

211
00:10:37,200 --> 00:10:39,140
And once you select the available drone,

212
00:10:39,140 --> 00:10:41,870
the next thing that will be asked to the user is

213
00:10:41,870 --> 00:10:43,813
which connectivity is to be used.

214
00:10:43,813 --> 00:10:45,189
Do you want to attack it on WiFi?

215
00:10:45,190 --> 00:10:47,093
Do you want to attack it on RF?

216
00:10:47,093 --> 00:10:49,430
Do you have any other mode of connectivity?

217
00:10:49,430 --> 00:10:52,818
Do you have some information regarding the connectivity?

218
00:10:52,818 --> 00:10:54,900
Do you know the MAC address?

219
00:10:54,900 --> 00:10:57,819
Do you know the username and password?

220
00:10:57,820 --> 00:11:00,120
So, the more information that you give,

221
00:11:00,120 --> 00:11:01,560
the easier the attack will be.

222
00:11:01,560 --> 00:11:03,479
So, if you know the username and password,

223
00:11:03,480 --> 00:11:05,640
the number of attacks that are available for you

224
00:11:05,640 --> 00:11:07,760
will be way more than if you don't know

225
00:11:07,760 --> 00:11:09,569
the username and the password

226
00:11:09,570 --> 00:11:11,753
for the drone connectivity.

227
00:11:12,610 --> 00:11:14,720
Once you give the connectivity options,

228
00:11:14,720 --> 00:11:17,330
then it gives all the attacks that are available

229
00:11:18,540 --> 00:11:20,439
with the information that you gave.

230
00:11:20,440 --> 00:11:22,170
And you could just click the attack

231
00:11:22,170 --> 00:11:24,000
that you wanna launch,

232
00:11:24,000 --> 00:11:26,000
and the attack will execute.

233
00:11:26,000 --> 00:11:27,360
At the end of the attack,

234
00:11:27,360 --> 00:11:30,750
it will give a prompt back to the user saying that

235
00:11:30,750 --> 00:11:31,680
the attack is finished,

236
00:11:31,680 --> 00:11:34,120
it is either successful or unsuccessful.

237
00:11:34,120 --> 00:11:35,800
And the report is generated,

238
00:11:35,800 --> 00:11:37,510
you can go and look for the report

239
00:11:37,510 --> 00:11:38,492
in the Report menu.

240
00:11:39,370 --> 00:11:40,920
That comes to the third option,

241
00:11:41,815 --> 00:11:45,200
which is the report mode.

242
00:11:45,200 --> 00:11:46,940
The user goes to the reports

243
00:11:46,940 --> 00:11:51,390
and searches for this particular report that is generated

244
00:11:51,390 --> 00:11:54,893
and exports that into a CSV, and end of process.

245
00:11:57,840 --> 00:12:00,193
Admin mode is a little different.

246
00:12:02,176 --> 00:12:03,190
A bit different.

247
00:12:03,190 --> 00:12:04,490
It has two different modes,

248
00:12:04,490 --> 00:12:06,133
which are manage drones and manage attacks.

249
00:12:06,133 --> 00:12:08,230
This is basically because sometimes

250
00:12:08,230 --> 00:12:09,783
when you create a new attack,

251
00:12:10,700 --> 00:12:13,400
there may not be any single attack against that drone.

252
00:12:13,400 --> 00:12:16,510
And that drone may not even be in our framework.

253
00:12:16,510 --> 00:12:18,400
In this case, you may need to add

254
00:12:18,400 --> 00:12:20,420
that new particular type of drone

255
00:12:22,281 --> 00:12:24,949
onto the framework.

256
00:12:24,950 --> 00:12:25,890
So, when you don't see,

257
00:12:25,890 --> 00:12:27,810
so if you want to add a specific attack

258
00:12:27,810 --> 00:12:32,109
against a specific drone, you can look for that drone.

259
00:12:32,110 --> 00:12:36,070
And if it is not there, you add that drone, right?

260
00:12:36,070 --> 00:12:37,460
Once you add that drone

261
00:12:37,460 --> 00:12:39,860
as an option into the DRAT framework,

262
00:12:39,860 --> 00:12:42,230
then you can add different attacks

263
00:12:42,230 --> 00:12:44,400
against that drone, right?

264
00:12:44,400 --> 00:12:47,600
Similarly, you can remove drones from the attack framework.

265
00:12:47,600 --> 00:12:50,910
So, if you feel that certain attacks are no longer valid,

266
00:12:50,910 --> 00:12:54,160
you don't want to lose your local database space.

267
00:12:54,160 --> 00:12:57,100
So, you can delete all those unwanted drones

268
00:12:57,100 --> 00:12:58,603
from your local databases.

269
00:13:00,050 --> 00:13:01,680
The same goes with attacks.

270
00:13:01,680 --> 00:13:03,109
You can add specific attacks.

271
00:13:03,110 --> 00:13:05,500
You can add attacks which are generic to all drones.

272
00:13:05,500 --> 00:13:07,245
You can add specific attacks

273
00:13:07,245 --> 00:13:08,870
which are specific to a specific drone.

274
00:13:08,870 --> 00:13:10,220
You can remove all attacks.

275
00:13:10,220 --> 00:13:11,870
You can remove attacks which are specific

276
00:13:11,870 --> 00:13:12,993
to specific drones.

277
00:13:17,240 --> 00:13:19,220
Okay, now let us briefly look into

278
00:13:19,220 --> 00:13:21,040
what are the different types of attacks

279
00:13:21,040 --> 00:13:23,829
that we already have in this game.

280
00:13:23,830 --> 00:13:26,920
So, mainly three different types of drones

281
00:13:28,505 --> 00:13:31,157
are aimed at or targeted at,

282
00:13:31,157 --> 00:13:35,103
which are DJI Tello drones, Hubsan drones,

283
00:13:36,064 --> 00:13:38,730
and DJI Mavic Pro and Mavic Enterprise.

284
00:13:38,730 --> 00:13:40,760
So, all the attacks that are launched

285
00:13:40,760 --> 00:13:42,310
against Mavic Enterprise

286
00:13:42,310 --> 00:13:44,392
work on Mavic Pro 2 as well.

287
00:13:45,590 --> 00:13:48,820
So, let us look into each specifically

288
00:13:48,820 --> 00:13:50,933
and go through each of that one by one.

289
00:13:51,930 --> 00:13:53,109
The Tello attacks

290
00:13:56,030 --> 00:13:58,740
basically means attacks against the DJI Tello drone.

291
00:13:58,740 --> 00:14:03,160
So, Tello has an open UDP port on 9999 for communication.

292
00:14:03,160 --> 00:14:05,880
So, we sent junk packets to the port

293
00:14:05,880 --> 00:14:07,970
to disturb the live video feed

294
00:14:07,970 --> 00:14:09,883
at least for four seconds and more.

295
00:14:11,250 --> 00:14:15,513
Hence, intermittent frozen video will happen.

296
00:14:16,580 --> 00:14:21,580
This means that you can completely freeze

297
00:14:21,890 --> 00:14:23,340
the drone controls, this video,

298
00:14:24,388 --> 00:14:27,663
and the video is completely disturbed,

299
00:14:27,663 --> 00:14:28,950
and no one can see what's happening,

300
00:14:29,849 --> 00:14:31,020
and the drone will be disabled.

301
00:14:31,020 --> 00:14:34,163
To do this, you need to know the drone's IP address.

302
00:14:35,410 --> 00:14:38,350
The second attack on Tello drones

303
00:14:39,915 --> 00:14:42,500
is the WiFi WPA2 password crack.

304
00:14:42,500 --> 00:14:45,220
This is very similar to our password crack attack

305
00:14:45,220 --> 00:14:48,553
that we launch against any WiFi-based system.

306
00:14:50,070 --> 00:14:52,430
The reason why this works on Tello is that

307
00:14:52,430 --> 00:14:56,099
Tello works over the normal WiFi protocol,

308
00:14:56,100 --> 00:14:59,000
and we can launch a dictionary attack using Aircrack-ng.

309
00:14:59,000 --> 00:15:00,590
So, the attack is very similar

310
00:15:00,590 --> 00:15:05,033
to the normal WiFi password crack attack using Aircrack-ng.

311
00:15:05,950 --> 00:15:07,820
Just that, you have to cater it,

312
00:15:07,820 --> 00:15:11,053
fine-tune it for that drone's hardware.

313
00:15:12,360 --> 00:15:14,693
The third attack against DJI Tello

314
00:15:16,010 --> 00:15:18,030
is DoS, or denial of service.

315
00:15:18,030 --> 00:15:19,010
What happens here is

316
00:15:19,010 --> 00:15:21,410
we disrupt the command from the controller,

317
00:15:21,410 --> 00:15:23,410
and we deauthenticate the controller.

318
00:15:23,410 --> 00:15:26,962
So, the controller completely loses control over the drone.

319
00:15:26,962 --> 00:15:29,460
The drone will still be flying or whatever it is doing,

320
00:15:29,460 --> 00:15:32,370
and the behavior of the drone is erratic after that.

321
00:15:32,370 --> 00:15:36,210
We cannot predict what the drone will do after that

322
00:15:36,210 --> 00:15:38,287
because the controller completely loses control

323
00:15:38,287 --> 00:15:40,130
over the drone.

324
00:15:40,130 --> 00:15:44,450
The last one, which is an effective attack, is

325
00:15:44,450 --> 00:15:45,390
the line of sight attack.

326
00:15:45,390 --> 00:15:47,210
It is similar to the video disruption attack

327
00:15:47,210 --> 00:15:50,083
but not as dangerous as video disruption.

328
00:15:51,210 --> 00:15:54,941
In this case, we disrupt the video transmission

329
00:15:54,941 --> 00:15:57,830
by ARP poisoning.

330
00:15:57,830 --> 00:16:01,770
But the controller still has control over the drone.

331
00:16:01,770 --> 00:16:04,920
The only thing is that the controller cannot see

332
00:16:04,920 --> 00:16:06,120
anything from the camera.

333
00:16:06,120 --> 00:16:08,980
The live stream from the camera is completely disturbed.

334
00:16:08,980 --> 00:16:11,320
So, the controller still has control,

335
00:16:11,320 --> 00:16:14,710
but he has to use his line of sight

336
00:16:14,710 --> 00:16:18,450
to bring the drone back to wherever the drone started.

337
00:16:18,450 --> 00:16:20,140
So, this makes his life a bit harder

338
00:16:20,140 --> 00:16:23,280
because his drone is a bit further away.

339
00:16:23,280 --> 00:16:26,410
He has no idea what the drone is trying to see.

340
00:16:26,410 --> 00:16:30,053
So, in this case, it can be used in different ways.

341
00:16:30,982 --> 00:16:34,510
For instance, if you are looking at a drone that is invading

342
00:16:34,510 --> 00:16:35,703
into your territory,

343
00:16:36,744 --> 00:16:37,760
you disturb the line of sight

344
00:16:37,760 --> 00:16:40,890
and see what the controller of the drone

345
00:16:40,890 --> 00:16:42,689
is trying to make the drone do.

346
00:16:42,690 --> 00:16:45,320
Is he trying to bring it back home? I don't know.

347
00:16:45,320 --> 00:16:47,480
So, you can follow the drone without the controller

348
00:16:47,480 --> 00:16:49,480
knowing that you're following the drone.

349
00:16:51,307 --> 00:16:54,060
Hubsan attacks are a bit more sophisticated

350
00:16:54,060 --> 00:16:55,319
than DJI Tello.

351
00:16:55,320 --> 00:17:00,320
Simply because DJI Tello was one of the easiest

352
00:17:00,490 --> 00:17:03,010
that we encountered among the different drones.

353
00:17:03,010 --> 00:17:05,960
The security mechanisms were a bit more relaxed

354
00:17:05,960 --> 00:17:10,960
in DJI Tello compared to Hubsan or Mavic Pro Enterprise.

355
00:17:11,440 --> 00:17:14,960
Hubsan attack: the same attack that we created for Tello,

356
00:17:14,960 --> 00:17:19,130
the WiFi WPA attack, works on Hubsan as well.

357
00:17:19,130 --> 00:17:22,760
So, the same attack mistakes could work for Hubsan.

358
00:17:22,760 --> 00:17:24,087
It's exactly the same.

359
00:17:24,087 --> 00:17:25,629
And then, the second attack

360
00:17:25,630 --> 00:17:27,240
that we have launched against Hubsan

361
00:17:27,240 --> 00:17:28,810
is authentication flooding.

362
00:17:28,810 --> 00:17:30,899
So, we use MAC spoofing,

363
00:17:30,900 --> 00:17:33,820
and the tool has the same MAC as the client controller.

364
00:17:33,820 --> 00:17:36,419
We make sure that the tool has the same MAC address.

365
00:17:38,386 --> 00:17:41,263
And this enables multiple connections to the drone.

366
00:17:42,130 --> 00:17:44,050
And now, instead of

367
00:17:45,480 --> 00:17:47,620
the drone connecting from the controller,

368
00:17:47,620 --> 00:17:50,810
I can flood connection requests from a system

369
00:17:50,810 --> 00:17:53,293
using different programs within my system.

370
00:17:54,350 --> 00:17:57,800
And authentication flooding will bring down the drone

371
00:17:57,800 --> 00:18:00,223
and disconnect the controller from the drone.

372
00:18:01,860 --> 00:18:04,409
The last one, which is a flagship as of now,

373
00:18:04,410 --> 00:18:08,040
is Mavic Enterprise Pro or Mavic Pro 2,

374
00:18:08,040 --> 00:18:11,830
where we have a few attacks that were created:

375
00:18:11,830 --> 00:18:14,263
GPS spoofing, firmware modification,

376
00:18:15,120 --> 00:18:16,520
DJI app reverse engineering.

377
00:18:18,130 --> 00:18:19,200
GPS spoofing is...

378
00:18:22,490 --> 00:18:25,050
you need hardware for GPS spoofing

379
00:18:25,050 --> 00:18:26,419
along with the...

380
00:18:28,672 --> 00:18:29,740
With the DRAT framework.

381
00:18:29,740 --> 00:18:31,510
So, this information will be given

382
00:18:31,510 --> 00:18:34,607
when you open the DRAT framework for that particular attack.

383
00:18:36,818 --> 00:18:38,287
So, the attack will say, "For this attack to work,

384
00:18:38,287 --> 00:18:42,250
"you may need to connect HackRF in this format."

385
00:18:42,250 --> 00:18:43,730
So, it will be giving some instruction

386
00:18:43,730 --> 00:18:46,480
on how to launch this attack when you need extra hardware.

387
00:18:47,760 --> 00:18:51,140
So, what we did was, we used HackRF hardware

388
00:18:51,140 --> 00:18:53,120
to spoof the GPS coordinate,

389
00:18:55,498 --> 00:18:57,598
which is transmitted with gps-sdr-sim.

390
00:18:58,880 --> 00:19:01,920
So, every country has their own no-fly zones.

391
00:19:01,920 --> 00:19:03,900
Well, in Singapore there are specific areas

392
00:19:03,900 --> 00:19:05,670
which are no-fly zones,

393
00:19:05,670 --> 00:19:07,290
like the Changi Airport.

394
00:19:07,290 --> 00:19:10,159
You cannot fly anything near the Changi Airport.

395
00:19:10,160 --> 00:19:13,100
There are specific military establishments,

396
00:19:13,100 --> 00:19:14,810
you cannot fly anything near that.

397
00:19:14,810 --> 00:19:16,760
There are specific areas where you cannot fly.

398
00:19:16,760 --> 00:19:17,879
So, what we can do

399
00:19:17,880 --> 00:19:21,850
is to change or to spoof the GPS coordinates

400
00:19:21,850 --> 00:19:24,082
as one of the no-fly zone areas.

401
00:19:25,320 --> 00:19:27,322
And immediately once you do this,

402
00:19:30,399 --> 00:19:32,110
the civilian GPS

403
00:19:34,124 --> 00:19:36,340
works something similar to WiFi,

404
00:19:36,340 --> 00:19:38,270
whichever is the strongest signal,

405
00:19:38,270 --> 00:19:40,110
it takes the stronger signal.

406
00:19:40,110 --> 00:19:42,340
So, our GPS signal will be the stronger

407
00:19:42,340 --> 00:19:44,129
because that is closest to the drone.

408
00:19:44,130 --> 00:19:46,350
So, the drone will think that,

409
00:19:46,350 --> 00:19:49,889
instead of flying in a fly zone, which it is,

410
00:19:49,890 --> 00:19:52,503
all of a sudden it is a no-fly zone.

411
00:19:52,503 --> 00:19:55,879
And the drone's automatic landing procedure comes in,

412
00:19:55,880 --> 00:19:58,273
kicks in, and it lands.

413
00:20:00,250 --> 00:20:03,660
Another attack that we have launched against Mavic Enterprise

414
00:20:03,660 --> 00:20:06,110
is based on firmware modification.

415
00:20:06,110 --> 00:20:08,340
So, we change the firmware.

416
00:20:08,340 --> 00:20:09,970
By changing the configuration values,

417
00:20:09,970 --> 00:20:11,860
we can tweak the configuration values.

418
00:20:11,860 --> 00:20:12,909
So, when the drone is flying,

419
00:20:12,910 --> 00:20:15,110
we can change the configuration values

420
00:20:15,110 --> 00:20:18,580
of, say, brake sensitivity from 0.6 to 0.2.

421
00:20:18,580 --> 00:20:19,510
So, all of a sudden,

422
00:20:19,510 --> 00:20:22,680
you expect the drone to stop at a certain speed

423
00:20:22,680 --> 00:20:25,980
and it does not stop, and then goes and hits something

424
00:20:25,980 --> 00:20:27,730
on the left side or right side.

425
00:20:27,730 --> 00:20:30,800
So, we can change different configuration values

426
00:20:30,800 --> 00:20:34,680
to make the drone behave erratically.

427
00:20:34,680 --> 00:20:37,170
You can discuss more on this, on this Slido.

428
00:20:37,170 --> 00:20:39,470
Oh, I'll be available on Slido right now.

429
00:20:39,470 --> 00:20:40,900
So, if you have other questions,

430
00:20:40,900 --> 00:20:45,100
please feel free to throw questions at me.

431
00:20:45,100 --> 00:20:49,250
Finally, what we did was looking at the security

432
00:20:49,250 --> 00:20:52,063
of the Android application which DJI provides.

433
00:20:53,321 --> 00:20:57,260
So, DJI Mavic Pro in itself looks like a very strong

434
00:20:59,510 --> 00:21:03,020
security-concerned development,

435
00:21:03,020 --> 00:21:05,480
but the app is not.

436
00:21:05,480 --> 00:21:06,730
At least for us.

437
00:21:06,730 --> 00:21:10,910
So, we managed to bypass the authentication

438
00:21:10,910 --> 00:21:12,730
mechanism in the DJI app,

439
00:21:12,730 --> 00:21:15,530
which means you can log in offline,

440
00:21:15,530 --> 00:21:18,280
you don't need the username and password

441
00:21:18,280 --> 00:21:21,300
to connect to the drone from the app, the changed app.

442
00:21:21,300 --> 00:21:23,820
So we reverse engineered the app,

443
00:21:23,820 --> 00:21:27,580
changed the code which leads to authentication.

444 00:21:27,580 --> 00:21:31,060 And now the repackaged application
445 00:21:31,060 --> 00:21:32,409 can connect to any drone,
446 00:21:32,410 --> 00:21:34,453 not just supported drones on the app.
447 00:21:35,676 --> 00:21:36,527 Tello, unsupported drones as well.
448 00:21:36,527 --> 00:21:39,730 And you don't need the authentication mechanism to connect.
449 00:21:39,730 --> 00:21:42,870 We removed some functions like, all in function,
450 00:21:42,870 --> 00:21:45,370 updating the firmware, a bit false.
451 00:21:45,370 --> 00:21:46,520 These things were removed
452 00:21:46,520 --> 00:21:49,840 so that we can work with the old firmware
453 00:21:50,780 --> 00:21:51,730 in the drone.
454 00:21:51,730 --> 00:21:53,670 So, we don't need firmware updates,
455 00:21:53,670 --> 00:21:54,503 or sometimes it says,
456 00:21:54,503 --> 00:21:58,270 "You cannot run the drone without updating the firmware."
457 00:21:58,270 --> 00:21:59,430 That doesn't happen to us
458 00:21:59,430 --> 00:22:01,230 because we have changed that option.
459 00:22:02,160 --> 00:22:03,820 So, these are some of the attacks that we have
460 00:22:03,820 --> 00:22:05,143 in Mavic Enterprise Pro.
461 00:22:06,850 --> 00:22:07,884 More to come.
462 00:22:07,884 --> 00:22:10,580 There are a few engineers and a few of my students
463 00:22:10,580 --> 00:22:13,720 and myself, we're working on a few other drones.
464 00:22:13,720 --> 00:22:17,150 Right now we are working on a DJI Mavic Mini,
465 00:22:17,150 --> 00:22:19,760 DJI Phantom, Accord drone
466 00:22:19,760 --> 00:22:23,280 on different attacks like GPS jamming, replay attack,
467 00:22:23,280 --> 00:22:25,310 GPS spoofing with router smartphone,
468 00:22:25,310 --> 00:22:29,350 sniffing the USB traffic between the RC and mobile phone.
469 00:22:29,350 --> 00:22:31,399 So, remote controller and the mobile phone,
470 00:22:31,400 --> 00:22:32,390 it's a funny part
471 00:22:32,390 --> 00:22:36,310 because, one, most of the drones,
472 00:22:36,310 --> 00:22:38,010 it comes with the controller.
473 00:22:38,010 --> 00:22:41,070 And because mobile phones are an integral part
474 00:22:41,070 --> 00:22:42,600 of all of our lives nowadays,
475 00:22:42,600 --> 00:22:45,149 they give an option to connect your mobile phone
476 00:22:45,150 --> 00:22:46,490 to the controller
477 00:22:46,490 --> 00:22:49,910 and use an application on your mobile phone
478 00:22:49,910 --> 00:22:52,550 to control the controller, right?
479 00:22:52,550 --> 00:22:54,710 It is completely not needed
480 00:22:54,710 --> 00:22:56,780 if you just want to control the drone,
481 00:22:56,780 --> 00:22:58,399 but most drones have this.
482 00:22:58,400 --> 00:23:01,090 But this opens up a new area to attack,
483 00:23:01,090 --> 00:23:03,419 which is a flawed phone.
484 00:23:03,420 --> 00:23:05,600 Now, what is this malicious program
485 00:23:05,600 --> 00:23:09,040 that is running on the phone along with the DJI app?
486 00:23:09,040 --> 00:23:11,230 Then can we take control of the drone?
487 00:23:11,230 --> 00:23:12,540 So, that is what we're working on,
488 00:23:12,540 --> 00:23:13,673 we're sniffing this USB traffic
489 00:23:13,673 --> 00:23:16,690 between the controller and mobile phone
490 00:23:16,690 --> 00:23:19,690 to see what kind of attacks we can launch then.
491 00:23:19,690 --> 00:23:21,780 And finally, we are also doing an attack
492 00:23:21,780 --> 00:23:24,870 on the video streaming protocol called RTSP.
493 00:23:24,870 --> 00:23:27,023 So that is our kind of work.
494 00:23:28,447 --> 00:23:30,197 More work will be added to it soon.
495 00:23:32,700 --> 00:23:35,620 So, what can we get from this?
496 00:23:35,620 --> 00:23:39,080 I mean, I said what we did, what we have, blah, blah, blah,
497 00:23:39,080 --> 00:23:41,360 but I'm sure that you are not interested...
498 00:23:41,360 --> 00:23:43,209 As intriguing as it is,
499 00:23:43,210 --> 00:23:46,023 you wanna know when you can have hands on this thing.
500 00:23:46,912 --> 00:23:48,440 Soon, very soon.
501 00:23:48,440 --> 00:23:52,890 This is a project which is funded by our university,
502 00:23:52,890 --> 00:23:54,670 and a few organizations
503 00:23:54,670 --> 00:23:56,870 which include our government entity as well.
504 00:24:00,712 --> 00:24:04,210 We need the permission to release it as open source
505 00:24:04,210 --> 00:24:05,620 to the public.
506 00:24:05,620 --> 00:24:08,283 We have in-principle permission from them.
507 00:24:10,862 --> 00:24:12,243 The IP rights belong to us.
508 00:24:13,703 --> 00:24:16,490 But, we are soon having a review with the organizations
509 00:24:16,490 --> 00:24:21,020 and the user before we release our GitHub code as public.
510 00:24:21,020 --> 00:24:24,050 So, that will happen soon, in a couple of months.
511 00:24:24,050 --> 00:24:26,940 By the time this presentation is over,
512 00:24:26,940 --> 00:24:29,360 it should most probably be there.
513 00:24:29,360 --> 00:24:30,193 What can you get?
514 00:24:30,193 --> 00:24:33,670 You can get an open-source drone pen testing framework,
515 00:24:33,670 --> 00:24:36,270 with readily available attack polyfills.
516 00:24:36,270 --> 00:24:38,160 And how can you contribute to it?
517 00:24:38,160 --> 00:24:41,970 Once it is public, you can add your own attack modules,
518 00:24:41,970 --> 00:24:45,000 you can probably fix some of the problems
519 00:24:45,000 --> 00:24:46,660 that our modules have.
520 00:24:46,660 --> 00:24:50,450 Maybe like, there are instances of the video freezing attack.
521 00:24:50,450 --> 00:24:52,393 It started as a video.
522 00:24:53,560 --> 00:24:55,300 Man-in-the-middle attack for the video,
523 00:24:55,300 --> 00:24:58,223 to grab the video without the controller knowing it,
524 00:24:59,140 --> 00:25:00,070 but it didn't work.
525 00:25:00,070 --> 00:25:04,480 We had to be satisfied with video freezing,
526 00:25:04,480 --> 00:25:05,880 but it is well documented
527 00:25:05,880 --> 00:25:07,500 so you can see what went wrong.
528 00:25:07,500 --> 00:25:08,940 You can add more things
529 00:25:08,940 --> 00:25:11,260 and make sure that we could grab the video
530 00:25:11,260 --> 00:25:12,847 and not just freeze the video.
531 00:25:13,840 --> 00:25:17,493 So, with that, I will stop my short presentation.
532 00:25:19,670 --> 00:25:21,020 Thank you for listening to me.
533 00:25:21,020 --> 00:25:23,250 Thank you, RSA, for giving me this opportunity
534 00:25:23,250 --> 00:25:28,250 to share this platform with this reputed panel and audience.
535 00:25:28,950 --> 00:25:33,030 And any questions, please feel free to email me
536 00:25:33,030 --> 00:25:35,057 or ask in the Slido.
537 00:25:36,850 --> 00:25:37,683 Thank you.