
Fb1h2s aka Rahul Sasi's Blog

Maldrone the First Backdoor for drones.

Hi Guys,

Introduction:

You read it right. I am going to give a quick demo of the first ever drone backdoor, aka Maldrone [Malware Drone].

There are over 70 nations building remotely controllable drones. Most of these drones are capable of making autonomous decisions. Countries buy drones from their neighbors. What are the chances that there is a backdoor in the drone you bought? What are the possible ways you can backdoor a drone? What would be the impact if a security issue is found in computing devices that make decisions of their own?

This is part of my ongoing research, some of which I will be answering/demonstrating at Nullcon this Feb 7th, 2015: http://nullcon.net/website/goa-15/about-speakers.php

Maldrone: Backdoor for Drones.

Features:
Maldrone will get silently installed on a drone.
Interact with the device drivers and sensors silently.
Lets the bot master control the drone remotely.
Escape from the drone owner to the bot master.
Remote surveillance.
Spread to other drones *.

Demo:

In this demo we show a drone being infected with Maldrone and expect a reverse TCP connection from the drone. Once the connection is established we can interact with the software as well as the drivers/sensors of the drone directly. There is an existing AR drone piloting program. Our backdoor kills the autopilot and takes control. The backdoor is persistent across resets.




For this research we are using the Parrot AR Drone 2.0 and DJI Phantom. Maldrone is developed for AR drone ARM Linux.

In this demo we will install Maldrone on the drone. Once it is installed, Maldrone will connect back to the botmaster and wait for commands. Maldrone can proxy the device driver and sensor communications, so it can interact with the drone communication and proxy data from the drone sensors.


Maldrone would be a good buddy for http://samy.pl/skyjack/.

Samy's skyjack is an exploit for the Parrot AR drone. Maldrone is a payload and not an exploit. So once you hack a drone using skyjack or any drone-specific vulnerability, you then install Maldrone as a backdoor.


The idea: AR drone Introduction

The AR drone quadcopter contains a 9 degrees-of-freedom (DOF) inertial measurement unit (IMU).
"Degrees Of Freedom" or "DOF" is the number of axes and sensors combined for balancing a plane, a helicopter or a robot.
ref: http://playground.arduino.cc/Main/Wh...9DOF10DOF11DOF

Inertial measurement unit (IMU) and other sensors:
a) 6 DOF gyroscope
b) 3 DOF magnetometer
c) an ultrasound sensor [used for low altitude measurements]
d) a pressure sensor [altitude measurement at all altitudes]
e) a GPS sensor

Access to this sensor data is made available via serial ports.

The AR drone has a binary named program.elf which controls the entire drone using this nav-board data. This little program is smart enough to perform auto landing, flight stability and various other AR drone tricks.
Check out this video: https://www.youtube.com/watch?v=IcxBf-kegKo

Is Maldrone the first malware for drones?

The AR drone also exposes a high-level API, and this is open sourced. This lets you control the drone via AT commands, and you could program the drone to do pretty much anything. A lot of previous research and attempts to backdoor drones used this API. This would make the backdoor concept very generic to AR drone.

Ref previous works:

http://boingboing.net/2012/12/09/fly...irus-copt.html
http://www.cbronline.com/news/securi...ection-4483778

I am trying to build something more generic. The programs out there, like the above, use the Parrot drone API as a backdoor. The Parrot drone is a toy and our research is in no way specific to Parrot. We are documenting generic ways in which you could backdoor a drone.

My idea of taking up this project was to learn how it is possible to backdoor robots and drones in general. So the best bet is to interact with the sensors and navigation data directly.

A good backdoor:

A lot of people are trying to build custom firmware for the Parrot AR drone. Technically a custom modified firmware or a replacement for the AR drone program.elf is enough as a substitute for a backdoor. But what we have now is highly unstable. The entire operation of the AR drone is done via program.elf, which is not open source. Reversing and figuring out the serial port communication seems really hard, even though I and a few others have taken that route.

Ref:
http://blog.perquin.com/blog/ar-dron...f-replacement/
https://github.com/ardrone/ardrone
https://github.com/felixge/go-ardrone
http://embedded-software.blogspot.in...le-format.html

Building the Backdoor:

The drone controller program.elf interacts with the navigation board using the following serial ports.

/dev/ttyO0 -> rotors and leds
/dev/ttyO1 -> Nav board
/dev/ttyPA1 -> Motor driver
/dev/ttyPA2 -> accelerometer, gyrometer, and sonar sensors
/dev/video0, /dev/video1 -> video4linux2 devices
/dev/i2c-0
/dev/i2c-1
/dev/i2c-2
/dev/usb-i2c

[Image: ida_re.jpg]

Like any other serial port program, program.elf uses the Linux open syscall to read the devices. Since program.elf is using those ports, our backdoor would not be able to interact with those sensors, and we do not have an ideal solution for replacing program.elf and accessing the sensors.

Maldrone Idea.

Step 1: Kill program.elf.
Step 2: Set up a proxy serial port for the navboard and others.
Step 3: Redirect actual serial port communication to fake ports.
Step 4: Patch program.elf and make it open our proxy serial ports.
Step 5: Maldrone communicates with the serial ports directly.

Now all serial communication to the navboard goes via Maldrone. It can intercept and modify data on the fly. It will connect to the botserver and make the drone available to the botmaster.
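
A defender-side check for the pattern in Steps 1 to 5, added here as an example and not part of the original post or of Maldrone: it walks /proc and reports any process other than program.elf that holds one of the serial nodes listed earlier, and any listed node that program.elf no longer holds. The baseline (program.elf holds all four nodes), the function names and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): list which processes hold the
# flight-critical serial nodes named in the post.
# Assumption: a known-good program.elf holds every node in WATCHED.
WATCHED="/dev/ttyO0 /dev/ttyO1 /dev/ttyPA1 /dev/ttyPA2"
OWNER="program.elf"

# audit_serial [PROC_ROOT]: prints one finding per line, nothing when clean.
audit_serial() {
    root=${1:-/proc}
    owner_held=""
    # Pass 1: every open fd that resolves to a watched node.
    for fd in "$root"/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case " $WATCHED " in *" $target "*) ;; *) continue ;; esac
        piddir=${fd%/fd/*}
        exe=$(readlink "$piddir/exe" 2>/dev/null) || exe="?"
        # An exe unlinked after start reads "... (deleted)" and is flagged.
        if [ "${exe##*/}" = "$OWNER" ]; then
            owner_held="$owner_held $target"
        else
            echo "UNEXPECTED pid=${piddir##*/} exe=$exe holds $target"
        fi
    done
    # Pass 2: a running controller that no longer holds a real node may have
    # been pointed at a substitute port.
    for piddir in "$root"/[0-9]*; do
        exe=$(readlink "$piddir/exe" 2>/dev/null) || continue
        [ "${exe##*/}" = "$OWNER" ] || continue
        for dev in $WATCHED; do
            case " $owner_held " in *" $dev "*) continue ;; esac
            echo "MISSING pid=${piddir##*/} $OWNER does not hold $dev"
        done
    done
    return 0
}

# Constructed sample tree, not captured from a drone: pid 101 is the
# controller holding only ttyO0, pid 202 is an unknown binary on ttyO1.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/101/fd" "$d/202/fd"
    ln -s /constructed/program.elf "$d/101/exe"
    ln -s /dev/ttyO0 "$d/101/fd/3"
    ln -s /constructed/unknown "$d/202/exe"
    ln -s /dev/ttyO1 "$d/202/fd/4"
    echo "$d"
}
sample=$(make_sample); audit_serial "$sample"; rm -rf "$sample"
```

On a live system, call `audit_serial /proc` as root so other processes' fd tables are readable; a process name match alone does not prove the binary is unmodified, so pair this with a hash of program.elf taken from a known-good unit.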

More technical details of the hack will be presented at Nullcon.
http://nullcon.net/website/goa-15/about-speakers.php

Disclaimer
Whatever we are demonstrating is for educational purposes only. Working at Citrix has given me the flexibility to conduct research in an area I'm very passionate about. This "maldrone" research was conducted solely by me, Rahul Sasi, and does not reflect the products or vision of Citrix.

I am a very curious person. The objective of this research was to learn about Artificial Intelligence programming and get answers to a few questions I had.

Attend my talk at Nullcon if you are interested. These are the things you would take away from my talk.

1) Drone aviation principles
2) ARM reversing
3) Linux driver communication and proxying
4) DoS attacks on drones
5) Security vulnerabilities in drones


Regards,

Rahul Sasi
http://twitter.com/fb1h2s

Comments

  1. leeladitya
    Hello sir,
    I have attended NULLCON-15 and ur talk is awesome.... I want the maldrone code so that I can work on it.. plz help me
