
Conference DEFCON 23. "How I knocked down the annoying drone of a neighbor's child." Michael Robinson

Thank you very much for coming to listen to me! What I’m going to talk about is different from the speeches of previous speakers. First, I want to thank the people who helped me in preparing this talk. Some of them were able to attend, some were not. These are Alan Mitchell, Ron McGuire, Chris Taylor and Katie Heritage, and a few others who wanted to remain anonymous, so their names are printed in black in this picture.



My neighbor really got me, and his child got me doubly! I am annoyed by his ... snot, you can replace "snot" with a more appropriate word of four letters! But the biggest problem arose when a neighbor guy had this very thing - a quadrocopter with a video camera.


This kid ran around with it throughout the county day and night, and his drone crashed into every car, every house and every tree in its path. But the main thing for which he ran around the streets with it was this:



The little bastard believed that the Internet is needed in order to spy on naked neighbors through the windows of houses. My first reaction was simply to take this thing and destroy it. But in the last speech it was already said that an attempt to bring down the drone would create a big problem for you. In addition, I do not want anyone to shoot down my own drone, but the idea of such an approach to solving a problem got me thinking.

I began to look for options for an adequate response. Maybe this?



The news showed that some guy in New England attached an automatic pistol to his self-made drone, or should I use a more solid option?



I saw that the very first shot was phenomenally accurate and ... well, nobody cares. Maybe I should show the boy that? But this is not cool at all.



So, I began to look for a way out of the situation, for which I studied a myriad of rules, each of which tried to regulate the use of unmanned flying systems, which we call quadrocopters or drones. Most of these rules restrict the use of such systems for state or commercial purposes; in the latter case, you must register the aircraft with the FAA, the United States Federal Aviation Administration, and obtain a flight permit.

Imagine me testing my DJI Phantom 3 drone above the parking lot for this presentation. Then a guy from a special DHS unit controlling drones in the District of Columbia comes up to me, taps me on the shoulder and says:

- Do you know what the rules say about this?
- Yes!
- Do you do this for commercial purposes?
- No!
- Fine, all the best!

And leaves.

Then I catch up with him and shout that I have a question! And he answers me that he has a whole bunch of problems with the guys who run their drones over the National Stadium and then lose them. I ask him: "How do you even find these guys?" To which he replies: "Easy! Most of the guys who lose these things come to the top of the hill with controllers in their hands and ask if I have seen their drones." I say: "Really?", and he says: "Well, yes, we wait for them in this place and catch them!"

So the non-commercial use of drones as a hobby is not regulated at all. True, there are regulations governing the no-fly zones over Washington and its center, the White House. It is forbidden to fly within a radius of 15 miles from Washington, 5 miles from airports, if you do not have permission to do so, and over military bases, because it can end badly.

In addition, it is forbidden to take off, land or crash in national parks. From a technical point of view, the airspace does not fall within the scope of the NPS, the National Park Service, but the NPS may detain you due to security breaches, because your drone may fall on someone’s head, or due to excess noise. For example, some guy films a sunset over the Grand Canyon from his drone, and then a man in a Smokey Bear hat comes up to him, takes the drone and takes the guy with him.

A temporary ban on flights operates over zones of natural disasters, fires, over the venues of sports events, major gatherings and places visited by the president, a few hours before and after his visit.

It is forbidden to place weapons on the drone, since in this case a weapon system is created. It is also forbidden to lift the drone higher than 400 feet (120 m) above the ground and to let the drone fly beyond the line of sight. 16 states have their own rules about this.

I learned from that DHS guy that much of the airspace now falls under their jurisdiction and that the five-mile zone around the airports has practically blocked off all of New York, with the exception of a few parks. In addition, it is forbidden to fly over pedestrian areas, as there is a threat of a drone falling on a person.



Regarding the use of drones as a hobby, there are also a whole bunch of restrictions imposed by the Quality Requirements of model aircraft in accordance with the provisions of the FAA Modernization and Reform Act of 2012 (PL112-95, Section 336):


However, most people do not know anything about these rules, because everyone fraternally tries to invent them. The next slide shows all the no-fly zones over the east coast of the United States, and there are a hell of a lot of them.

If you register on the Parrot website, you will see a map with data on the use of the application for controlling drones with the Bebop controller; the data is automatically transferred to the website from everyone who uses this program.



This is very interesting, because according to this map, about 2000 flights are registered in the zone of New York and as many flights over Washington. If we overlay these maps on each other, we will see that people launch drones in restricted areas and know nothing about it.



This is all good, but the neighbor's child continues to bother me with his drone, so he did not read anything like that. Therefore, I wondered what should be done to ensure that his drone landed on the ground, gracefully or not so gracefully?

There are several ways to do this, one of which is shown on the next slide (the inscription “Johnny, droneshunter. Privacy protection”). Or use something more subtle, for example, to make an unsuccessful attempt to shoot nude behind someone else's window to knock the drone to the ground.

I decided to study in more detail the two most common models of drones. The first is the Parrot Bebop. It has a 1080p camera in front, is equipped with a 2-core P7 main processor and a 4-core video processor, has 8 GB of memory, reaches horizontal speeds of up to 45 miles per hour and runs Linux with an SDK.



A closer look at the specifications allowed me to discover something interesting: the drone generated its own WiFi signal and used the 802.11 standard! This meant that we had a flying router with the DHCP network protocol. Awesome!



Upon further study of the specification, I found another interesting thing: inside the drone there was a GPS / GLONASS module, using the American or Russian satellite navigation system. What happens if I try to spoil this chip? There are several things that can help with this.

This is the Free Flight 3 app for the Skycontroller controller, which is installed on your mobile device running Android or iOS. It is updated from the Bebop website, and there are no applications for managing the Parrot Bebop drone in the App Store, so you can ignore the updates and not install them.

I thought about whether there are any commands that send the drone home. For example, it approached me, I waved in front of its camera, driving it away, and it flew back. It turned out that the drone has a return-home function, the Home Return Feature. It has an interesting feature. If the drone flies at a height of more than 10 m, then after activating this function, it flies straight home. If it is located low above the ground, for example, at a height of 2 m, then when this function is enabled, the drone automatically gains a height of about 10 m, stabilizes its position and only after that flies to the place from which it was launched.

So if you live in a house with GPS and you have a ceiling fan in your living room, turning on the return home function is not a good idea, as it can lead to disastrous consequences. This is happening too fast, this is how I lost my first drone.

Another item of documentation that caught my attention: if the Bebop drone loses connection with a smartphone or controller, it is sent home 30 seconds after the connection has been lost.

Then I wondered what would happen if:





This thing flies under its own MAC address and uses DHCP. It can be scanned using various devices; I used the Pineapple router. There is a basic connection of the tablet and drone over WiFi, which provides the connection of the application on the smartphone with the drone application.

I conducted the corresponding tests with my own drone, simply turning off WiFi, as a result of which the drone did not wait for any 30 seconds - it just fell like a stone to the ground, because the motors were "cut off" after losing the connection. I did 5 tests and lost 6 propellers. This is how it looks in the video - at first it hangs in the air, and after turning off the routers it just lands on the place over which it hung, no attempts to go home. Perhaps it believed that the house was located directly below it.

What else can you do? I guessed! Take a look at this slide.



The drone is a flying wireless access point. It has a default name, IP address, subnet mask, DHCP function and MAC address. There is no encryption protection, and it uses WiFi channel 9. I scanned it with Nmap and found out that this is a real flying ftp server! All 4 of its ports are open: 21 is used for ftp, 23 is for Telnet, 51 is for la-maint and 44444 is for an unknown purpose.

I connected 10 devices to the drone at the same time, and only one was able to “talk” with it - the other 9 “sat” and waited for their turn.

Since this is a flying ftp server, I used the BusyBox v1.20.2 set of UNIX command line utilities and found two directories that interested me: media and thumb. In the first, the little monster kept his pirated video with the extension .mp4, in the second - the picture with the extension .jpg.



To connect via ftp, no authorization was required, so I sat and thought what would happen if I replaced his picture with a naked girl with something like this:



The day was definitely a success. I thought that I could pull all the videos that he had taken in the neighboring houses from the drone of this guy and just watch them just to find out what my neighbors look like.

But the drone also had a “wide open” Telnet port during the flight, which in general killed me. I researched port 23 using the BusyBox program, which I had last used 3 years ago. Since then, about 10 updates have been released, which it refused to install, but despite this, it was able to give me a whole list of directories and files. Among them, I found the control parameters I was interested in.



So, I launched drone number 2 (by the way, it turned out that I was engaged in a very expensive project), and it hung in my kitchen. I went in over Telnet through BusyBox while the drone was hanging in the air, saw its IP address and thought what would happen if I enter this command: # ardrone3_shutdown.sh?



I sat at the table in my kitchen, the drone hung in the air, and as soon as I typed this command and pressed Enter, it abruptly pulled down and to the side and crashed into the plate!

I hoped that he would land gracefully near me, but it did not look graceful at all. If I were one of those tough guys who are caught by carbon-fiber shurikens flying in them ...

Here is how this process looked in the park. It did not land straight down, as it did when WiFi turned off. It made an incomprehensible maneuver to the side, then abruptly lurched to the side and fell to the ground with propellers downward so that it could not take off again. It looked as if we launched a malicious exploit, which sharply cut down all the processes and the backup did not work. As if the drone was flying along the wall and it was suddenly picked up by the upward flow, after which no one could guess where it would fly.

I was going to do something similar here, and when I launched my drone this morning, as many as 6 participants of our conference connected to my open Telnet network!

We continue our conversation. Next to me in the park was my colleague, and when he saw what had happened, he said: "Nothing big! Now, if you raised it 400 feet and threw it down ...", to which I replied: "Then give me your drone!"

Let's see what can be done when the neighbor guy is with his drone in my yard. At the same time, my smartphone and his tablet are simultaneously connected to the same drone. Only he has a connection between the application on the tablet and the drone application, but I have no such connection. Let me remind you that I have already tried to connect 10 devices to the drone at the same time.



The next slide shows what is visible on the screen of my smartphone when the application properly manages the flight of the drone. I have access to the functions of a drone hovering at a height of one meter in the hotel lobby. Those present did not look happy watching my experiment.



But what picture at the same time is observed on the tablet screen when the application is running:



I could connect to the network, but my application on the tablet could not connect to the drone.
Then I had the idea to send a deauth packet to disconnect clients from the network, and as soon as I did this, the message “The connection is disconnecting ...” immediately appeared on the iPad screen and the picture stopped.





I asked myself the question of who will win in this race, who will be able to quickly connect to the network after a connection is broken - the drone pilot or I, holding my finger on the connection button. If the neighbor boy is on the street, he will first try to catch his home WiFi network or any other network, and then he will want to connect with his drone. If the connection with the drone is interrupted at this time, then he will sit there and try to connect to the network, as he will think that it’s not the connection to the drone that is broken, but the connection to the WiFi network. At the same time, the picture transmitted by the drone to the screen of his tablet will remain “frozen”.

At the same time, I will intercept the management of the drone, after which he will not be able to connect with it, since only one mobile device can control the drone at a time. I checked that when I sent the deauth packet to my tablet, my wife’s smartphone continued to work with the drone normally. That is, I can interrupt the connection with the drone for a specific device.

And while that guy will deal with his connection, I will click on the EMERGENCY button located at the top of the screen, and the drone will immediately fall from heaven to earth.

So, if the device on which the Free Flight 3 application is launched is disconnected from the network, then after the connection is restored, by default it will not attempt to reconnect to the Bebop drone.

If you have extra money, you can buy Skycontroller, which expands the range of drone control. The next slide shows how it looks. As it turned out, this is another fully open access point.



In this case, the tablet connects to the Skycontroller, and the Skycontroller in turn connects directly to the drone. This means that we can “hit” with the deauth packet in two places - via the iPad-controller connection or via the Skycontroller-drone connection. In this case, the tablet is located in the docking station, it does not participate in the management and simply distributes the WiFi controller. If I turn it off, I can take control of both the controller and the drone. That is, the drone will be mine.
This option did not bother me, because, in extreme cases, I could do coding and write an exploit, but that would be superfluous, since Free Flight 3 is a completely open application.
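
A defender-side view of the deauthentication behaviour described above, as an added example that is not part of the talk: a Python sketch that flags bursts of deauth/disassociation frames aimed at one client of one access point, which covers both the tablet-controller and the controller-drone link. The MAC addresses, timestamps, window and threshold are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

DISASSOC, DEAUTH = 10, 12  # 802.11 management-frame subtypes


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_kick(frame):
    """Return (dst, src, bssid, reason) for a deauth/disassoc frame, else None.

    Expects a bare 802.11 frame (radiotap header already stripped).
    """
    if len(frame) < 26:                       # 24-byte header + 2-byte reason
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in (DISASSOC, DEAUTH):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason


def detect_bursts(capture, window=1.0, threshold=5):
    """capture: (timestamp_seconds, frame_bytes) pairs in time order.

    On an open network these frames are unauthenticated, so the source
    address proves nothing; bursts are keyed on (BSSID, destination) instead.
    Returns one alert per pair, raised when the threshold is first reached.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in capture:
        parsed = parse_kick(raw)
        if parsed is None:
            continue
        dst, _src, bssid, reason = parsed
        seen = recent[(bssid, dst)]
        seen.append(ts)
        while ts - seen[0] > window:          # drop frames older than the window
            seen.popleft()
        if len(seen) >= threshold and (bssid, dst) not in alerts:
            alerts[(bssid, dst)] = {"bssid": bssid, "target": dst,
                                    "first_seen": seen[0], "reason": reason}
    return list(alerts.values())


# --- constructed sample data (all addresses are made up) ---
AP, TABLET, PHONE = (bytes.fromhex(h) for h in
                     ("020000000001", "0200000000aa", "0200000000bb"))


def build(fc0, dst, src, reason=None):
    hdr = bytes([fc0, 0, 0, 0]) + dst + src + AP + b"\x00\x00"
    return hdr + (struct.pack("<H", reason) if reason is not None else b"\x00" * 12)


SAMPLE = sorted(
    [(1.0, build(0x80, b"\xff" * 6, AP)),                # beacon: ignored
     (3.0, build(0xC0, PHONE, AP, 3))]                   # single deauth: normal
    + [(10.0 + i * 0.05, build(0xC0, TABLET, AP, 7)) for i in range(8)],
    key=lambda item: item[0])

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE):
        print(alert)
```
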

Consider another option to intervene in the work of the drone, namely, an attempt to break the GPS signal. I found a specification of frequencies that are used for the GPS network in the USA and for the GLONASS network in Russia. But there is one small problem - interfering with GPS signaling is against the law. According to the laws of the United States, blocking such radio signals is punishable by a fine of $11,000 or imprisonment for a year. The FCC, the Federal Communications Commission, can impose a fine in the amount of $16,000 for each day of such violations or a maximum of $112,500 for every single case of interference with the GPS operation or for attempting such intervention.



You can report such cases to the FCC website by calling a special number on the “hot line”, after which they will try to correct the situation or find and punish the culprit.

I again turned to the DHS guy and said that I want to do some research in this area. He said: "You are not going to mention my name?" I replied: "Of course not!", and then he said: "They will never be able to catch you if you do this only once!"
I talked to a lawyer, and he explained to me that it was illegal all the same, even if I tried to do this for fun.

I turned to a police officer who told me the following: “If you carefully read the FCC rules, you will see that all these measures are designed so that turning off the signal does not cause anyone harm. Thus, hypothetically, if you move 20 miles away from the city, you will wander into the forest thicket and take your tests there.”

So let me introduce you to your new friend! You can see it on the next slide. Since the sale of any GPS jammers is illegal, this device is called the GPS Testing Generator, and anyone can buy it online for $25. It is specifically designed to block specific frequencies in the 1.56-1.58 and 1.217-1.237 MHz bands and operates at a distance of 20 m. If you try to carry out tests in public, the police will confiscate it.

If you use this “jammer” for the drone, after losing the GPS signal, it will not be able to move forward or backward and will simply hang in the air.





Catching the signal again, it does not activate the return home function, but simply remains hanging in the air at the same place. This is a very interesting thing! The drone does not "rewrite" the coordinates of the house after the loss of communication, it simply loses the ability to use the return home mode, even if this mode was activated earlier. Something like this happens when the drone flies under a bridge or thick trees. After losing the GPS signal, it simply hangs in place, and this becomes a big problem for the pilot.



Next, I tried to investigate the effects of the magnetic field. For this, I used magnets from HDD hard drives and was disappointed with the result - the magnetic field had no effect on the drone.

I note that traces of the Bebop drone control, such as date and time stamps, MAC address and serial number, remain in your iPhone as a file with the .pls extension, so you can resume control at any time or simply erase them.

Let's try to consider something more than Bebop. For example, take DJI Phantom 3, which was released last June.



In its specification it is indicated that because of the incidents that took place, it is allowed to use it only in certain geofences. It can fly a distance of 2 km from the pilot, develops a horizontal speed of up to 35 miles per hour and operates in two modes. Mode P limits the height and distance of the flight, and also uses the No Fly zone monitoring function for safety. In mode A, only a lifting height of 500 m is limited.

If this drone reaches the exclusion zone in mode A, but is switched to mode P, it will automatically lower the altitude, land and turn off the motors. It "understands" the standards of GPS and GLONASS. The DJI Pilot app gives you a hint: “You are in a no-fly zone,” after which the drone makes an automatic landing. Since this drone uses geolocation, it is very sensitive to electromagnetic radiation and needs regular calibration. The magnetic field affects the data of the compass, which degrades the characteristics of flight and can lead to a catastrophe.

Exposure to the influence of electromagnetic fields caught my attention!

DJI Pilot drone management program is not distributed through the App Store and can be downloaded from the official site. It automatically “looks in” at the DJI website and reminds the user of the need for an update, and he cannot ignore these updates.

When I went to this site, I received a message: "You can not take off until you install the latest update DJI Pilot"!

I said: "Aha!" and contacted 3 different technical support representatives.

I asked what I should do if I do not want to update the application. They answered: "Sorry, but we cannot help you."

I said that I want to roll back to the previous version. They replied: "This is impossible!"

I said that I can not update the application. I was advised: "Remove the SD card and try again."

Unlike Bebop, Phantom 3 does not use WiFi, so it will not work in a similar way. I thought about how to “spoil” the GPS. If you look carefully at the DJI Pilot program, you can see a small database with the coordinates of fly-by zones, which in iOS was called flysafeplaces.db. As of July 24, 2015, it contained 10,914 records, each of which included:


I easily downloaded this database and started changing parameters. If your drone is in an undescribed, non-prohibited area, the picture on the display looks like this:



At the top is the indicator, and if it is green, this means that this zone is safe for flight. But if, hypothetically, someone turns on the GPS jammer, the picture will change to this:



The GPS signal is lost and the drone begins to drift in the air. In normal flight mode, I can use the diagnostics tab of the application and see the quality of the received HD video signal on various channels that the drone uses.






Source: https://habr.com/ru/post/352942/

