Slide 1

Reverse engineering & hijacking toy quadcopters
All your drones are belong to me…

Slide 2

Agenda
• $whoami
• Introduction
• OSINT
• The hard way
• Over the air
• Conclusion

Slide 3

$whoami
• Yannick Formaggio (@TheLumberjHack)
• IT Security researcher @ Istuary Innovation Labs (Downtown Vancouver)
• Originally a software vulnerability hunter (presented a VxWorks RCE back in 2015)
• RF/Hardware tickles my curiosity (always learning)

Slide 4

Introduction

Slides 5 and 6: no text (image-only slides)

Slide 7

My ultimate goal
• Detect the flying drone using RF
• Take over the control
• Bring it down / push it away

Slide 8

Let’s reverse it!

Slide 9

What do we need?
• Understand the TX communication protocol:
  • Determine the modulation
  • Determine the data/symbol rate
  • Determine the frequencies of operation
  • Frequency hopping behavior, if any
  • Determine the packet format (size, header, payload, CRC…)
• How to glue things together to make it happen

Slide 10: no text (image-only slide)

Slide 11

OSINT
Finding info without opening the box…

Slides 12 to 16: no text (image-only slides)

Slide 17

What did we learn?

Slide 18

The hard way
Let’s void some warranties

Slide 19

XN297LCU MCU

Slide 20

SPI pins

Slide 21

What’s SPI?
• Serial Peripheral Interface bus
• Synchronous communication
• Used in embedded devices

Slide 22: no text (image-only slide)

Slide 23

DROP THE BYTES!

Slide 24

Annotations on the capture:
• T0: TX power ON
• Interesting bytes on MOSI
• Packet ID

Slide 25: no text (image-only slide)

Slide 26

XX:YY:ZZ:….:AA:….
• Command name (1 byte), register address in the 5 LSBits
• Payload (0 to 64 bytes)

Slide 27: no text (image-only slide)

Slide 28

What do we know now?
• Data rate: 2 Mbps
• Channels: 2, 71, 73, 75, 77 (2 = binding channel, the other 4 = control channels)
• Frequency hopping pace: every 3 ms
• Frequency hopping behavior: cyclic
• CRC is enabled and it’s 2 bytes long (probably CRC16)
• Packet length is 11 bytes
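The SPI byte layout of slide 26 and the parameters listed on slide 28 can be tied together by replaying a logic-analyzer MOSI capture in software: every W_REGISTER transaction the MCU issues tells you one of the radio settings. The C program below is an added example, not code from the talk. It assumes the XN297L follows the nRF24L01+ SPI convention (command byte 001AAAAA = W_REGISTER with the register address in the low five bits; CONFIG at 0x00, RF_CH at 0x05, RF_SETUP at 0x06, TX_ADDR at 0x10, RX_PW_P0 at 0x11) and runs over a constructed trace whose values, including the placeholder TX address, were made up to mirror slide 28.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One SPI transaction: the bytes clocked out on MOSI while CSN is low.
 * The first byte is the command, the rest is the payload. */
typedef struct { uint8_t len; uint8_t mosi[8]; } spi_txn_t;

/* nRF24L01+ command layout, assumed to hold for the XN297L as well:
 * 000AAAAA = R_REGISTER, 001AAAAA = W_REGISTER, A = 5-bit register address. */
#define CMD_W_REGISTER 0x20
#define CMD_MASK       0xE0
#define REG_MASK       0x1F

/* Register addresses and bit positions from the nRF24L01+ datasheet. */
enum { REG_CONFIG = 0x00, REG_RF_CH = 0x05, REG_RF_SETUP = 0x06,
       REG_TX_ADDR = 0x10, REG_RX_PW_P0 = 0x11 };
#define CONFIG_EN_CRC    0x08
#define CONFIG_CRCO      0x04   /* 0 = 1-byte CRC, 1 = 2-byte CRC */
#define RF_SETUP_DR_LOW  0x20   /* 250 kbps */
#define RF_SETUP_DR_HIGH 0x08   /* 2 Mbps when DR_LOW is clear */

typedef struct {
    int data_rate_kbps;
    int crc_bytes;
    int payload_len;
    uint8_t channels[16]; int n_channels;   /* distinct RF_CH values, in order seen */
    uint8_t tx_addr[5];   int tx_addr_len;
} radio_cfg_t;

static void note_channel(radio_cfg_t *c, uint8_t ch) {
    for (int i = 0; i < c->n_channels; i++)
        if (c->channels[i] == ch) return;
    if (c->n_channels < 16) c->channels[c->n_channels++] = ch;
}

/* Replay the MOSI trace and recover the radio configuration the MCU programs. */
void decode_trace(const spi_txn_t *t, size_t n, radio_cfg_t *cfg) {
    memset(cfg, 0, sizeof *cfg);
    for (size_t i = 0; i < n; i++) {
        if (t[i].len < 2 || (t[i].mosi[0] & CMD_MASK) != CMD_W_REGISTER)
            continue;                 /* reads, payload writes, NOP: not configuration */
        const uint8_t *v = &t[i].mosi[1];
        switch (t[i].mosi[0] & REG_MASK) {
        case REG_CONFIG:
            cfg->crc_bytes = (v[0] & CONFIG_EN_CRC) ? ((v[0] & CONFIG_CRCO) ? 2 : 1) : 0;
            break;
        case REG_RF_SETUP:
            cfg->data_rate_kbps = (v[0] & RF_SETUP_DR_LOW) ? 250
                                : (v[0] & RF_SETUP_DR_HIGH) ? 2000 : 1000;
            break;
        case REG_RF_CH:    note_channel(cfg, v[0] & 0x7F); break;
        case REG_RX_PW_P0: cfg->payload_len = v[0] & 0x3F; break;
        case REG_TX_ADDR:
            cfg->tx_addr_len = (t[i].len - 1) > 5 ? 5 : t[i].len - 1;
            memcpy(cfg->tx_addr, v, (size_t)cfg->tx_addr_len);
            break;
        default: break;
        }
    }
}

/* Constructed trace (not a capture from the talk): power-on setup, then the
 * binding channel and one pass over the four control channels. The TX
 * address bytes are placeholders. */
static const spi_txn_t SAMPLE_TRACE[] = {
    { 2, { CMD_W_REGISTER | REG_CONFIG,   0x0E } },   /* EN_CRC | CRCO | PWR_UP, PTX mode */
    { 2, { CMD_W_REGISTER | REG_RF_SETUP, 0x0E } },   /* RF_DR_HIGH set, 0 dBm */
    { 2, { CMD_W_REGISTER | REG_RX_PW_P0, 0x0B } },   /* 11-byte payload */
    { 6, { CMD_W_REGISTER | REG_TX_ADDR,  0xA1, 0xA2, 0xA3, 0xA4, 0xA5 } },
    { 2, { CMD_W_REGISTER | REG_RF_CH, 2 } },         /* binding channel */
    { 2, { CMD_W_REGISTER | REG_RF_CH, 71 } },
    { 2, { CMD_W_REGISTER | REG_RF_CH, 73 } },
    { 2, { CMD_W_REGISTER | REG_RF_CH, 75 } },
    { 2, { CMD_W_REGISTER | REG_RF_CH, 77 } },
    { 2, { CMD_W_REGISTER | REG_RF_CH, 71 } },        /* cycle wraps around */
};

radio_cfg_t decode_sample(void) {
    radio_cfg_t cfg;
    decode_trace(SAMPLE_TRACE, sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0], &cfg);
    return cfg;
}

/* i-th distinct channel seen in the sample trace, or -1 past the end. */
int sample_channel(int i) {
    radio_cfg_t cfg = decode_sample();
    return i < cfg.n_channels ? cfg.channels[i] : -1;
}

int main(void) {
    radio_cfg_t cfg = decode_sample();
    printf("data rate %d kbps, CRC %d byte(s), payload %d bytes\n",
           cfg.data_rate_kbps, cfg.crc_bytes, cfg.payload_len);
    printf("channels:");
    for (int i = 0; i < cfg.n_channels; i++) printf(" %d", cfg.channels[i]);
    printf("\n");
    return 0;
}
```

On a real capture, feed `decode_trace` one `spi_txn_t` per CSN assertion as exported by the logic analyzer; the distinct RF_CH values and the order they repeat in give the channel list and the hop sequence directly, while CONFIG, RF_SETUP and RX_PW_P0 give the CRC length, data rate and payload size needed to configure a receiver.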

Slide 29

Over the air
Let’s use some RF-Fu

Slide 30: no text (image-only slide)

Slide 31

Original from: deviationTX forums

Slide 32: no text (image-only slide)

Slide 33

From Marc Newlin @ HITB CommSec 2016
But…
“The channel hopping is generally unpredictable, and Software Defined Radios are slower to retune than the nRF24L radios. This makes it difficult for an SDR based decoder to observe all of the transmitted packets.”
– MouseJack, KeySniffer and Beyond by Marc Newlin

Slide 34

Binding packets

Slide 35

Control data packets

Slide 36

What can we do?

Slide 37

Picture of the Arduino solution: nRF24L01+ and Arduino UNO

Slide 38

Promiscuous receiver
• Technique presented in 2011 by Travis Goodspeed
• Capture all bytes sent by an nRF24-like chip using an illegal register value
• RF → bytes

Slide 39

Channel scanner
• Cycle through all 83 channels to find some data
• Display the channels where a carrier wave is found
• Drawbacks:
  • Data leaks onto adjacent channels → test the power of the carrier (RF24.testRPD()) to remove false positives
  • The 2.4 GHz band is used by WiFi/Bluetooth, … → lots of interference
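Slide 39's scanner logic, written out as an added example that is not code from the talk. On the Arduino, each pass over the band would be produced with the RF24 library (setChannel, startListening, then testCarrier and testRPD per channel); here the sweeps are constructed to model a transmitter hopping over 71/73/75/77 with leakage onto neighbouring channels and a distant WiFi network that trips carrier detect but not the RPD. The two filters are the ones the slide names: RPD gating to drop weak signals, and keeping only local maxima so the replica leaked onto adjacent 1 MHz bins does not show up as its own channel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_CHANNELS 83   /* 2400 to 2482 MHz in 1 MHz steps, the range swept in the talk */

/* One pass over the band. On the Arduino each entry would come from
 * RF24::setChannel(ch) + startListening(), then testCarrier() and testRPD();
 * the nRF24L01+ RPD only trips for signals of roughly -64 dBm or more. */
typedef struct {
    uint8_t carrier[N_CHANNELS];
    uint8_t rpd[N_CHANNELS];
} sweep_t;

/* Count, per channel, the sweeps in which both carrier detect and RPD fired.
 * Carrier-only hits (weak leakage, distant WiFi) are discarded. */
void accumulate(const sweep_t *sweeps, int n_sweeps, int hits[N_CHANNELS]) {
    memset(hits, 0, sizeof(int) * N_CHANNELS);
    for (int k = 0; k < n_sweeps; k++)
        for (int ch = 0; ch < N_CHANNELS; ch++)
            if (sweeps[k].carrier[ch] && sweeps[k].rpd[ch]) hits[ch]++;
}

/* Keep channels with at least min_hits that are a local maximum, so the
 * weaker copy a transmitter leaks onto the adjacent bins is dropped.
 * Returns the number of candidates written to out[]. */
int candidates(const int hits[N_CHANNELS], int min_hits, uint8_t out[N_CHANNELS]) {
    int n = 0;
    for (int ch = 0; ch < N_CHANNELS; ch++) {
        if (hits[ch] < min_hits) continue;
        int left  = ch > 0 ? hits[ch - 1] : 0;
        int right = ch < N_CHANNELS - 1 ? hits[ch + 1] : 0;
        if (hits[ch] >= left && hits[ch] > right) out[n++] = (uint8_t)ch;
    }
    return n;
}

/* ---- constructed scenario (not a capture from the talk) ---- */
typedef struct { uint8_t ch, carrier, rpd; } obs_t;

static void build_sweep(sweep_t *s, const obs_t *obs, int n_obs) {
    memset(s, 0, sizeof *s);
    for (int ch = 1; ch <= 20; ch++) s->carrier[ch] = 1;   /* distant WiFi: carrier, no RPD */
    for (int i = 0; i < n_obs; i++) {
        s->carrier[obs[i].ch] = obs[i].carrier;
        s->rpd[obs[i].ch]     = obs[i].rpd;
    }
}

/* Eight passes while a transmitter cycles 71, 73, 75, 77 (each sweep catches
 * one hop) and leaks onto its neighbours, occasionally hard enough to trip
 * the RPD. Returns the number of candidate channels found. */
#define N_SWEEPS 8
int sample_scan(int min_hits, uint8_t out[N_CHANNELS]) {
    static const obs_t obs[N_SWEEPS][3] = {
        { {71,1,1}, {72,1,0}, {70,1,0} },
        { {73,1,1}, {72,1,1}, {74,1,0} },
        { {75,1,1}, {74,1,0}, {76,1,0} },
        { {77,1,1}, {76,1,1}, {78,1,0} },
        { {71,1,1}, {70,1,0}, {72,1,0} },
        { {73,1,1}, {72,1,0}, {74,1,0} },
        { {75,1,1}, {74,1,0}, {76,1,0} },
        { {77,1,1}, {76,1,0}, {78,1,0} },
    };
    sweep_t sweeps[N_SWEEPS];
    int hits[N_CHANNELS];
    for (int k = 0; k < N_SWEEPS; k++) build_sweep(&sweeps[k], obs[k], 3);
    accumulate(sweeps, N_SWEEPS, hits);
    return candidates(hits, min_hits, out);
}

int sample_count(int min_hits) {
    uint8_t out[N_CHANNELS];
    return sample_scan(min_hits, out);
}

/* i-th candidate channel of the sample scan, or -1 past the end. */
int sample_candidate(int min_hits, int i) {
    uint8_t out[N_CHANNELS];
    int n = sample_scan(min_hits, out);
    return i < n ? out[i] : -1;
}

int main(void) {
    uint8_t out[N_CHANNELS];
    int n = sample_scan(2, out);
    printf("%d candidate channel(s):", n);
    for (int i = 0; i < n; i++) printf(" %d (%d MHz)", out[i], 2400 + out[i]);
    printf("\n");
    return 0;
}
```

In the constructed data the WiFi bins never pass RPD gating and the leaked neighbours (72, 76) are suppressed as non-maxima, so only 71, 73, 75 and 77 survive. A real 2.4 GHz environment is noisier than this model; a WiFi access point close enough to trip the RPD will still show up as a wide block of channels and has to be told apart from a narrow hopping transmitter by its width.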

Slide 40

VS.: < $30 CAD vs. ~ $5,000 CAD

Slide 41

Receive and decode data
• Tune the nRF24 using all the information we got earlier (SPI + spectrum analysis)
• Start sniffing the bytes…

Slide 42

Annotations on the capture:
• TXID
• Some default stick values
• Preamble (while binding)
• 11-byte packets
• Channel numbers

Slide 43

55:DC:05:DC:05:DC:05:DC:05:00:00
Fields annotated on the slide: Aileron, Elevator, Throttle, Rudder, Rate, Take-Off | Landing
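A receive-side decoder for the 11-byte control packet shown above, as an added example that is not code from the talk. The slide labels the fields but does not give byte offsets or endianness, so the layout below is this example's inference: a fixed leading byte 0x55, four little-endian 16-bit stick values (0xDC 0x05 reads as 0x05DC = 1500, the usual RC centre in a 1000 to 2000 range), one rate byte and one take-off/landing flags byte. The range check at the end is a cheap way to drop garbage that happens to arrive with the right length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CTRL_PKT_LEN 11
#define CTRL_HDR     0x55

/* Field map inferred from the slide's labels (an assumption of this example):
 *   [0]    fixed leading byte 0x55
 *   [1..8] aileron, elevator, throttle, rudder, each uint16 little-endian
 *   [9]    rate
 *   [10]   take-off / landing flags */
typedef struct {
    uint16_t aileron, elevator, throttle, rudder;
    uint8_t rate;
    uint8_t flags;
} ctrl_pkt_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 on success, -1 on bad length, -2 on unexpected leading byte. */
int parse_ctrl_pkt(const uint8_t *buf, size_t len, ctrl_pkt_t *out) {
    if (len != CTRL_PKT_LEN) return -1;
    if (buf[0] != CTRL_HDR) return -2;
    out->aileron  = le16(buf + 1);
    out->elevator = le16(buf + 3);
    out->throttle = le16(buf + 5);
    out->rudder   = le16(buf + 7);
    out->rate     = buf[9];
    out->flags    = buf[10];
    return 0;
}

/* Status code only, for quick filtering of a byte stream. */
int parse_status(const uint8_t *buf, size_t len) {
    ctrl_pkt_t tmp;
    return parse_ctrl_pkt(buf, len, &tmp);
}

/* Stick deflection relative to the 1500 centre, clamped and scaled to
 * -100..100. The 1000..2000 range is the usual RC convention, assumed here. */
int stick_percent(uint16_t raw) {
    int d = (int)raw - 1500;
    if (d > 500) d = 500;
    if (d < -500) d = -500;
    return d / 5;
}

/* Reject decoded packets whose sticks fall outside 1000..2000: noise or
 * bytes from another device rarely land in that window on all four axes. */
int ctrl_pkt_plausible(const ctrl_pkt_t *p) {
    const uint16_t v[4] = { p->aileron, p->elevator, p->throttle, p->rudder };
    for (int i = 0; i < 4; i++)
        if (v[i] < 1000 || v[i] > 2000) return 0;
    return 1;
}

/* The packet shown on slide 43, copied byte for byte. */
static const uint8_t SLIDE43_PKT[CTRL_PKT_LEN] =
    { 0x55, 0xDC, 0x05, 0xDC, 0x05, 0xDC, 0x05, 0xDC, 0x05, 0x00, 0x00 };

/* Constructed bad input: same length, wrong leading byte. */
static const uint8_t BAD_HDR_PKT[CTRL_PKT_LEN] =
    { 0x00, 0xDC, 0x05, 0xDC, 0x05, 0xDC, 0x05, 0xDC, 0x05, 0x00, 0x00 };

/* Accessors over the slide-43 packet: 0..3 sticks, 4 rate, 5 flags; -1 on error. */
int slide43_field(int idx) {
    ctrl_pkt_t p;
    if (parse_ctrl_pkt(SLIDE43_PKT, sizeof SLIDE43_PKT, &p) != 0) return -1;
    switch (idx) {
    case 0: return p.aileron;  case 1: return p.elevator;
    case 2: return p.throttle; case 3: return p.rudder;
    case 4: return p.rate;     case 5: return p.flags;
    default: return -1;
    }
}

int slide43_plausible(void) {
    ctrl_pkt_t p;
    return parse_ctrl_pkt(SLIDE43_PKT, sizeof SLIDE43_PKT, &p) == 0 && ctrl_pkt_plausible(&p);
}

int main(void) {
    ctrl_pkt_t p;
    if (parse_ctrl_pkt(SLIDE43_PKT, sizeof SLIDE43_PKT, &p) != 0) return 1;
    printf("ail %u (%d%%) ele %u (%d%%) thr %u (%d%%) rud %u (%d%%) rate %u flags 0x%02X\n",
           p.aileron, stick_percent(p.aileron), p.elevator, stick_percent(p.elevator),
           p.throttle, stick_percent(p.throttle), p.rudder, stick_percent(p.rudder),
           p.rate, p.flags);
    return 0;
}
```

Decoded this way, the slide's packet is the idle state of the transmitter: all four sticks centred at 1500 (0 %), rate 0 and no take-off or landing flag set, which is consistent with the "default stick values" annotation on slide 42.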

Slide 44

Let’s try to hijack!

Slide 45

Hypotheses
• Objective: we want to take over the control of a flying CX-10 WD
• While reversing:
  • No authentication → spoofing the TX ID should be a good start
  • No encryption (only data scrambling)
  • Similar protocols already reversed (previous CX-10 models)
• Different papers talk about timing/race conditions:
  • Send the commands before the original TX?
  • Talk louder than the original TX?

Slide 46

Other possible attacks
• The CX-10WD drone is a WiFi access point:
  • Vulnerable to WiFi deauth (the Aircrack-ng suite is your friend)
• Jamming (illegal) the control channels:
  • Needs an RF power amplifier
  • The 4 control channels are adjacent: the maximum bandwidth needed is 13 MHz

Slide 47: no text (image-only slide)

Slide 48

Conclusion

Slide 49

Conclusion
• Lots of proven techniques
• You can reproduce them on any IoT/embedded device
• We targeted toy quads (cheaper)
• More expensive & famous ones also use similar transceivers → the same techniques apply (you might have to deal with encryption, though)

Slide 50

Thanks!
• Shout-out to my new coworker Chi, who helped me a lot
• As well as Kevin2600, who found some really good papers/inspirations to get me started in the RF world

Slide 51

Questions?

Slide 52

Links & References
• OSINT Reverse engineering of the ARFz – Marc Newlin
• Mousejack – Marc Newlin
• GW008 Drone reverse thread – @goebish
• Reverse Engineering a Quadcopter RC Series (4 parts)

Slide 53: no text (image-only slide)