Hacking

a Professional
Drone
Nils Rodday
rodday@arcor.de
https://de.linkedin.com/in/nilsrodday
 Goal

The goal of this talk is to give insights into the security of

Unmanned Aerial Vehicles (UAVs) and to show that professional
UAVs are not as secure as one might think.

2
Agenda
The UAV

Attacks

Live Demonstration

Remediation

Impact

Lessons Learned

Q&A
3
 The UAV – Specifications
25k – 30k €
30k – 35k $

3kg Payload
Add-ons 7lb Payload

Advanced 30 – 45min
Features Endurance

4
 The UAV

Telemetry Box XBee 868LP link

GPS Receiver
Data flow
Data flow 802.11 WiFi link (WEP)
Video link

Not connected
(two separate devices)
Data flow

2.4 Ghz
Remote Control
Remote Control link
©IEEE

5
 The UAV – Wifi focus

XBee 868LP link

GPS Receiver
Data flow
Data flow 802.11 WiFi link (WEP)
Video link

Data flow

2.4 Ghz
Remote Control
link

6
 The UAV – Wifi attack
Attacker's tablet

Communication route
after attack

Original
communication
route

Original tablet

7
 The UAV – XBee focus

XBee 868LP link

GPS Receiver
Data flow
Data flow 802.11 WiFi link (WEP)
Video link

Data flow

2.4 Ghz
Remote Control
link

8
XBee – Chips

9
10
 XBee – Reading the manual...

1. API mode
2. Broadcast
3. Remote AT
Commands

It's not a bug, it's a feature 

11
 XBee – Man-in-the-Middle Attack
Attacker

Communication route

5. Remote AT Command:

3. Remote AT Command:
after attack

Change DH + DL

1. Broadcast
Write
Original
communication
route

Tablet Remote Control UAV

©IEEE
12
 What´s next?

We can read/send data on the XBee channel.

But what does that data stream mean?

13
Decompilation of Android APK

14
Decompilation of Android APK
Decimal –> Hex
36 24
87 57
73 49
70 46
73 49
paramByte XX
paramByte XX
paramByte XX
.
.
.

15
 Example Commands

24 57 49 46 49 XX XX XX

24 57 49 46 49 89 89 89 (Start-Engines)
24 57 49 46 49 58 58 58 (Auto-Takeoff)
24 57 49 46 49 97 97 97 (Enable Autopilot)

16
Demonstration
Remediation – XBee Onboard Encryption

 Secures Data ONLY on the XBee channel

 Prevents Remote-AT-Commands
 Mitigates Man-in-the-Middle

18
Remediation – Add. Hardware Encryption

 Does NOT prevent Remote-AT-Commands

 Does NOT mitigate Man-in-the-Middle
 Ensures CONFIDENTIALITY
19
Remediation – Application-layer Encryption

 Does NOT prevent Remote-AT-Commands

 Does NOT mitigate Man-in-the-Middle
 Ensures CONFIDENTIALITY
20
 Impact

• Cost of attack: 40$

• UAV is currently in use
• Multiple manufacturers are using similar
setups

21
Lessons Learned
Use strong
encryption

Alter passphrases

Test your product

22
 Credits

Prof. Dr. Aiko Pras Ruud Verbij

Dr. Ricardo de O. Schmidt Matthieu Paques

Atul Kumar
Annika Dahms
23
 Nils Rodday

https://de.linkedin.com/in/nilsrodday rodday@arcor.de

24
 Hacking
a Professional
Drone
Nils Rodday
rodday@arcor.de
https://de.linkedin.com/in/nilsrodday
26
• Slide 5 & 12: Photo credit to: 978-1-5090-0223-8/16/$31.00 © 2016 IEEE

27