Photo by Mike Senese
Please note: The information presented here is for educational purposes. As with all guides covering network and computer security, the techniques should only be performed on devices that you own or have permission to operate on. This tutorial is designed to help users understand the security implications of using unprotected wireless communications by exploring its use in a popular drone model: the Parrot AR.Drone 2.0.
It’s illegal to access computer systems that you don’t own or to damage other people’s property. As we continue the public dialogue on drone regulations, it’s critical to understand as many aspects of the issue as we can to include social impact, policy, privacy and of course, security. We hope that manufacturers take steps to improve the security of their products and users continue to educate themselves on the capabilities and vulnerabilities of emerging technologies. Make: and the author take no responsibility resulting from the inappropriate or illegal actions that result from abuse of any of the techniques discussed.
==============
Quadcopters capable of transmitting high-quality video are making it possible to affordably record unique perspectives. But these “unmanned aircraft systems,” as the FAA calls them, have posed new challenges in security, safety, and privacy, and many experts caution pilots to consider the implications of increased drone usage. In addition to the concern of constant surveillance, there’s the possibility that businesses (or hackers) can collect location information from mobile devices by using roving drones.
As a result, a cottage industry is forming for anti-drone technology. These devices come in a range of sizes, from plane-mounted to handheld tools. I will show you how to build our own rig to execute a particular network-based attack against one type of quadcopter control: Wi-Fi.
A Word of Caution
While I won’t touch on signal jamming or directed energy, it’s worth noting that jamming creates serious safety risks and is illegal. Additionally, the computer-based techniques that we’ll cover should only be done on networks and devices that you own, or have permission to experiment on.
Why 802.11?
Wi-Fi is a key interface for many current quadcopters. Some use it as the interface between the controller and a tablet displaying mapping and telemetry data. A few drones, such as Parrot’s Bebop and AR.Drone 2.0, are entirely controlled via Wi-Fi. This type of system lowers the barriers to entry into the drone space since pilots can use their own devices for control, but it does create interesting security situations since existing network-based attacks can now be used against these devices. Modern drones are essentially flying computers, so many of the attacks that were developed for use against traditional computer systems are also effective. The AR.Drone 2.0 in particular has many impressive features and sensors that users can access, and its low cost makes it an ideal platform for experimentation and learning.
How it Works
The AR.Drone 2.0 creates an access point that the user can connect to via a smartphone. The access point that it creates is named ardrone2_ followed by a random number. This access point by default is open and offers no authentication or encryption. Once a user connects the device to the access point, he or she can launch the app to begin control of the drone. This process, though convenient for the user, makes it easy to take control of the drone. The AR.Drone 2.0 is so hackable, in fact, that there are communities and competitions focused on modifying this particular drone.
Our Test
Using a laptop computer, USB Wi-Fi card, and our new antenna, we’ll explore a very simple attack. Power on the AR.Drone 2.0 and have a friend fly it around using the app. After a few seconds, its access point should also show up in your available wireless networks. Connect to the network and start up your favorite terminal application. The default gateway address for this network will have an address of 192.168.1.1. You’ll be able to telnet to this address since the service is, unfortunately, left wide open on this system.
Telnet is an older protocol for accessing remote computers. At this point, you can explore the system, or shut it off entirely without the legitimate user knowing what’s going on. Using a combination of freely available network tools, you can easily perform all these steps from your computer.
Now we’ll look at how you might automate this attack with a Raspberry Pi, a touchscreen, and a couple of Bash scripts.
I used a great tutorial provided by Adafruit (learn.adafruit.com/adafruit-pitft-28-inch-resistive-touchscreen-display-raspberry-pi) to set up my Raspberry Pi with a touchscreen, so that I could launch my attacks with a click. Assuming that you have a Pi already set up, let’s walk through how you could automate this.
The first step is to log into your Pi using SSH.
Change directory to the Pi’s desktop (or wherever you want) so that the scripts are easy to find and click.
Using your favorite text editor, create a new file. I named this join_network.sh because I’ll be using this to make the Pi automatically join the AR.Drone 2.0 access point.
Add these 8 lines to your script. On line 7, enter the full name of the AR.Drone 2.0 access point. Once you’re done, save everything.
You’re now going to automate the connection that you tested before and send an additional command to shut the drone down. Start by creating another script. I called mine poweroff.sh.
Add these lines to your script. This initiates a telnet connection to the drone, which is located at 192.168.1.1, and sends the command of poweroff, which tells the drone (which is a computer after all) to shut everything down.
Now make sure that the scripts are executable. Do this by typing sudo chmod u+x filename. Check this for both of the files; we can verify that they are now executable by typing ls -la and looking for the read, write, execute permissions rwx associated with the file.
The two scripts are ready to use. Be sure that no people or fragile items are below the drone when you’re testing. Have fun!
Photo by Hep Svadja
Build a Cantenna
Boost your wireless signal with a directional antenna made from a can
In a wireless world, connectivity is king. A good antenna attached to your wireless device will boost your signal and dramatically extend your range. In less than an hour, you can build your own directional “cantenna” to connect to distant wireless hot spots or interact with wireless devices like some of the drones featured in this issue.
1. Calculate
The toughest part about this build is calculating the best location for mounting the radio connector, and the correct length of the wire element for ideal performance of the antenna. Fortunately, there are lots of online resources to help you with the math, such as csgnetwork.com/antennawncalc.html. The illustration below gives an overview of how the measurements are calculated.
Given the dimensions of the can, about 100mm in diameter, the Type N connector needs to be mounted 44mm from the bottom of the can. The frequency we’re interested in is in the 2.4GHz band, so the total height of the copper wire needs be roughly 31mm.
2. Measure and mark
Step shots by Brent Chapman
Measure 44mm up from the bottom of your can, and mark the position for the N connector with a permanent marker. (I measured 44mm down from the top of my cookie tin, which has a replaceable lid that I used as the back of my antenna.)
3. Drill holes
On the mark you made, drill a hole so that your N connector can fit snugly. It’s good to start with a small bit and work your way up until the hole is just large enough. Once you’re done, sand the area around the hole to ensure good contact with the connector.
Test-fit the connector and mark the 4 mounting holes. Drill these to match the machine screws you’ll use to mount the connector. Or skip the screws and just solder the connector to the can.
4. Solder the wire to the N connector
You need to prepare the connector before it’s mounted. Take a 4″ piece of straight copper wire — the straighter the better — and remove any coatings.
Now you’re going to solder that short copper wire to the top of the connector. It’s a little tricky; I used helping hands to position everything before soldering it in place.
After soldering the wire to the connector, test-fit again and then trim the wire to the distance you calculated in Step 1. In my case, that was 31mm.
5. Mount the Connector
If you didn’t solder the connector to the can, tighten the machine screws from the outside of the can into their nuts inside. If needed, you can cut the bottom off the can for access, then tape it back in place when you’re done. There — you have a brand new cantenna.
6. Connect to Wi-Fi card and enjoy
Screw the pigtail cable into your card and the N connector. Your cantenna is ready to use.
Going Further
You can add a coat of paint to make it more tactical, or add a handle or mount it on a tripod for precise aiming.
Other Drone-Related Possibilities
This is just the tip of the iceberg — there are a number of things that an attacker could do. These include modifying or deleting system files, intercepting video and sensor feeds, rerouting the drone to alternate locations, or a combination of these. Hacker and Maker Samy Kamkar, the person behind security projects like RollJam and MagSpoof, even released a project designed to allow an attacker drone to autonomously seek out any Parrot drones within Wi-Fi range, disconnect the real user and initiate a new connection that is controlled by the attacker drone. The end result essentially is an army of “zombie” drones.
We also tested a range of drones at the Make: office that rely on some form of Wi-Fi connectivity for their operation. All of the drones tested were susceptible to deauthentication (deauth) and disassociation attacks, which forced all users off the drone’s access point, resulting in a loss of connectivity to the drone.
Beyond Drones
Photo by Hep Svadja
The DIY “cantenna” is incredibly useful for vastly extending range of connectivity. Using the Raspberry Pi rig we’ve just assembled, an attacker could reprogram the computer to perform a number of attacks, such as a deauth attack against a coffee shop hot spot. How is this useful? Well, consider the following scenario: An attacker sets up a fake access point called “Better Wi-Fi” that is designed to collect credentials. Customers are content using the real coffee shop’s connection so there’s no reason for them to join the attacker’s fake network. Knowing this, the attacker uses his rig to deliver the deauth against the real access point to force all the users off. The users can no longer reach the real access point, and in need of internet connectivity they connect to the evil (but convincing sounding) hot spot and their account credentials are collected.
How to Protect Yourself
The first step, of course, is educating yourself on the capabilities of your drone, its limitations, and good security practices. There are advantages to using Wi-Fi, for example, as the means to control machines, but there are many things to consider from a security point of view, such as wireless security protocols, encryption, and open ports. For more sensitive applications, there are far more secure options when it comes to command-and-control. Always ask permission and tinker safely!
this article assumes the drone’s wifi is left unsecured, which 90% of drones won’t have, all drones have an option to set a passkey and WPA security etc.
Assuming the WIFI is open, why not just use your phone? Plenty of telnet clients available for free (you’d just need to telnet in and run poweroff, skipping 90% of the work in this article). Since the drone’s operator is supposedly using a mobile phone to control it you’d just have to be as far from it as he/she is and you could get control (no need for antenna).
Thirdly, running poweroff through telnet won’t work on all but a few drones, it’s not a catch-all.
It didn’t assume, it used the available example and didn’t generalize past that.
+1 Hah! I see the law of unintended consequences applies. The FAA made a power grab on the definition of “aircraft” so, technically, you’re absolutely correct! Little jimmy in his bedroom with a quadcopter is subject to 5 years in jail and a 10K fine if he steps on it and breaks a roto
Parrot updated the Bebop’s OS in April’16..try this now. Additionally, if the attack disables a FAA registered drone (or one operated by a registered operator) the attacker is risking fines and imprisonment. Today’s laws do not fully differentiate between drone aircraft and full-sized passenger aircraft..yet. Drones are the Newsman’s new theme song..they love to paint hate. https://www.law.cornell.edu/uscode/text/18/32
Hah! I see the law of unintended consequences applies. The FAA made a power grab on the definition of “aircraft” so, technically, you’re absolutely correct! Little jimmy in his bedroom with a quadcopter is subject to 5 years in jail and a 10K fine if he steps on it and breaks a rotor.
Of course it would never be prosecuted, but the FAA really shouldn’t have promulgated things this way, but made a sensible framework. They just don’t seem to be adapting very well, although more recently progress seems to be ramping up.
oh its way worse than that. the Definition of an aircraft according to http://www.faa-aircraft-certification.com/faa-definitions.html is ” Aircraft. A device that is used or intended to be used for flight in the air.” you could argue that since a baseball flies through the air after being thrown that it is a device intended for flight in the air therefore if the batter hits or even attempts to hit the ball with the bat he has interfered with the flight of an aircraft and committed a felony according to federal law
https://www.law.cornell.edu/uscode/text/18/32
Fortunately the courts have not interpreted it that way, but yeah, I’d like a total stem-to-stern redo on the FAR’s.
A baseball would be a stretch since it does not generate lift adequate to glide, nor is it propelled by an engine. A Frisbee however is in fact intended to fly. Your point is a good one none the less, there have been cases that seem to defy sanity in the past; not specific to FAA law. There is, however, a concept that judges must consider called “Jurisprudence”, one could easily argue that such a case would violate both ‘Natural Law’ and ‘Legal Realism’. Any attorney worth a dollar would be able to have the case throw out.
I agree with what you are saying. the problem with the law is it is so broad. its how you define the parameters, after all a hot air balloon is not propelled by an engine but you would class it as an aircraft. where as an AR drone as mentioned above cannot glide if you remove power it falls from the sky. so does it fail to be an aircraft because it cannot generate lift adequate to glide as you say about the baseball. The FAA definition I posted above is way too broad a definition it allows for misinterpretation as I have deliberately done above. its not just an American failing either here in Britain the government has instigated some stupid laws that are way too broad in their wording. for example a new law that comes into effect at the end of May 2016 effectively bans gasoline and makes anyone selling it a drug dealer. the psychoactive substances act defines an illegal substance as ” a substance that produces a psychoactive effect in a person if, by stimulating or depressing the person’s central nervous system, it affects the person’s mental functioning or emotional state; and references to a substance’s psychoactive effects are to be read accordingly.” since inhaling Gasoline produces hallucinations it is a banned substance according to the letter of the law. now I realise that this goes against the intent of the law, the point is that the law as it stands does not allow interpretation as yet
I think that the judiciary are being deliberately vague in the wording of the laws to enable them to cover all bases and that case law will eventually sort the situation out but at the moment its a mess
It appears that there’s two laws at play: the “spirit of the law”, and the “letter of the law”.
There’s a law in Hawaii that states if you put a blue colored light “upon” your vehicle/motorcycle/bicycle that you are in violation of the law. The exception being if the light was OEM.
This means if I change my factory radio to one that has a blue volume knob, I’m in violation of the law. This would be the “letter of the law”. Of course, if I were ticketed, any reasonable judge or magistrate would throw this out because the intent of the law was to make it illegal to add blue lights to your vehicle to appear as a police officer. Clearly, only changing the radio is not violating the spirit of the law.
This is one reason I hate “vague” laws. On the other hand, if it were written specifically and explicitly, law books would be even more full of indecipherable text and language that nobody would be able to understand.
I would point out that a baseball is ALL about the use of lift. That is what makes it’s trajectory change, it is a difference of degree, not kind, from the Frisbee. {Which also has no engine}
but to make the analogy even worse, after the ball IS hit, catching it in the air would also be a crime. :-)
Never be prosecuted. Yes it will. Let’s see… get good video. Post video on YouTube. Video goes viral. FAA decides to make an example. Four (4) steps to becoming a felon. The guy flying the quad gets a misdemeanor. The guy ‘shooting it down’ gets the FELONY. The guy who built this project is the guy who gets screwed.
Would this same principle apply to hijacking a bluetooth speaker? A bunch of people where I live are a bit too fond of blasting music over their bluetooth speaker bricks, and attempts at diplomacy haven’t yielded any fruit. I figure a few 13500 hertz tones at their volume of choice ought to teach them a valuable lesson about playing their music too loud.
Well, as much as it’s probably a just application, you’re still in legal hot water if you’re ever caught. Bluetooth pairing is different, but can be either pretty well guarded or laughably easy to infiltrate, depending on the particular device.
Generally speaking, the longer and more detailed the disclaimer, the better the project.
Amen :P
Awsome tutorial!!!
Isn’t this special. An active duty Army Cyber Warfare officer provides a step by step guide to doing something illegal, trying to cover his behind by saying, “the computer-based techniques that we’ll cover should only be done on networks and devices that you own, or have permission to experiment on.” Effectively, he’s saying “here’s how to hack into a particular wifi network but, gosh, don’t do it unless it’s your own network.” Isn’t there an Army standrad of conduct ethics rule that would cover this?
You fail to understand how cyber security works. Much like our current crop of politicians. If anything this soldier has improved security by raising awareness. Obscurity is not security, it simply does not work that way. Trying to quash bug reports or criticism of these systems provides fertile ground for exploits and defeats the objective of security.
And the 1st amendment also has something to say on the matter, which in my mind also points out the strength of a republic. Open expression is security.
You fail to understand how being on active duty affects what you can say and do in the public sphere. Crying ‘the 1st Amendment!’ won’t help. Seen it many times, and open expression is not generally loved when it runs counter to what your higher-ups want.
You assume however that this is contrary to what his higher ups want.
Dude, this is basic computer security stuff….it has nothing to do with military technology. Completely unrelated.
Thanks Make: all the users of WiFi drones now have a get out of jail free card .”you see your honour someone following the instructions detailed in Make: took control of my drone flew it out of my control and caused it to crash, I was flying perfectly legally up to that point but lost control due to some idiot with a jammer” now prove it didn’t happen that way
The court, or whoever is taking you to court, doesn’t have to prove someone jammed your drone and caused it to crash. All they have to prove is your drone crashed and caused damage to them or their property. You have to prove it wasn’t your fault, and good luck with that.
Cars can be taken control of by a hacker also, but good luck trying to say the reason you were speeding or rear-ended someone is because a hacker took control of your car. Especially if you don’t have any proof.
So I want to catch the local cellphone signal with an antenna like this and bring it into the house so my phone has signal . Can this be done?
In theory, yes. In practice, not so much. The problem is that either you have a passive re-radiator, which is inherently lossy to the point that it’s fairly useless, or you’re talking about a BDA or similar device, which has to be professionally installed (or the FCC may come knocking).
Instead you might want to investigate using wifi calling, most carriers are providing that option, and it apparently is working pretty well.
The 2450 GHz band is technically a civilian free-for-all frequency for unlicensed low power use. As such if your 802.11 controlled drone suffers interference and goes out of control and crashes because of somebody’s Wi-Fi usage….well you are using a public frequency after all… Note that the same jamming principles can be used to screw up US military drones – you can bet the Chinese, Iranians and Russians know how to do that….
Not in the US. It is an amateur radio band that non-hams are secondary users of, limited in power. It’s also illegal to jam on ham radio bands, which generally gets a , but if someone jams an aircraft in flight, they are liable for both damage to the aircraft, and damage to whatever (or more importantly WHOever) gets hit when it comes down.
I think what he is trying to say is that because it is a public frequency, it will be hard to prove that someone intentionally jammed your drone vice you ran into interference caused by another law abiding citizen.
Drones: responsible for horrible carnage and pizza delivery! https://www.youtube.com/watch?v=zoao_TPtvnA
So go ahead and jam someones drone, so they lose control of it, and because they no longer have control of it, it flies out of control and crashes into someone nowhere near where the pilot was flying, possibly even a child. That will solve the problem.
The vast majority of multi-copters and radio controlled aircraft are not controlled by Wi-Fi and a better device to disable the drone is just to point your finger at the drone and say “Bang! bang!” I won’t work, but you will not have wasted the effort to build a useless device.
Right on. Cool article. Provides insight into other potential projects. Thanks
This can be purchased here http://ali.pub/ln9i1
http://dronkayit.com/
Drone Hakkında her şey
Drone Kayıt http://dronkayit.com/
http://dronkayit.com/
Thanks for posting
Practical suggestions – Incidentally , if your company is searching for a WI F-00036 , my company filled out and esigned a template form here
https://goo.gl/ynUq3tah yes.. just standing there with your HIGHLY DIRECTIONAL, beam formed antenna, trying to keep pointed at your targets every move, bounce, elevation change, PARROT AR Drone or BeBop…you know, the ones with up to TEN WHOLE MINUTES of flight time, keeping your 2.4 GHz signal on point and strong enough for your silly script-kiddie BASH scripts to connect, login, and then send your “shut-down” scripts ??
Bring it on, I’ll even hover mine, at 25 ft altitude (AGL) for the entire battery life so you can come out, get close, and then violate several laws trying to disrupt my communications link and crash my toy drone…
BUT…consider this before you try, I fly legal, and my “real” drones will be the ones you maggots are chasing, and the only 2.4 Ghz signal they use are Frequency agile Spread Spectrum and 5.8 Ghz video feed links…and I also am a legal concealed carrying “pilot”… aside from whatever I might be carrying, my favorite “persuader” is a re-purposed fiberglass axe handle..
The short version of the legal blurb should read… It is a misdemeanor for someone to overfly your property or otherwise fly their drone illegally. it is a FELONY to do what this article says on two counts. First, to disable/crash/or whatever you might cause the vehicle to do, and 2) Jamming is illegal (OK, it is questionable that this is jamming… but a good lawyer could probably make that case). Current laws don’t distinguish the difference between manned and unmanned air vehicles. How quickly can you become a felon? Some Mom bitches to the police that you caused her kid’s quad to crash. Yes, that quick… you become a felon.
I have a feeling context is going to play a big role in these types of cases. If you are at a park and crashing people’s drones for fun, yes you will become a felon. However, if you use this to crash your neighbor’s drone while he is taking pictures of your 16 yr old daughter in a bikini in the backyard, or of her changing in her bedroom….I have a feeling you will get a slap on the wrist, if anything at all. Granted you run the risk of getting a judge who doesn’t care and slaps you with a felony anyway, but I will be surprised. Especially if you are able to recover the video footage from the drone showing what he was recording.
You are awesome , its very amazing text , i will share it all my friends and my family, i am sure they will excited with this. You are amazing. I am sure this device can hijack all drones , its look very powerfull , i will share it my web site , you can look http://zekagelistirenoyunlar.com
This is a nice wifi tutorial check for swisscoin tutorial here http://larryfranky.com
Wondering if someone could help, no matter what i change when i run the above script (with my drone essid on line 7) i get
wpa_supplicant : no process found
dhclient: no process found
and the script ends.
i cant even get into the drone to run the poweroff script..
any1 able to explain this to me to help me understand how its working and why its doing it
If I could quietly and quickly disable the stereo in the car next to me with the open windows and big speakers playing extra loud music of a type that I find disagreeable….
Just because you can, doesn’t mean you should. Be warned that beyond possible legal issues, disabling an airborne drone is dangerous. Multi rotor drones are essentially flying lawnmowers with almost no physical safety guards….don’t be ‘that guy’
great post https://www.tricksclu.com
Hi I’m new to this, for the drone killer program, do I need to program the raspberry pi myself or is there a way I can download it?
great.. i love this
But where do i find a goth girl for my deauth project?
Nice
Andhra Pradesh Engineering, Agriculture & Medical Common Entrance Test (EAMCET) is held by Jawaharlal Nehru Technological University, Kakinada on behalf of Andhra Pradesh State Council Of Higher Education (APSCHE).
AP Eamcet Results 2018
great
Can you make a video please. It’s rather confusing and better if there was a visual step-by-step guide. :)
Wow really amazing article really liked it. Now I’m going to make a drone by myself at my home.
Send this to a friend