00:00:00.367,00:00:27.127 >>This is Aaron Luo. [applause]. Good luck. >> Er, go –good 00:00:27.127,00:00:33.934 afternoon ladies and gentleman and thank you for coming, I 00:00:33.934,00:00:37.738 Aaron. Today I going to talk about drone hijacking and, er, I 00:00:37.738,00:00:47.047 going to enjoy this event. This event is my first time 00:00:47.047,00:00:53.854 presenting in Defcon and er, er, actually [applause], er, thanks. 00:00:53.854,00:01:01.695 Actually, I a little nervous now because, er, you know, first 00:01:01.695,00:01:10.203 time so [laughs] and er, this is my first time use English to 00:01:10.203,00:01:19.947 presentation. So, so, so, so, er, I know it’s hard to decode 00:01:19.947,00:01:23.116 my English, so please bear it and…okay… let me start with er, 00:01:23.116,00:01:27.788 brief self- introduction. Er, my name’s Aaron as I mention 00:01:27.788,00:01:37.931 before. And er, currently I er working in Trend Micro. Er, and 00:01:37.931,00:01:48.709 , er I come from Taiwan also, also HIT count member, a hacker 00:01:48.709,00:01:58.585 community in Taiwan and er, this this year he can’t also benefit, 00:01:58.585,00:02:18.705 enjoy the Defcon CTF and er, I do want to tell a story about, 00:02:18.705,00:02:26.513 about , er, about, why,er, I start my security research life 00:02:26.513,00:02:35.522 since 2005. Please also because of [inaudible] deal, in my 00:02:35.522,00:02:41.762 fifteen years or so I decide to development IT and, er, , er out 00:02:41.762,00:02:43.830 of blue or madness, I don’t know why I decide I don’t like that, 00:02:43.830,00:02:50.003 but if only I finish the , er, darkdoor when 16 years old, and 00:02:50.003,00:03:02.949 , er, and, er, and er, list IT for me to remote [inaudible] 00:03:02.949,00:03:11.258 machines …. He also offer some nice functions,er, such as you 00:03:11.258,00:03:16.263 can see if someone want to [indistinguishable] or, or, look 00:03:16.263,00:03:26.073 some functions or see remote desk top screen. Or, but trust 00:03:26.073,00:03:32.779 me, I just only play this summer. I’m my own VA so no one 00:03:32.779,00:03:43.490 impact. Okay, oh sorry I [indistinguishable] you know. 00:03:43.490,00:03:51.765 Er, after I creating the darkdoor management web server then I 00:03:51.765,00:03:54.901 join the Taiwan government cybercrime investigation 00:03:54.901,00:03:59.272 department with Kang [indistinguishable]. Then I 00:03:59.272,00:04:05.745 joined Trend Micro cyber 15 solution team so, I think the 00:04:05.745,00:04:16.223 dark door is the beginning of everything. Okay, er, this 00:04:16.223,00:04:21.962 enough my self- introduction….. let’s start, let’s start 00:04:21.962,00:04:28.768 hacking. This, er, this is, today’s agenda. I will 00:04:28.768,00:04:35.208 introduc-introduce the drone architecture and, er, and the 00:04:35.208,00:04:41.781 point of the vulnerability component. After I will demo how 00:04:41.781,00:04:49.122 to hack it and provide, er, er, prevention solution. The talk 00:04:49.122,00:05:03.403 will then be showing the G Hub. Er, today our topic is… the 00:05:03.403,00:05:13.246 DJI-Phantom 3 Advanced. This, this drone render is popular, is 00:05:13.246,00:05:20.787 popular and, er, I think the drone architecture is a similar. 00:05:20.787,00:05:27.194 So, if you know how to, er, exploit this drone, you may take 00:05:27.194,00:05:39.139 this same tech to hack another drone. Okay, let’s talk about 00:05:39.139,00:05:47.447 the structure of this drone. Er, there are three main model: er, 00:05:47.447,00:05:56.389 drone itself and the remote controller and,er, app SDK 00:05:56.389,00:06:04.297 [indistinguishable] vulnerable and easy to exploit. Er, I think 00:06:04.297,00:06:10.737 it’s er usually find in radio remote controller and, er, GPS 00:06:10.737,00:06:23.650 model and, er, app SDK. First, we, we, search for vulnerability 00:06:23.650,00:06:33.260 from TJI, TJI app and SDK. You can see the operation process in 00:06:33.260,00:06:45.672 this image. First the TJI develop app will makes a request 00:06:45.672,00:06:48.275 activation data from TJI authentication server. Then the 00:06:48.275,00:06:52.779 remote controller use USB to transmit data. Final drone, 00:06:52.779,00:07:10.330 drone will fly if can find the activation data. Er, actually, 00:07:10.330,00:07:15.568 actually presentation is not speciality so, so I’m really 00:07:15.568,00:07:22.475 very, er, nervous and er, er, now I want to introduce how to 00:07:22.475,00:07:28.548 correct the SDK authentication mechanism. First, er, we have 00:07:28.548,00:07:37.457 downloaded SDK from DJI website, then, er, then er, this 00:07:37.457,00:07:45.865 [indistinguishable] I choose actually SDK so it is, er, JAR 00:07:45.865,00:07:50.236 file. You can find the key function with JDGUI and, er, I 00:07:50.236,00:07:56.776 found the function, it calls check permission. This function 00:07:56.776,00:08:05.218 will, will be called by, by a when you open the app, it will 00:08:05.218,00:08:08.688 call, it will call this function. So, we just need to 00:08:08.688,00:08:14.761 patch this, er, function, then we then we are, we know to 00:08:14.761,00:08:27.841 bypass the, the authentication mechanism. So, how to patch this 00:08:27.841,00:08:36.016 function. Er, I think this part is easy, you just use JBE. JBE 00:08:36.016,00:08:43.523 is a java byte code editor and er,er, find, find, er, just 00:08:43.523,00:08:57.103 mention, er check permission function then, then I, I replace 00:08:57.103,00:09:04.377 the check permission directory to, to SDK level 2. It means we 00:09:04.377,00:09:14.721 can directly use the level 2 SDK, er, I forgot to tell you 00:09:14.721,00:09:23.463 about the SDK permission. Zero- it mean you have no permission 00:09:23.463,00:09:34.074 and for SDK level above the, bigger than zero, then it mean 00:09:34.074,00:09:43.149 you have the SDK permission so I just save it to, to er, to, to , 00:09:43.149,00:09:52.192 er, 2. Then return. After patch this function you can, you can 00:09:52.192,00:09:59.165 recheck [indistinguishable] JDGUI then you can see the SDK 00:09:59.165,00:10:10.977 level directory, return to and , er, this SDK is, SDK 00:10:10.977,00:10:17.817 authentication mechanism is easier to hack but I think it is 00:10:17.817,00:10:23.022 simple but powerful because all kind of DJI drones can be affect 00:10:23.022,00:10:37.103 by this, by this vulnerability. Er, now I demo, I demo how to 00:10:37.103,00:10:45.445 use this, this vulnerability. Er, at first we can… Oh sorry, I 00:10:45.445,00:11:32.158 check the video. Wait a moment. Oh, okay, okay, thank you, thank 00:11:32.158,00:11:42.735 you. Er…er, after we crack the SDK we can directly connect to 00:11:42.735,00:11:48.908 the app and look the camera data. So, this, you can see the 00:11:48.908,00:12:00.320 camera so this is really work and er…next demo I will show 00:12:00.320,00:12:05.391 how, how to use this vulnerability to impact the 00:12:05.391,00:12:19.072 drone. Er, I develop, er, a app by the SDK and er, this, contain 00:12:19.072,00:12:29.148 contains some er, API can be call, like er, we can, er 00:12:29.148,00:12:37.724 take-off or landing and for this I, I use the take-off function. 00:12:37.724,00:12:46.132 Then I press the button, the drone just be take-off and then 00:12:46.132,00:13:10.957 I press the landing button. The drone is landing. And, er, I 00:13:10.957,00:13:18.931 also use this feature to, er, write a function, it can, it can 00:13:18.931,00:13:29.842 fly drone into the location we submit [indistinguishable]. ……at 00:13:29.842,00:13:35.415 first I input the GPS location and then I press the fly to 00:13:35.415,00:13:43.956 here, fly to there. The drone fly to there. But actually this 00:13:43.956,00:13:54.967 SDK er, er have some , have some limitation, er because this demo 00:13:54.967,00:14:00.973 I just use cracker a SDK, er this, this means I, I don’t need 00:14:00.973,00:14:09.215 to to connect to the authentication server I can 00:14:09.215,00:14:29.702 directly this, use this SDK. Er, so how to prevent or improve 00:14:29.702,00:14:41.314 this. The vendor can protect their library firewall by either 00:14:41.314,00:14:56.329 use obfuscator or packer. Or use the the encry- encryption tool 00:14:56.329,00:15:00.533 to void the SDK authentication keep between X and drone and 00:15:00.533,00:15:04.437 server now only just void the front [indistinguishable] 00:15:04.437,00:15:28.494 server. Okay, this is intro session, firmware, analysis. Er, 00:15:28.494,00:15:36.602 how to analysis the firmware we can use bin walk extract some 00:15:36.602,00:15:51.751 data but actually it’s limit. So, so, er, we we use IDA pro 00:15:51.751,00:15:59.525 tool analysis incomplete data extracting by the bin walk. And 00:15:59.525,00:16:06.098 use string reference to find the key function. The function 00:16:06.098,00:16:14.040 decide to check the firmware, we can use it to reverse the 00:16:14.040,00:16:25.751 firmware format. Actually this decode function is very big. 00:16:25.751,00:16:35.595 Please forgive me for not explain, explain the detail. 00:16:35.595,00:16:45.304 And, er, finally we can, we can extract each function which 00:16:45.304,00:16:50.843 contain detail information including the measuring of ID 00:16:50.843,00:17:04.757 and module name and the binary name. And after that I shared 00:17:04.757,00:17:27.546 the UBI file system from from PFC300SFw3 dot bin by er, by by 00:17:27.546,00:17:38.991 using old password. And er, an er then we can extract some 00:17:38.991,00:17:50.403 interesting things from firewall systems. For example the SSH key 00:17:50.403,00:17:58.744 and, er, and, er some, and er some config-configuration data. 00:17:58.744,00:18:06.586 And er, if you want to know the loop and as well you can view 00:18:06.586,00:18:17.730 the X shot to create this file. Okay, er, I will introduce how 00:18:17.730,00:18:25.338 to prevent or improve this this part. Actually I think, just 00:18:25.338,00:18:31.043 increase the firmware binary but still need ec, extra careful 00:18:31.043,00:18:38.784 about storage place must be safety and er this side and 00:18:38.784,00:18:51.097 should careful of the side channel attack. Okay, this is 00:18:51.097,00:19:07.680 the end of firmware analysis. The next section is signal 00:19:07.680,00:19:09.849 analysis. How to analyze the radio signal, er, just by the 00:19:09.849,00:19:18.157 SDR SDIs software define radio. The two on top are hacker-Ive, 00:19:18.157,00:19:24.296 the, the bottom one is,er, blade hive. Er, by the way, this all 00:19:24.296,00:19:31.303 available in Defcon vendor area, so if you interesting with this 00:19:31.303,00:19:51.157 you can buy from from vendor area. And,er, we found DJ PA 3 00:19:51.157,00:19:59.799 used two modulation/demodulation to transfer data with 2.4GHz ISM 00:19:59.799,00:20:06.205 band. I will introduce this detail later. One modulation is 00:20:06.205,00:20:10.876 used to control the flying duration of drone like, er, 00:20:10.876,00:20:18.884 flying up down left or right. You can observe it is SFHSS 00:20:18.884,00:20:29.161 frequency hopping and the frequentation range is about two 00:20:29.161,00:20:35.367 dot four gigahertz to two dot four eight gigahertz, and er, 00:20:35.367,00:20:45.711 each channel is about one megahertz bandwidth. The other 00:20:45.711,00:21:01.093 modulation use DSSS,er, it is direct frequency duration and er 00:21:01.093,00:21:08.200 it that drone to transmit images to remote controller. The 00:21:08.200,00:21:17.443 frequency is, er, about 2 dot forty fifteen to about two dot 00:21:17.443,00:21:22.248 forty eight fifteen gigahertz. Each, er, channel is about ten 00:21:22.248,00:21:31.257 megahertz bandwidth. And, er, finally we found the image has 00:21:31.257,00:21:36.896 no check sound mechanism, so we can jamming the radio frequency 00:21:36.896,00:21:42.668 to show wrong image to controller. Er, let’s see the 00:21:42.668,00:21:54.513 demo. This is, er, the program I development. It can, it can 00:21:54.513,00:22:01.287 jamming, jamming the radio signal and show blue, er, green 00:22:01.287,00:22:12.598 screen to the , to the, to the DJI F system. And, er, how to 00:22:12.598,00:22:23.976 prevent or improve this. I think just validate the image 00:22:23.976,00:22:30.316 checksum, if checksum is wrong er, just don’t show this image. 00:22:30.316,00:22:37.056 Or, or you can transfer the image data by a sound metric 00:22:37.056,00:22:46.265 encryption, but, but, it can more performance, er, actually I 00:22:46.265,00:22:53.205 think just add er checksum is enough because reverse 00:22:53.205,00:23:06.852 modulation / demodulation, er, is not easy. And, er, let’s move 00:23:06.852,00:23:17.596 to next section. The GPS modules analysis. The GPS modules is 00:23:17.596,00:23:25.904 general way to hijacking the drone and,er, GPS protocol is 00:23:25.904,00:23:26.805 not encrypt. Er, GPS protocol if use for commercial is not 00:23:26.805,00:23:43.422 encrypt is call C /A for commercial, er, there is, there 00:23:43.422,00:23:49.528 have another GPS protocol call: Pcode. Pcode is for mainstream 00:23:49.528,00:23:59.238 so no more commercial can use this encryption, no. Er, so, so, 00:23:59.238,00:24:09.081 every every commercial usage, the GPS is, er, is er, easier 00:24:09.081,00:24:22.494 being attacked by attacker, er, attacker can easy to fake this. 00:24:22.494,00:24:26.899 And er, I will finish off with which function is associate with 00:24:26.899,00:24:34.907 the GPS. In these slide have four function will impact by 00:24:34.907,00:24:46.418 faking the GPS. One is: no fly zone. No fly zone mean DJI have, 00:24:46.418,00:24:56.662 say many place to the no fly zone like, like the airport or 00:24:56.662,00:25:04.336 some important place so if you fake the docket, if you are in 00:25:04.336,00:25:10.109 airport or some important place the drone will be a false 00:25:10.109,00:25:16.715 landing. And, er, another function is return to home. 00:25:16.715,00:25:25.657 Return to home mean: if you press the return to home, the 00:25:25.657,00:25:29.161 drone will return to original point. The other function is 00:25:29.161,00:25:34.166 called follow me. The follow me is the, is the function…it means 00:25:36.735,00:25:41.740 if you move, the drone will, will er also move. So the drone 00:25:47.446,00:25:52.451 always follow you. And the la -latest function is way point. 00:26:05.564,00:26:10.302 The way point means: you can setting the mutual location and 00:26:10.302,00:26:11.804 drone will go each location for four function will be impaired 00:26:11.804,00:26:20.512 by fake GPS. Now I will introduce how to spoof the GPS 00:26:20.512,00:26:26.819 location. They have a good open source simulation directory in 00:26:26.819,00:26:34.159 GitHub called GPS SDR. But, it have some limitation. Before you 00:26:34.159,00:26:38.897 want to fake a location you should wait for a few minutes to 00:26:38.897,00:26:44.369 generate the IQ data. What is the IQ data? IQ data is,er, if 00:26:44.369,00:26:50.042 you want to play SDR you must, you must build a IQ data for, 00:26:50.042,00:27:01.453 for, for, modulation. And er, er, so we improve the code, that 00:27:01.453,00:27:08.427 it can in real time generate the GPS signal. And, er, can be 00:27:08.427,00:27:13.365 control with the joystick, that is mean you don’t need to wait 00:27:13.365,00:27:18.270 five minute or a few minute to generate the IQ data, you can 00:27:18.270,00:27:27.613 directly, real time fake the point. And er, this is the, er, 00:27:27.613,00:28:23.902 demo. Er, wait a moment, sorry. You can see I use the joystick 00:28:23.902,00:28:30.275 and it can directly impair the GPS location. When I, I move to 00:28:30.275,00:28:37.549 left you see the GPS point is move to left. And, er, I move to 00:28:37.549,00:28:45.757 other side, the GPS points is move to other side. Then I move 00:28:45.757,00:28:54.499 to right side, it just move to, to right. So we can use this, 00:28:54.499,00:29:09.581 this joystick to, to impair the GPS location. [applause] Oh, 00:29:09.581,00:29:24.329 thank you. And now I demo to fake landing the drone by fake 00:29:24.329,00:29:29.034 location into the no fly zone. You can see the other side the 00:29:29.034,00:29:39.778 red circle is the no fly zone and the er…I open the program 00:29:39.778,00:29:46.785 then, then, its need to we need to wait a few, a few seconds 00:29:46.785,00:29:53.225 because, er, GPS, fake GPS should should, take, er, take 00:29:53.225,00:30:03.635 er, some times to update the, the satellite track. And the, 00:30:03.635,00:30:10.475 er, er, it is take about, third-thirty minutes, er, thirty 00:30:10.475,00:30:16.715 second, so you can see finally the drone is in the, the no fly 00:30:16.715,00:30:27.693 zone then drone take down. This demo also is being paced in, in 00:30:27.693,00:30:33.231 paced [indistinguishable] account so so I just want to, er 00:30:33.231,00:30:38.270 demo, demo this again, because I think someone maybe now seeing 00:30:38.270,00:30:57.889 this and er… and er I want to demo the er use the joystick to 00:30:57.889,00:31:10.769 hijacking the drone. Er, I open the DJI follow me function and 00:31:10.769,00:31:18.310 you can see I not touching the the remote controller. Then I 00:31:18.310,00:31:27.652 move the joystick can directly move drone to to location I want 00:31:27.652,00:31:39.965 the drone to er, like I, I move the joystick to the, to the my 00:31:39.965,00:31:54.045 side drone to take to my side. Then, then I just forward this 00:31:54.045,00:32:01.419 for a few times. And er, er, finally use joystick and easy, 00:32:01.419,00:32:17.335 easier to, to to control the drone. But finally the drone 00:32:17.335,00:32:23.108 just er, er, move to to far place I can’t control so I 00:32:23.108,00:32:35.654 switch to my, to my remote controller. Then, er, because 00:32:35.654,00:32:46.331 this drone is, our company, our company er, I turn so I can, 00:32:46.331,00:32:54.606 I can fly then to this er, I can then disappear. So, finally I 00:32:54.606,00:33:00.879 use er, er, the AC controller and get back the control. But 00:33:00.879,00:33:09.254 actually you can, if you want, you can let the AC controller 00:33:09.254,00:33:13.525 now work. You just jamming the er, two dot four gigahertz 00:33:13.525,00:33:20.131 frequency then control module will be lost. That time you can 00:33:20.131,00:33:32.777 use the hijacking program to fully control the drone. And er, 00:33:32.777,00:33:50.962 I want to introduce how to detect the fake GPS signal. The 00:33:50.962,00:33:56.434 one way er, is avoid the GPS sub-frame data, sub-frame data, 00:33:56.434,00:34:05.677 er, is data sent by GPS satellite which contain the 00:34:05.677,00:34:13.218 satellite track information. But fake GPS sub-frame data will 00:34:13.218,00:34:22.894 incorrect, er, like this. This is the sub-frame data and you 00:34:22.894,00:34:28.400 can see the upside sub-frame data is, er, is, er, true 00:34:28.400,00:34:34.039 satellite data and the the down side is the fake GPS satellite 00:34:34.039,00:34:42.213 data. You can see something is wrong. So you can, you can void 00:34:42.213,00:34:53.325 the sub-frame data to, to check the signal is fake or real. But, 00:34:53.325,00:34:59.864 I know you must, you must think if I just recall, replay the GPS 00:34:59.864,00:35:05.904 data the sub-frame will be correct, yes it is. But, er, we 00:35:05.904,00:35:14.646 have another solution, when when you . when you, er, recall and 00:35:14.646,00:35:21.586 replay the GPS, you can use, er, time, you can void the time 00:35:21.586,00:35:25.790 between satellite time and the real time. Because if you recall 00:35:25.790,00:35:33.698 and replay the time will be wrong. So, this is another way 00:35:33.698,00:35:43.341 to detect a fake GPS signal. And er, another way is, er, check 00:35:43.341,00:35:51.316 the motion speed between point to point. Er, for example, it is 00:35:51.316,00:35:55.754 impossible to change your location from Taiwan to Las 00:35:55.754,00:36:11.336 Vegas in one second, unless you are dynamo or sonic. And er, er 00:36:11.336,00:36:21.046 finally, I development a fake GPS signal device by just measuring 00:36:21.046,00:36:27.552 ways and the, I, er, develop it in the raspberry P, raspberry 00:36:27.552,00:36:40.131 pi, and er er, I buy a GPS in module, is a popular module called 00:36:40.131,00:36:51.142 U-blox. This this the demo of the tool I create. You can see, 00:36:51.142,00:36:55.914 er, this is raspberry pi and this is ,er, my phone controller 00:36:55.914,00:37:03.955 hack of device. And I transfer some fake GPS data and now, now 00:37:03.955,00:37:08.059 now it’s no more because the fake GPS, they come, will take a 00:37:08.059,00:37:28.847 few time to affect. Er, er about about thirty minutes. And er, 00:37:28.847,00:37:41.559 er. Wait a moment. I don’t know why my screen is become black, 00:37:41.559,00:37:51.936 er, er. I…wait a moment. I press this, okay? Is the screen being 00:37:51.936,00:38:01.279 hacker? Oh, [laughs] [inaudible]. Er, no problem, I 00:38:01.279,00:39:21.426 just er take the… I think today is unlucky. Er. Wait a moment. 00:39:21.426,00:39:23.561 [inaudible] oh, er. Oh, so it’s the sound people 00:39:23.561,00:40:16.147 just…[inaudible] oh er…oh, I need screen to er…[inaudible]. 00:40:16.147,00:40:30.428 >>…these guys lost the signal… >>Oh okay. [inaudible]. >>Sorry 00:40:30.428,00:41:31.889 for the interruption, guys, we have A- AV tech is on the way, 00:41:31.889,00:41:37.929 erm, and they should be able to fix this. Thanks. >>Actually 00:41:37.929,00:41:43.968 this is not my computer be hack, so I have nowhere to start this 00:41:43.968,00:41:47.672 attack because my computer is fine but the environment just 00:41:47.672,00:41:52.477 got attack… >>No, your computer is fine. [inaudible] 00:41:52.477,00:42:09.260 >>Er…[inaudible] okay. >> So I just take this opportunity to 00:42:09.260,00:42:17.201 remind people it’s not the back, erm, and we probably gonna have 00:42:17.201,00:42:20.238 you compress over a little bit, erm, at the end of the talk 00:42:20.238,00:43:35.146 which, you know a few minutes here. [inaudible] [applause] >> 00:43:35.146,00:43:40.384 Er. Unfortunately, this talk, I think maybe I can’t finish 00:43:40.384,00:44:17.755 because…[inaudible] >>Are you close to the end? >>oh, okay. I 00:44:17.755,00:44:26.597 close. I’d like to, to publicly provide my GitHub account that I 00:44:26.597,00:44:43.314 will, I will put my fake GPS detection program to my 00:44:43.314,00:44:50.221 GitHub and, er…oh, sorry today I, I think… >>It’s, it’s okay 00:44:50.221,00:45:01.065 man, you did a good job. >>Okay. Thank you for coming and er, er 00:45:01.065,00:45:06.337 I would like to provide my GitHub account. This account er, 00:45:06.337,00:45:15.046 will now be hacked by, er, by er any anyone, er maybe. Er, my 00:45:15.046,00:45:21.385 account is Aaron, Aaron Lou. Aaron dash Luo and I will 00:45:21.385,00:45:32.563 publish the attack and defense to all to this GitHub. Thanks 00:45:32.563,00:00:00.000 for coming. [applause]