This is Aaron Luo. Good afternoon, ladies and gentlemen, and thank you for coming. I'm Aaron. Today I'm going to talk about drone hijacking, and I'm glad to join this event. This is my first time presenting at DEF CON, and actually I'm a little nervous now because, you know, it's the first time. This is also my first time presenting in English, so I know it's hard to decode my English; please bear with it.

Let me start with a brief self-introduction. My name is Aaron Luo, and I'm going to talk about drone hijacking, as I mentioned before. Currently I'm working at Trend Micro, and I come from Taiwan. I'm also a HITCON member. HITCON is a hacker community in Taiwan, and HITCON also has a team joining the DEF CON CTF this year.

I just want to tell a story about why I started my security research life, since 2005. This is because of a backdoor. When I was 15 years old, I decided to learn more about RATs. Out of the blue I made this; I don't know why I decided to learn that, but finally I finished the backdoor when I was 16. Then I decided to go on to real-world research. This RAT enabled me to remotely manage multiple machines, and it also offered some nice functions, such as a keylogger, file transfer, or viewing the remote desktop screen. But trust me, I only played with this on my own VM, so no one was impacted. Sorry, I'm so nervous, but you know. After creating the backdoor I also managed some web servers, and then I joined the Taiwan government cyber crime investigation department as a consultant.
Then I joined the Trend Micro Cyber Safety Solutions team. So I think the backdoor is the beginning of everything. Okay, that's the end of my self-introduction. Let's start hacking.

This is today's agenda. I will introduce the drone architecture and point out the vulnerable components. Afterward I will demo how to hack it and provide prevention solutions. The tools will then be shared on GitHub.

Today our target is the DJI Phantom 3 Advanced. This drone vendor is popular, and I think the drone architecture is similar across models, so if you know how to exploit this drone, you may take the same way to hack another drone.

Let's talk about the structure of this drone. There are three main modules: the drone itself, the remote controller, and the app SDK. First we open up the remote controller, and there is a GPS module here. I will show you how to hack it. First, I will talk about the DJI app and the SDK. You can see the operation process in this image. First, the DJI-developed app needs to request activation data from the DJI authentication server. Then the remote controller uses USB to transmit the data. Finally, the drone will fly after confirming the activation data. Sorry, actually presentation is not my specialty, so I'm really very nervous.

Now I want to introduce how to crack the SDK authentication mechanism. First we download the SDK from the DJI website. I chose the Android SDK, so it's a JAR file. You can find the key function with JD-GUI, and I found the function called checkPermission.
This function will be called when you open the app, so we just need to patch this function, and then we are able to bypass the authentication mechanism. So how to patch this function? I think this part is easy. You just use JBE. JBE is a Java bytecode editor. Find the checkPermission function I just mentioned; then I replaced checkPermission to directly return SDK level 2. It means we can directly use the level 2 SDK. I forgot to tell about the SDK permission: zero means you have no permission, and if the SDK level is bigger than zero, then you have the SDK permission. So I just set it to 2 and return. After patching this function you can check the result with JD-GUI. Then you can see the SDK level is directly returned. This SDK authentication mechanism is very easy to hack, simple but powerful, because all kinds of DJI drones can be affected by this vulnerability.

Now I demo how to use this vulnerability. Sorry, let me check the video. Wait a moment. After we crack the SDK, we can directly connect to the app and look at the camera data, so you can see the camera; it really works. In the next demo I will show how to use this vulnerability to impact the drone. I developed an app with this SDK, and it contains some APIs that can be called, like take off or landing. First I used the take off function: I pressed the button and the drone just took off. Then I pressed the landing button, and the drone landed.
I also used this SDK to write a function that can fly the drone to the location we specify. First I input the GPS location, then I press "fly to here", and the drone just flies there. But actually this SDK has some limitations. In this demo I just used the cracked SDK, which means I don't need to connect to the authentication server; I can directly use this SDK.

So how to prevent or improve this? The vendor can protect their library file with other tools, such as packers. Or use encryption, and verify the SDK authentication key between the app, the drone and the server, not only from the server.

Okay, let's go to the next session, firmware analysis. How to analyze the firmware? We can use binwalk to extract some data, but actually it is limited. So we use IDA Pro to analyze the incomplete data extracted by binwalk, and use string references to find the key function. The function is designed to check the firmware. We can use it to reverse the firmware format. Actually this decode function is very big; please forgive me for not explaining the detail. Finally we can extract each function module, which contains details. So we can use binwalk and string references to find the file information, including the major and minor ID, module name and binary name. After that I extracted the file system from fc300_fw.bin by using our parser. Then we can extract some interesting things from the file system, for example the SSH key, the sound files, and some configuration data.
If you want to know the root password, you can view it in this file. Okay, I also want to quickly introduce how to prevent or improve this part. Actually I think just encrypt the firmware binary, but you still need to be extra careful that the storage place must be safe, and you should be careful about side channel attacks. Okay, this is the end of firmware analysis.

The next session is radio signal analysis. How to analyze the radio signal? Just with SDR. SDR is software defined radio. The two on top are HackRFs; the bottom one is a BladeRF. By the way, these are all available in the DEF CON vendor area, so if you are interested in this you can buy them from the vendor area.

We found the DJI Phantom 3 uses two modulations to transfer data in the 2.4 GHz ISM band. I will introduce the details later. One modulation is used to control the flying direction of the drone, like flying up, down, left or right. You can observe that it is FHSS, frequency hopping spread spectrum, and the frequency range is about 2.4 GHz to 2.483 GHz. Each channel is about 1 MHz bandwidth. The other modulation uses DSSS, direct sequence spread spectrum, and it lets the drone transmit images to the remote controller. The frequency is about 2.1415 to 2.4 GHz, so the frequency range is about 2.5815 GHz. Each channel is about 10 MHz bandwidth. Finally, we found the image has no checksum mechanism, so we can jam the radio frequency to show a wrong image to the controller. Let's see the demo. This is the program I developed.
It can jam the radio signal and then show a blue or green screen on the DJI FPV system. How to prevent or improve this? I think just add an image checksum. If the checksum is wrong, just don't show this image. Or you can transfer the image data with some encryption, but you need more performance. Actually I think just adding the checksum is enough, because reversing the modulation and demodulation is not easy.

Let's move to the next session, GPS module analysis. GPS is the general way to hijack a drone, and the GPS protocol is not encrypted. The GPS protocol used by common users is called C/A code; it is for common use. There is another GPS protocol called P code, but no common user can use this encrypted channel. So every common user's GPS is easier to be attacked; an attacker can easily fake it.

I will figure out which functions are associated with GPS. In DJI drones, four functions will be impacted by faking the GPS. One is the no-fly zone. No-fly zone means DJI has set many places as no-fly zones, like airports or some important places. So if you fake the location so that you are in an airport or some important place, the drone will be force landed. Another function is return to home. Return to home means if you press return to home, the drone will return to the original point. The other function is called follow me. Follow me means if you move, the drone will also move, so the drone always follows you. The last function is waypoint. Waypoint means you can set multiple locations, then the drone will go to each location. So those four functions will be impacted by fake GPS.
Now I will introduce how to spoof the GPS location. There is a good open source GPS simulator on GitHub called gps-sdr-sim, but it has some limitations: before you want to fake a location, you should wait a few minutes to generate the IQ data. What is IQ data? If you want to play with SDR, you must build the IQ data for modulation. So we improved the code so that it can generate the GPS signal in real time, and it can be controlled with a joystick. That means you don't need to wait five minutes or a few minutes to generate the IQ data; you can directly fake the point in real time.

This is the demo. Wait a moment, sorry. So this is the demo. When I move to the left you can see the GPS point moves to the left; when I move outside, the GPS point moves outside; then I move to the right side and it just moves to the right. So we can use this joystick to impact the GPS location. Oh, thank you.

Now I demo force landing the drone by faking the location into the no-fly zone. You can see the outside of the red circle is the no-fly zone. I open the program, then it needs to wait a few seconds, because the fake GPS takes some time to update the satellite track; it takes about 30 seconds. So you can see finally the drone is in the no-fly zone, then the drone goes down.
This demo was also shown at a past DEF CON, so I just want to demo this again, because I think some people maybe did not see this. And I want to demo using the joystick to hijack the drone. I open the DJI follow me function, and you can see I am not touching the remote controller; then I move the joystick and can directly move the drone to the location I want, like moving the joystick to my side, and the drone comes to my side.

So the last thing I want to demo is the controller process we already did: one device controls the drone at the other place, and the other connects to the control device. But finally the drone just moved to a place too far for me to control, so I switched to my remote controller. Because this drone is our company's item, I can't let it disappear, so finally I used the real RC controller and got back control. But actually, if you want, you can make the RC controller not work: you just jam the 2.4 GHz frequency, then the control link will be lost. At that time you can use the hijacking program to fully control the drone.
I want to introduce how to detect the fake GPS signal. One way is to verify the GPS subframe data. The subframe data is data sent by the GPS satellites which contains the satellite track information, but a fake GPS signal will have some subframe data that is incorrect, like this. This is the subframe data: you can see the upper subframe data is true satellite data, and the lower one is the fake GPS satellite data. You can see some fake GPS data which is false. So you can verify the subframe data to check whether the signal is fake or real. But I know you must think: if I just record and replay the GPS data, the subframe will be correct. Yes, it is, but we have another solution. When you record and replay the GPS, you can verify the time between the satellite time and the real time, because if you record and replay, the time will be wrong. So this is another way to detect a fake GPS signal. Another way is to check the motion speed between point to point. For example, it is impossible to change your location from Taiwan to Las Vegas in one second, unless you are driving on the highway, or Sonic.

Finally I developed the fake GPS signal detection device by just combining these ways. I developed it on the Raspberry Pi, and I bought a GPS module, a popular module called u-blox. This is the demo of the tool I created. You can see this is the Raspberry Pi, and this is my phone controlling the device, and I transfer some fake GPS data. Right now it's normal, because the fake GPS data will take some time to take effect, about 30 minutes. Wait a moment. I don't know why my screen has become black; wait a moment. I press this again. Is the screen being hacked? I think there is a problem. I think today is unlucky.
Wait a moment. Oh, so it's some people just... Oh, I know. Okay.

Hey, sorry for the interruption, guys. We have AV techs on the way, and they should be able to fix this. Thanks.

Actually, this is not my computer being hacked, so I have no way to start this attack, because my computer is fine. But the environment just got attacked.

No, your computer is fine. I can't see without the screen. Yeah, it's okay. Okay. So I'll just take this opportunity to remind people to exit out the back, and we're probably going to have you press over a little bit at the end of the talk, a few minutes here. Okay. Cut out. Yes. We played the bad game. I agree. It was going the whole time. Yeah, get that over there and see if it comes. Tim, you got it? Yeah.

Unfortunately, I think maybe I can't finish this talk. Okay. Thank you.

Are you close to the end?

Okay, I'm close to the end. I'd like to provide my GitHub account; I will put my fake GPS detection program on my GitHub. Sorry, today I... I think that's it.

That's okay, man. You did a good job.

Okay. Thank you for coming, and I'd like to provide my GitHub account. This account will not be hacked by anyone, maybe. My account is aaron-law, and I will publish the attack and defense tools to this GitHub. Thanks for coming. Thank you.
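The two fake-GPS detection checks the talk describes (comparing satellite time with the receiver's own clock to catch record-and-replay, and checking the motion speed between consecutive fixes) as an added example; this is not the speaker's Raspberry Pi tool, and the `Fix` structure, the thresholds and the sample track are constructed assumptions.

```python
# Added example (not the speaker's tool): the clock-offset and motion-speed
# checks for detecting fake GPS. Thresholds and sample fixes are constructed.
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 100.0    # assumption: a Phantom-class drone never moves this fast
MAX_CLOCK_SKEW_S = 5.0   # assumption: tolerated GPS-time vs local-clock gap


@dataclass
class Fix:
    gps_time: float    # UTC seconds as decoded from the satellite data
    local_time: float  # UTC seconds from the drone's own clock at reception
    lat: float
    lon: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fixes(fixes):
    """Return (index, reason) alerts for fixes that look spoofed or replayed."""
    alerts = []
    for i, f in enumerate(fixes):
        # Replay check: a recorded-and-replayed signal carries the old satellite time.
        if abs(f.gps_time - f.local_time) > MAX_CLOCK_SKEW_S:
            alerts.append((i, "clock_skew"))
        if i == 0:
            continue
        prev = fixes[i - 1]
        dt = f.gps_time - prev.gps_time
        if dt <= 0:
            alerts.append((i, "time_not_increasing"))
            continue
        # Speed check: Taiwan to Las Vegas in one second is not a real drone.
        if haversine_m(prev.lat, prev.lon, f.lat, f.lon) / dt > MAX_SPEED_MPS:
            alerts.append((i, "implausible_speed"))
    return alerts


# Constructed track: three genuine fixes near Taipei, a spoofed jump to
# Las Vegas one second later, then a replayed fix whose GPS time is an hour old.
# check_fixes(SAMPLE_FIXES) == [(3, "implausible_speed"), (4, "clock_skew")]
SAMPLE_FIXES = [
    Fix(1_470_000_000.0, 1_470_000_000.0, 25.0330, 121.5654),
    Fix(1_470_000_001.0, 1_470_000_001.0, 25.0331, 121.5655),
    Fix(1_470_000_002.0, 1_470_000_002.0, 25.0332, 121.5656),
    Fix(1_470_000_003.0, 1_470_000_003.0, 36.1699, -115.1398),
    Fix(1_470_000_004.0, 1_470_003_604.0, 36.1699, -115.1398),
]
```

The subframe-consistency check from the talk is not included here, since it needs the raw navigation message rather than decoded fixes.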