Drones And Wireless Security - NITRD


Believe It or Not: Wireless Walking on Air
Drones and Wireless Security
Wade Trappe
September 2018
Rutgers

UAVs

WINLAB

UAVs change the wireless landscape and will have dramatic security implications

UAVs will come in a variety of sizes and shapes, with a wide range of cyber-capabilities
– Tasks: environmental monitoring, item delivery, recreation, etc.
– Use wireless for control
– Have the potential to cause physical harm

UAVs change the “wireless game”
– Require strict guarantees in communication performance
– Have an elevated perspective that has pros/cons
– Easy access by hobbyists
– Advanced “tactical” UAVs have quite different security considerations (talk to me offline!)

Drones are already commodity technology:
– DJI Phantom, 3DR, etc. easily accessible and affordable
– Software kits available for app development (e.g. 3DR’s DroneKit API, DJI SDK)

A Case Study illustrates the potential risks associated with UAV: Football Stadium

A recent Rutgers investigation into the use of recreational drones near football arenas:
– Hobbyists try to fly drones over games to watch the event
  – Safety: A crash can harm life and infrastructure
  – Revenue implications
– Sensors deployed around a stadium, with new commercial software used to detect drones

Lessons learned:
– Most drone vendors use commodity wireless tech (e.g. Wifi), and most detection uses “wireless” to find the controller.
– Controller detection was usually successful within 30 seconds, location within 150m about 80% of time.
– Detection performance is dependent upon deployment “geometries”
– Having an up-to-date drone “RF” signature database (MAC addresses, etc)
– Pre-planned missions or many drones: Not easy to detect; need for other forms of drone detection

Legal limitations:
– The law limits what can be done “to counteract” drones
– Can’t disarm or disable drones, even if they would cause physical harm
– FAA limitations are ignored by hobbyists
– Concerns that anti-drone defense systems (jammers) might impact other societal systems (navigation)
– Need to re-evaluate these

It is relatively easy to pwn a drone, sort of.

In a separate study, Rutgers investigated the susceptibility of commercial drones to simple cyber attacks

Goals:
– Analyze drone communications
– Understand attack vectors to control/disable drone

Attack scenario:
– Laptop running Kali Linux
– Wireshark - packet capturer
– Aircrack-ng - wireless exploit suite
– 3DR Solo Drone
– Sololink - controller/drone wifi network

[Figure: attack flow. Run initial deauthentication to check functionality; continue deauthentication to prevent manual override; stop deauthentication & load script to make drone fly to a set location.]

We were able to:
– Capture and replay packets (sent to the drone)
– Deauthenticate the drone
– Redirect the drone with the DroneKit API

Good news: Deauth on the drone did not lead to a crash; drone hovers but does not have a controlled descent.

[Figure: Wireshark packet capture (UDP and DHCP traffic)]
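The scenario above depends on a sustained stream of deauthentication frames, which a passive monitor can flag. The following is an added example, not part of the original slides: a sliding-window detector run over constructed frame records. The record format, window, threshold and MAC addresses are all assumptions.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12   # 802.11 management frame subtype 0x0c (deauthentication)
WINDOW_S = 5.0        # assumed sliding window, in seconds
THRESHOLD = 10        # assumed: deauth frames per window that count as a flood

# Constructed sample records "time,subtype,src,dst,bssid", as might be exported
# from a monitor-mode capture. Addresses are made up (locally administered).
def build_sample():
    ap, sta = "02:00:00:00:00:01", "02:00:00:00:00:02"
    lines = [f"0.5,8,{ap},ff:ff:ff:ff:ff:ff,{ap}",   # beacon, ignored
             f"1.0,12,{sta},{ap},{ap}"]              # one ordinary disconnect
    # sustained burst: 40 deauth frames in 4 s aimed at one station
    lines += [f"{20 + i * 0.1:.1f},12,{ap},{sta},{ap}" for i in range(40)]
    lines.append(f"60.0,12,{sta},{ap},{ap}")         # later ordinary disconnect
    return lines

def parse(line):
    t, subtype, src, dst, bssid = line.strip().split(",")
    return float(t), int(subtype), src.lower(), dst.lower(), bssid.lower()

def detect_deauth_floods(lines, window=WINDOW_S, threshold=THRESHOLD):
    """Return one alert dict (bssid, target, start, end, frames) per flood."""
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps inside the window
    active = {}                   # (bssid, dst) -> alert currently being extended
    alerts = []
    for line in lines:
        t, subtype, _src, dst, bssid = parse(line)
        if subtype != DEAUTH_SUBTYPE:
            continue
        key = (bssid, dst)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            if key not in active:        # flood starts: open a new alert
                active[key] = {"bssid": bssid, "target": dst,
                               "start": q[0], "end": t, "frames": len(q)}
                alerts.append(active[key])
            else:                        # flood continues: extend the alert
                active[key]["end"] = t
                active[key]["frames"] += 1
        else:
            active.pop(key, None)        # rate fell back below the threshold
    return alerts

if __name__ == "__main__":
    for alert in detect_deauth_floods(build_sample()):
        print(alert)
```

Where both ends of the link support IEEE 802.11w protected management frames, forged deauthentication frames are rejected, which removes this step of the scenario rather than only detecting it.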

Elevated implications on spectrum: a double-edged sword

UAVs are an elevated platform
– Able to receive RF signals from “further away”
– Able to transmit RF and impact receivers “further away”

Simple line of sight arguments imply a larger RF footprint / radio horizon for a drone
– Larger L1 interference footprint
– Larger L2 (MAC-layer) impact – think carrier sensing
– Larger L3 impact (everything is the drone’s neighbor)

[Picture from Wikipedia]

The good:
– UAVs as mobile, emergency cellular basestations
– UAVs as repeater (bridge between two non-line-of-sight RX)
– Enhanced spectrum sensing (needs more research on signal separation, spectrum cartography!)

The bad:
– But what about a rogue, software-based LTE basestation (e.g. OpenAir LTE)?
– Jammers

[Figure: WINLAB spectrum sensing on a drone. Labels: GPS, RF SDR dongle. Problems with weight, GPS stability.]

"Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Networking and Information Technology Research and Development Program."

The Networking and Information Technology Research and Development (NITRD) Program
Mailing Address: NCO/NITRD, 2415 Eisenhower Avenue, Alexandria, VA 22314
Physical Address: 490 L'Enfant Plaza SW, Suite 8001, Washington, DC 20024, USA
Tel: 202-459-9674, Fax: 202-459-9673, Email: nco@nitrd.gov, Website: https://www.nitrd.gov
