Good morning everyone, we deeply appreciate you selecting our session amidst the array of impressive presentations happening concurrently in other tracks, and today we will delve into the pivotal role that SDR plays in the realm of military drones. Let's now turn to my colleague David, who will lead us further into this topic. So, we are Gabriela García and David Meléndez. In that case, for Gabriela, aka Gaps, it is her first time at DEF CON, and she is a security developer, a hacker and a hacking community organizer. She is also a coding and cyber security instructor and mentor, and she is helping me to present this presentation because my English is from Zaragoza, Spain. So, she is attending several conferences, like the Motion, yesterday in Canarias; it's a good place to go to the beach. In my case, it's not my first time at DEF CON, but it's like this, we shoot the noob. I'm still processing the Jack Daniel's, maybe. So, it's not my first time at DEF CON, also at several places, like the most famous conference in Spain, RootedCON. And I'm a book author about drones, "Hacking with Drones", it's a very original name. Just to show how old I am, I am a big fan of Campus Party. So, Gaps, let's go. Okay, the context. As some of you may have accidentally heard, we are in a wartime context. There is currently an alarmingly high number of conflicts occurring around the globe, and military equipment manufacturers emphasize one primary objective, which is to minimize casualties. This is where drones take on particular significance as instruments of warfare. Next, okay. Drones. Drones have evolved into essential instruments of warfare due to various factors. They enable precision strikes in combat, they eliminate the need for onboard personnel, they are perfectly suited for asymmetrical warfare and they are crucial in executing tactics and strategies for real-time covert operations. Drones, as precision-guided weapons, offer numerous advantages.
They ensure greater accuracy in attacks, resulting in reduced collateral damage and fewer civilian casualties. They minimize human risk, as they are remotely operated, and their operational duration is extended since there is no concern for fatigue. In addition, their versatility is showcased by the capability to be equipped with a range of weaponry, from missiles to bombs. In asymmetric warfare, drones offer cost-effectiveness when compared to traditional manned aircraft, and this is evident through cost reductions in drone production methods such as cargo drones, wooden drones, 3D printing and the use of affordable chipsets. In strategic terms, drones offer tools for real-time covert operations and tactics, and additionally, they enhance surveillance capabilities for data collection and intelligence purposes. Drones also serve as a powerful asset for SIGINT, given their ability to gather information, intercept and analyze enemy communications and electronic signals. They can access challenging regions, operate continuously for extended periods and transmit data in real time for prompt threat response. Furthermore, they can execute covert missions at high altitudes or using discreet flight patterns. Some prevalent anti-drone measures include utilizing both thermal and standard cameras for shape recognition, detecting heat emissions from engines and electronics, analyzing distinct drone noise characteristics, employing radio-frequency and waveform detection, and identifying unique radio signatures. To counteract detection measures, operators employ several strategies, like using frequency hopping, engaging jammers that operate on conventional frequencies, implementing robust communication protocols and so much more, but it's important to highlight that, regardless of the advances, no drone can effectively withstand a direct physical attack, like a gunshot or a stun. Ok, got it. Thank you. So, I want to talk about this type of drone, drones as war elements.
So, we're going to start... well, excuse me. The use of drones for SIGINT: they are used to collect information, extend reach to access areas, prolong operations, real-time transmission, as Gaps said, and covert operation at high altitudes and discreet flight patterns. So, the typical anti-drone measures, they are attributed to thermal and standard cameras for shape detection, so you detect the drone by the shape of the drone. It looks like a drone, it must be a drone. Detecting the heat of the electronics, especially the motors, so if you see four heat spots in the sky, maybe it's not a pigeon, so it's a drone. So, using artificial intelligence, or natural intelligence maybe, you can detect those drones simply by seeing them, by sight or by cameras. Another technique is the characterization of drone noise. If it sounds like brrr, it's a drone, but it's... you know. Also, the most typical way to detect a drone is by radio frequency and waveform detection. So, we have here the most important way to detect a drone, the cheapest also, because most drones work with Wi-Fi devices, Wi-Fi communications, and if we have a Wi-Fi detector, it's not very expensive, so we can detect the drones by Wi-Fi characterization. So, most drones nowadays have the capability to transmit through Wi-Fi on 2.4 GHz and 5 GHz. So, it's very easy to detect a drone with this method. And the last one is the radio signature, using SDR devices with the typical waterfall that we are going to see. So, at the last DEF CON, I talked about this topic and the topic is the same as the last one. So, the countermeasures are very, very... it's the same. It's frequency hopping and unexpected frequencies. So, typically, police devices, state force devices, try to jam the signal of the drones with jammers using the same fixed frequencies. They are the typical Wi-Fi jammers and the 5 GHz jammers, and they are very constrained to those frequencies.
And the last one is the funniest: just shoot the drone, right? It's the best one, but it's the most expensive one. It's not very... It's not very suitable. I want to explain the evolution of the Atropos. If you play StarCraft 2, as I do, you will know the Banshee. Atropos is Banshee in Spanish. So, I like... I am original, right? I know. The Atropos is a very, very old drone that I made like a decade ago, more than a decade. I was young, I was in my 20s, just to notice that I'm not still in my 20s. Well, it's a homemade quadcopter with a Wi-Fi router. It was made when the Raspberry Pi didn't exist, luckily, and when the Arduino was starting. So, I used a microcontroller from Microchip, the PIC, to generate the PWM signal for the motors. And the stabilization unit is from a Wii Nunchuk and Motion Plus from Nintendo. So, they are glued inside the drone, without the case, obviously. So, I used the web page of the router for control and telemetry of the drone. I've used that method. So, the first approach to control the drone was indeed Wi-Fi. So, the first attack I suffered at a conference was the deauthentication attack, a long time ago. So, we start from there. As years passed, I was keeping the drone with several tools, like the WPS attack with bully, with extra onboard hardware and so on. So, the first approach with this drone was to avoid deauthentication attacks by using beacon frames. That was the first approximation. So, just a lateral... Just another functionality was to inspect all the frames, all the beacon frames of the environment. So, just for a second. I didn't jump for distraction. So, I generated a lot of frames of fake drones just to hide the right one. So, the evolution of the Atropos was at that stage too. So, I decided to make another drone called Interceptor that was presented here at DEF CON. Maybe I was tired of traveling with the big drones through the airport.
So, I decided to make a tiny drone like this, with the same system, with the same beacon system to transmit the commands. So, the last approximation that I made with this drone was to use FM radio to send the commands to the drone, just to hide, as a method, the communications from the jammers. So, it was not enough for me and for us. So, that was the first approximation. I have a USB trainer, it's not a drone command, it's too expensive. So, I decided to put a USB router on that trainer and to connect through standard Wi-Fi. That was the first approximation. The second one was to send four beacon frames from one router to another. And the deauthentication attack was not possible here. So, that was the second approach. But I'm still vulnerable to Wi-Fi jamming attacks. Well, the third approximation was with the Interceptor. It has two-way communication. I'm able to send the commands and receive telemetry from the drone, using the same system. That was the last one, a redundant system with FM every day spaloid. This is used, for example, with the Raspberry Pi; maybe you know that there is a project that uses one pin to generate FM radio. So, you are able to create your own radio station with its own name. So, in the name of the radio station travel the commands to the drone. So, you can see in the talk several experiments with the Interceptor. That was the RDS FM. And I used the RDS part. So, the right one. The mono audio and the stereo audio were just for fun. So, we reached stage three of the world weapon. So, the last approach was to control the drone through arbitrary frequency generation. So, how can we do that? We generate a custom frequency, so the drone receives that frequency through SDR, software-defined radio. So, and the last one, I am able to change the frequency dynamically from the transmitter to the receiver. So, this is the current approach. I use a VoCore2. It's a tiny board with OpenWrt.
So, I use the USB with the same method. So, I generate through the I2S bus an ASK modulation. I'm going to explain that. So, with an SDR dongle onboard the drone, I can receive that command on an arbitrary frequency. So, no police guns work with this. So, what is spread spectrum? Spread spectrum is a modulation with which I am able to change the frequency very fast to disturb any jamming method. So, the jammer doesn't know what the next frequency is that I'm going to use. So, the jammer is useless in this case. May I use the chip explanation? Excuse me. Spread spectrum is a modulation technique that broadens the signal across a frequency band that is much wider than the original information requires. By employing spread spectrum, resistance to noise and interference is enhanced. This is because the signal is spread over a broader spectrum and can more effectively manage noise concentrated at a particular frequency. There are two key terms inside spread spectrum. First, FHSS, which stands for Frequency Hopping Spread Spectrum, and second, DSSS, an acronym for Direct Sequence Spread Spectrum. We credit a remarkable innovation of spread spectrum to Hedy Lamarr, not just a Hollywood actress but also a brilliant inventor who, in collaboration with George Antheil, pioneered a spread spectrum system. Contrary to popular belief, while Lamarr didn't invent Wi-Fi, she laid the groundwork for today's Wi-Fi, CDMA and Bluetooth technology. Go ahead. So, Frequency Hopping Spread Spectrum is the technique that we use here. So, we generate the signal by toggling a general-purpose input-output pin of the VoCore that is on the I2S bus. So, if we toggle the pin very fast, we can generate a radio signal. If we solder a wire on that pin, we have an antenna. So, you have a raw modulation of that signal. So, if you change the frequency of that toggling, you can transmit on an arbitrary frequency to control the drone. So, this technique uses Frequency Hopping Spread Spectrum.
So, I transmit a message on a given frequency and the next message is transmitted on another frequency, pre-established between the transmitter and the receiver. So, this is a combination of techniques, starting from... have you heard about TEMPEST? So, this is the same technique but changing the frequency constantly. So, would it be possible with a 15-buck board instead of a Raspberry Pi, like the MT7628 chipset? Maybe. Hold my beer. So, what is the I2S bus? The I2S bus is not the I2C bus. The I2S bus is used to transmit and receive digital audio, but we are not using this bus for that here. So, we have two wires. One wire is a clock pin, and we have a data transmission and a data receiving. We are not going to use the receiving data, so we only use the clock pin for the moment. So, what is the clock pin? The only one that is toggling constantly. So, this is the method. Well, if we look at the datasheet of the MediaTek MT7628, we see at what address we find the device, the I2S device. So, we can write directly to the registers to turn on and off the clock pin. So, this is the clock plan of the SoC, and we have a primary clock, and we can lower the frequency of that pin by configuring the clock dividers. So, by configuring the clock dividers, we are able to change the frequency constantly and seamlessly. So, we have to set up our I2S device as if we were writing a new driver. So, with this project, there's a new driver for the I2S device for this chipset that enables the I2S bus, but what I'm doing here is enabling and disabling the clock constantly to generate a high-level and low-level modulation. And when I want to change the frequency, I change the last one, the deep config and divined config. So, we can choose a very wide set of frequencies. So, if I turn on the clock, I am transmitting on a frequency, right? Configured by the clock dividers. So, if I turn it on, I am transmitting on that frequency, and if I turn it off, I am not transmitting.
So, the simplest modulation is amplitude shift keying. It's the same as garage doors, remotes and so on. But here I'm creating the modulation just by turning on and off the clock of the bus. So, I want to turn on and off the clock at a given frequency. So, how to receive that on the drone side? We can use a USB SDR to receive that modulation. So, if we tune the SDR to that frequency, we receive each packet like a high blue bar. So, that's one command from the transmitter transmitting to the drone. So, this is the raw command seen by amplitude as the receiver receives that packet. So, we have a preamble here just to tell the receiver that this is a valid packet. So, the receiver starts recording all the IQ values from the SDR and it decodes whether it is at the high level or the low level to decode the binary transmission. So, how does this work? This is an extra board, a board of the drone that accepts a bitstream from the device, from the file system. So, it modulates in ASK and adds a CRC8, by two timers. I have two timers here. And the other one is triggered on every symbol. So, we have one timer up, down, up, down, up, down on each symbol, and I have a timer up, down, up, down on each packet. So, I can transmit the symbols at a very specific time and every symbol at a very specific time. So, this is another VoCore attached to an SDR dongle that receives on that frequency all the data from the SDR, and how I did it: by Frankenstein. Well, this is entirely in C, no Python here, sorry. To receive the data, I change the frequency constantly to receive the commands. So, I have to use the librtlsdr library, which is the same one that rtl_tcp and so on use. So, I have to make my own program: I had to program my own driver to transmit and to write my own program to receive. So, in this approximation, I have a list of frequencies. So, the transmitter transmits one packet on one frequency and changes to the next frequency.
So, the receiver has to synchronize, has to find the first packet on a given frequency. So, if both sides have the list of frequencies, the receiver knows what the current step in the list of frequencies is. So, the receiver is able to continue, taking that list into account. So, for this setup I decided to make my own transmitter; this is a PCB with a custom controller, with the typical two joysticks of the drone. So, using the VoCore, we attach a linear amplifier to make much more noise than the VoCore makes itself. So, this is the transmitter, and this part is the antenna attached to the I2S GPIOs. So, how we generate... As you see, I can transmit in a very wide range of frequencies. I made this demo in my house in Spain because, as you see, I am transmitting on a military frequency, error. So, if I go to prison, I'd like to go to a Spanish prison, just to let my mom bring me cigarettes. So, if you see, this is the difference between the VoCore without the amplifier and with the amplifier, so there is a big difference. It's up and down, that is one packet, and as you see, I zoom out. As you see, I am transmitting, let's see again. You see two signals here because the spread spectrum is transmitting on that frequency and then changing to a neighboring frequency. This is a demo just to demonstrate that the transmitter jumps from one frequency to another. I am able to jump in a very wide area, in a very wide range of frequencies that are very far from each other, so, for a jammer, this is an enigma.
Indeed, we can skip the frequency hopping technique and simply transmit on a fixed frequency, but one unexpected by the jammer. So, it's much more reliable, and the transmitter doesn't have to jump from one frequency to another, because it takes time for the chip; the SDR dongle is very cheap, 20 bucks, and it takes time to change the tuning frequency from one frequency to another. We can simply use this frequency and almost no jammer will take care of this, because what about if I am transmitting on a military frequency and the jammer tries to jam my own drone, jamming indeed military frequencies, right? This is the web page of the drone. I am still using Wi-Fi transmission as the primary method, so I use this modulation as a fallback, so the receiver decides which command to use: if the receiver receives a Wi-Fi command, it uses that, but if the Wi-Fi doesn't work, the receiver uses the alternative method.

The last one is to demonstrate that the drone flies indeed. Please don't kill anyone, please don't kill anyone. So, maybe I'm not allowed to fly the drone here, sadly, I don't know why, but the drone kills very few people, like only 3 people. As you see, it's an outside drone, it's not an inside drone, but let's make a little noise, just to make noise. We come from Spain, so any of you have a code to bull? Isn't that it? It's too far, or it's jumping, but if you slow-motion the video you can see it flying. But seriously, guys, I know what I'm doing, not flying it. So, we are fine with the time. OK, so thank you for coming here, and if you have any questions, we would like to answer them. Thank you very much.
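The receiver-side processing the speaker describes (a preamble so the receiver knows a valid packet starts, on/off symbols sliced from the amplitude, a CRC8 that lets a damaged packet be dropped, and a frequency list both sides walk through so the receiver can resync after catching one packet) is sketched below as an added example in C. It is not the talk's code nor the speaker's VoCore driver or librtlsdr receiver: the preamble byte 0xA5, the CRC-8 polynomial 0x07, the frame layout, the channel numbers in the hop table and every function name are assumptions made for illustration, and no radio hardware is touched; the "symbols" are simply the carrier-on/carrier-off states an SDR front end would hand to a decoder.

```c
/* Added example modelled on the talk's description; not the speaker's code.
 * Preamble, CRC polynomial, frame layout and hop table are assumptions.
 * A symbol of 1 means "clock on" (carrier present), 0 means "clock off". */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PREAMBLE    0xA5                     /* assumed sync byte: 10100101 */
#define MAX_PAYLOAD 16
#define MAX_FRAME   (MAX_PAYLOAD + 3)        /* preamble + len + payload + crc */
#define MAX_SYMBOLS (MAX_FRAME * 8 + 64)     /* room for idle symbols before a frame */

/* CRC-8, polynomial 0x07, init 0x00 (the talk only says "CRC8"; assumed here). */
uint8_t crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Transmitter side: [PREAMBLE][len][payload][crc8 over len+payload].
 * Returns the frame length, or 0 if the payload does not fit. */
size_t build_frame(const uint8_t *payload, uint8_t len, uint8_t *out)
{
    if (len > MAX_PAYLOAD) return 0;
    out[0] = PREAMBLE;
    out[1] = len;
    memcpy(&out[2], payload, len);
    out[2 + len] = crc8(&out[1], (size_t)len + 1);
    return (size_t)len + 3;
}

/* Expand frame bytes MSB-first into on/off symbols; returns the symbol count. */
size_t frame_to_symbols(const uint8_t *frame, size_t flen, uint8_t *symbols)
{
    size_t n = 0;
    for (size_t i = 0; i < flen; i++)
        for (int b = 7; b >= 0; b--)
            symbols[n++] = (frame[i] >> b) & 1;
    return n;
}

/* Read the next 8 symbols as one byte; returns 0 if the stream ends early. */
static int read_byte(const uint8_t *s, size_t nsym, size_t *pos, uint8_t *out)
{
    if (*pos + 8 > nsym) return 0;
    uint8_t v = 0;
    for (int b = 0; b < 8; b++) v = (uint8_t)((v << 1) | (s[(*pos)++] & 1));
    *out = v;
    return 1;
}

/* Receiver side: slide over the symbol stream until the last 8 symbols spell the
 * preamble (leading idle/noise symbols are skipped), then read len, payload and CRC.
 * Returns the payload length, or -1 when no valid frame is found. */
int decode_symbols(const uint8_t *symbols, size_t nsym, uint8_t *payload_out)
{
    uint8_t shift = 0, len, crc, frame[MAX_PAYLOAD + 1];
    size_t pos = 0;
    int found = 0;
    while (pos < nsym) {
        shift = (uint8_t)((shift << 1) | (symbols[pos++] & 1));
        if (pos >= 8 && shift == PREAMBLE) { found = 1; break; }
    }
    if (!found) return -1;
    if (!read_byte(symbols, nsym, &pos, &len) || len > MAX_PAYLOAD) return -1;
    frame[0] = len;                                       /* CRC covers len + payload */
    for (uint8_t k = 0; k < len; k++)
        if (!read_byte(symbols, nsym, &pos, &frame[1 + k])) return -1;
    if (!read_byte(symbols, nsym, &pos, &crc)) return -1;
    if (crc8(frame, (size_t)len + 1) != crc) return -1;   /* damaged packet: drop it */
    memcpy(payload_out, &frame[1], len);
    return len;
}

/* Hop list shared by both sides (constructed channel numbers, not the speaker's list).
 * Packet k goes out on hops[k % NHOPS]; a receiver that validated a packet on channel
 * ch knows the next packet arrives on the following entry. */
static const unsigned hops[] = { 7, 23, 41, 2 };
#define NHOPS (sizeof hops / sizeof hops[0])

int next_hop_after(unsigned ch)
{
    for (size_t i = 0; i < NHOPS; i++)
        if (hops[i] == ch) return (int)((i + 1) % NHOPS);
    return -1;   /* channel not in the table: cannot resync from it */
}

/* Round trip with idle symbols ahead of the frame; optionally flips one payload
 * symbol to show the CRC rejecting it. Returns the decoded payload length or -1. */
int roundtrip_demo(int flip_bit)
{
    static const uint8_t cmd[] = { 0x01, 0x7F, 0x80 };   /* constructed stick values */
    uint8_t frame[MAX_FRAME], symbols[MAX_SYMBOLS] = { 0 }, out[MAX_PAYLOAD];
    size_t flen = build_frame(cmd, (uint8_t)sizeof cmd, frame);
    size_t idle = 5;                                     /* carrier off before the packet */
    size_t n = idle + frame_to_symbols(frame, flen, symbols + idle);
    if (flip_bit) symbols[idle + 8 * 2 + 3] ^= 1;       /* corrupt one payload symbol */
    return decode_symbols(symbols, n, out);
}

int main(void)
{
    printf("clean: %d, corrupted: %d, next hop after ch 41: %d\n",
           roundtrip_demo(0), roundtrip_demo(1), next_hop_after(41));
    return 0;
}
```

The preamble hunt is what makes the scheme tolerate the carrier-off gap between packets and any noise the slicer turns into stray ones; the CRC check is what makes a half-jammed or mistuned packet fail closed (dropped, rather than steering the aircraft with garbage), and the hop-table lookup is the resync step the speaker describes: one validated packet tells the receiver where in the shared list it is.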