This is Aaron Loh. Good afternoon, ladies and gentlemen, and thank you for coming. I'm Aaron. Today I'm going to talk about drone hijacking, and I'm glad to join this event. This is my first time presenting at DEF CON. And actually... oh, thanks. Actually, I'm a little nervous now because, you know, it's the first time, and this is also my first time presenting in English. So... I know it's hard to decode my English, so please bear with it.

Okay, let me start with a brief self-introduction. My name is Aaron, as I mentioned before. Currently I'm working at Trend Micro, and I come from Taiwan. I'm also a HITCON member. HITCON is a hacker community in Taiwan, and this year HITCON also had a team in the DEF CON CTF.

I just want to tell a story about why I started my security research life in 2005. It was because of a backdoor. When I was 15 years old, I decided to develop a RAT. Out of the blue, or madness, I don't know why I decided to develop that, but finally I finished the backdoor when I was 16. The RAT enabled me to remotely manage multiple machines, and it also offered some nice functions, such as viewing someone's keylogger output, doing file transfers, or seeing the remote desktop screen. But trust me, I only played with this on my own VM, so no one was impacted. Okay. Oh, sorry, I'm so nervous, but you know.

After I created the backdoor, I also managed some web servers. Then I joined the Taiwan government's cybercrime investigation department as a consultant. Then I joined the Trend Micro cyber-safety solution team. So I think the backdoor is the beginning of everything. Okay, that's the end of my self-introduction. Let's start hacking.

This is today's agenda. I will introduce the drone architecture and point out the vulnerable components. Afterward, I will demo how to hack it and provide prevention solutions.
The tools will then be shared on GitHub. Today our target is the DJI Phantom 3 Advanced. This drone vendor is popular, and I think the drone architecture is similar across models, so if you know how to exploit this drone, you may take the same way to hack another drone.

Okay, let's talk about the structure of this drone. There are three main modules: the drone itself, the remote controller, and the app SDK. Which components are vulnerable and easy to exploit? I think they're usually found in the radio, the remote controller and GPS module, and the app SDK.

First, we search for vulnerabilities in the DJI app and SDK. You can see the operation process in this image. First, the DJI-developed app needs to request activation data from the DJI authentication server. Then the remote controller uses USB to transmit the data. Finally, the drone will fly after confirming the activation data. Sorry, actually presentation is not my specialty, so I'm really very nervous.

Now I want to introduce how to crack the SDK authentication mechanism. First, we downloaded the SDK from the DJI website. I chose the Android SDK, so it's a JAR file. You can find the key function with JD-GUI, and I found the function; it's called checkPermission. This function will be called when you open the app. So we just need to patch this function, then we are able to bypass the authentication mechanism.

So how to patch this function? I think this part is easy. You just use JBE. JBE is a Java Bytecode Editor. Find the just-mentioned checkPermission function; then I replaced checkPermission so it directly returns SDK level 2. It means we can directly use level 2 of the SDK. I forgot to tell you about the SDK permission: zero means you have no permission, and if the SDK level is bigger than zero, then it means you have the SDK permission. So I just set it to 2, then return. After patching this function, you can check the result with JD-GUI. Then you can see the SDK level is directly returned as 2.
And this SDK authentication mechanism is easy to hack. I think it's simple but powerful, because all kinds of DJI drones can be affected by this vulnerability. Now I'll demo how to use this vulnerability. At first we can... sorry, let me check the video for a moment. Okay, thank you. After we crack the SDK, we can directly connect to the app and look at the camera data. So you can see the camera, so it really works.

In the next demo, I will show how to use this vulnerability to impact the drone. I developed an app with this SDK, and it contains some APIs that can be called, like take-off or landing. At first I used the take-off function: I pressed the button and the drone just took off. Then I pressed the landing button and the drone landed. I also used this feature to write a function that can fly the drone to a specific location. At first I input the GPS location, then I press "fly to here", "fly to there", and the drone just flies there. But actually this SDK has some limitations. In this demo I just used the cracked SDK. This means I don't need to connect to the authentication server; I can directly use this SDK.

So how to prevent or improve this? The vendor can protect their library file with other tools, such as a protector or packer, or use encryption to validate the SDK authentication key between the app, the drone and the server, not only validating between the app and the server.

Next session: firmware analysis. How to analyze the firmware? We can use binwalk to extract some data, but actually it is limited. So we use IDA Pro to analyze the incomplete data extracted by binwalk, and use string references to find the key function. The function is designed to check the firmware. We can use it to reverse the firmware format. Actually this decode function is very big, so please forgive me for not explaining the details.
Finally we can extract each function module, which contains detailed information including the major and minor ID, module name and binary name. After that I extracted the file system from fc300fw.bin by using the password. Then we can extract some interesting things from the file system, for example the SSH key and some configuration data. And if you want to know the root password, you can view /etc/shadow and crack this file.

Okay, I will introduce how to prevent or improve this part. Actually I think just encrypt the firmware binary, but you still need to be careful that the key storage place must be safe. And the signing should be careful about side-channel attacks. Okay, this is the end of firmware analysis.

The next session is radio signal analysis. How to analyze the radio signal? Just by SDR. SDR is software-defined radio. The two on top are HackRF; the bottom one is BladeRF. By the way, these are all available in the DEF CON vendor area, so if you are interested in this you can buy one from the vendor area.

We found the DJI Phantom 3 uses two modulations to transfer data in the 2.4 GHz ISM band. I will introduce this in detail later. One modulation is used to control the flying direction of the drone, like flying up, down, left or right. You can observe that it is FHSS, frequency-hopping spread spectrum. The frequency range is about 2.4 GHz to 2.483 GHz, and each channel is about 1 MHz of bandwidth. The other modulation is DSSS, direct sequence spread spectrum. It lets the drone transmit images to the remote controller. The frequency is about 2.415 to 2.4815 GHz, and each channel is about 10 MHz of bandwidth.

Finally, we found the image has no checksum mechanism, so we can jam the radio frequency to show a wrong image on the controller. Let's see the demo. This is the program I developed. It can jam the radio signal and show a green screen on the DJI FPV system. And how to prevent or improve this? I think just validate the image checksum.
If the checksum is wrong, just don't show this image. Or you can transfer the image data with some symmetric encryption, but it needs to take more performance. Actually I think just adding the checksum is enough, because reversing the modulation and demodulation is not easy.

Let's move to the next session: GPS module analysis. The GPS module is a general way to hijack the drone, and the GPS protocol is not encrypted. The GPS protocol used by civilians is not encrypted; it's called C/A code, and it's for civilians. There is another GPS protocol called P code. P code is for the military, so normal civilians can't use this encrypted channel. So every civilian usage of GPS is easier to be attacked by an attacker. An attacker can easily fake this.

I will talk about which functions are associated with GPS. In the DJI drone, four functions will be impacted by faking the GPS. One is the no-fly zone. No-fly zone means DJI has set many places as no-fly zones, like the airport or some important places. So if you fake the location so that you are in an airport or some important place, the drone will be forced to land. Another function is return to home. Return to home means if you press return to home, the drone will return to the original point. The other function is called follow me. Follow me is the function that means if you move, the drone will also move, so the drone always follows you. And the last function is waypoint. Waypoint means you can set multiple locations, then the drone will go to each location. These four functions will be impacted by fake GPS.

Now I will introduce how to spoof the GPS location. There is a good open-source GPS simulator on GitHub called gps-sdr-sim, but it has some limitations: before you want to fake a location, you should wait for a few minutes to generate the IQ data. IQ data is, if you want to play with SDR, you must build the IQ data for modulation. So we improved the code; then it can generate the GPS signal in real time and can be controlled with a joystick.
This means you don't need to wait five minutes or a few minutes to generate the IQ data; you can directly fake the point in real time. And this is the demo. Wait a moment, sorry. You can see I use the joystick and can directly impact the GPS location: when I move to the left you can see the GPS point moves to the left, and when I move outward the GPS point moves outward, then I move to the right side and it just moves to the right. So we can use this joystick to impact the GPS location. Thank you.

Now I'll demo force-landing the drone by faking a location inside the no-fly zone. You can see that outside the red circle is the no-fly zone. I open the program, then it needs to wait a few seconds, because fake GPS takes some time to update the satellite track; it takes about 30 seconds. So you can see finally the drone is in the no-fly zone, then the drone lands. This demo was also shown at a past DEF CON, so I just want to demo this again because I think some people may not have seen it.

And I want to demo the joystick hijacking the drone. I open the DJI follow-me function, and you can see I'm not touching the remote controller. Then I move the joystick, and you can directly move the drone to the location you want. Like, I move the joystick to my side and the drone comes to my side. Then I just control this a few times, and finally using the joystick is easier to control the drone. But finally the drone just moved to a far place because I couldn't control it, so I switched to my remote controller, because this drone is our company's, so I can't let it disappear. So finally I used the real RC controller and got back control. But actually, if you want, you can make the RC controller not work: you just jam the 2.4 GHz frequency, then the control link will be lost, and at that time you can use the hijacking program to fully control the drone.

And I want to introduce how to detect the fake GPS signal. One way is to validate the GPS subframe data. The subframe data is data sent by the GPS satellite which contains the satellite
track information, but the fake GPS subframe data will look like this. This is the subframe data, and you can see the upper subframe data is true satellite data and the lower one is the fake GPS satellite data. You can see some fields are wrong, so you can validate the subframe data to check whether the signal is fake or real. But I know you must think: if I just record and replay the GPS data, the subframe will be correct. Yes, it is, but we have another solution. When you record and replay the GPS, you can use the time: you can validate the time between the satellite time and the real time, because if you record and replay, the time will be wrong. So this is another way to detect the fake GPS signal. Another way is to check the motion speed from point to point. For example, it is impossible to change your location from Taiwan to Las Vegas in one second, unless you are Doraemon or Sonic.

Finally, I developed a fake GPS signal detection device using the just-mentioned ways. I developed it on a Raspberry Pi, and I bought a GPS module; the module is a popular module called u-blox. This is the demo of the tool I created. You can see this is the Raspberry Pi, and this is my phone controlling the hijacking device, and I transmitted some fake GPS data. Now it is normal, because the fake GPS data takes some time to take effect, about 30 minutes. Wait a moment. I don't know why my screen has become black. Wait a moment, I'll press this again. Has the screen been hijacked?
No problem. I think today is unlucky. Wait a moment. Some people just... okay.

Sorry for the interruption, guys. We have AV techs on the way and they should be able to fix this. Actually, this is not my computer behind me, so I have no way to fix this. My computer is fine, but the environment just got hacked. So I'll just take this opportunity to remind people to exit out the back. We're probably going to have you press over a little bit at the end of the talk, which I know is a few minutes here.

Unfortunately, this talk... I think maybe I can finish, because... okay, I'll close the talk. I'd like to provide my GitHub account, and I will put my fake GPS detection program on my GitHub. Sorry, today... okay, thank you for coming. I'd like to provide my GitHub account. This account will not be hijacked by anyone, maybe. My account is aronlaw (aron-law), and I will publish the attack and defense tools to this GitHub. Thanks for coming.
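The three spoof-detection heuristics described near the end of the talk (subframe sanity, satellite time versus the receiver's own clock, and point-to-point motion speed) can be prototyped in a few lines. The block below is an added example written for this page; it is not the speaker's Raspberry Pi tool or anything from his GitHub repository. It assumes the receiver already hands us decoded fixes with a local timestamp and a satellite-derived timestamp, it checks only the fixed TLM preamble for the subframe test (full parity validation is out of scope here), and the thresholds (2 s clock tolerance, 60 m/s maximum speed) and the Taipei and Las Vegas sample fixes are constructed for illustration.

```python
"""
GPS spoof-detection heuristics (added example, not the talk's own tool).

Checks, following the talk's discussion:
  1. subframe sanity: every 30-bit TLM word must start with the fixed
     8-bit preamble 10001011 (IS-GPS-200);
  2. clock offset: a recorded-and-replayed signal carries an old satellite
     time, so it disagrees with the receiver's own clock;
  3. motion speed: Taipei to Las Vegas in one second is impossible.
Thresholds and sample fixes are assumptions constructed for this example.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_M = 6_371_000.0
TLM_PREAMBLE = 0b10001011  # fixed preamble in bits 1-8 of every TLM word


@dataclass(frozen=True)
class Fix:
    local_t: float  # receiver wall clock (Unix seconds) when the fix was computed
    gps_t: float    # time carried by the satellite signal, converted to Unix seconds
    lat: float      # degrees, WGS-84
    lon: float      # degrees, WGS-84


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres (spherical Earth approximation)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def tlm_preamble_ok(tlm_word: int) -> bool:
    """Check 1: the top 8 bits of the 30-bit TLM word must equal the preamble."""
    return (tlm_word >> 22) & 0xFF == TLM_PREAMBLE


def clock_offset_ok(fix: Fix, max_offset_s: float = 2.0) -> bool:
    """Check 2: satellite time must agree with the local clock within tolerance."""
    return abs(fix.gps_t - fix.local_t) <= max_offset_s


def motion_ok(prev: Fix, cur: Fix, max_speed_mps: float = 60.0) -> bool:
    """Check 3: implied ground speed between consecutive fixes must be plausible."""
    dt = cur.local_t - prev.local_t
    if dt <= 0:            # fixes must move forward in time
        return False
    dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
    return dist / dt <= max_speed_mps


def find_anomalies(fixes: List[Fix],
                   max_offset_s: float = 2.0,
                   max_speed_mps: float = 60.0) -> List[Tuple[int, str]]:
    """Return (index, reason) for every fix that fails the clock or speed check."""
    anomalies: List[Tuple[int, str]] = []
    for i, fix in enumerate(fixes):
        if not clock_offset_ok(fix, max_offset_s):
            anomalies.append((i, "clock"))
        if i > 0 and not motion_ok(fixes[i - 1], fix, max_speed_mps):
            anomalies.append((i, "speed"))
    return anomalies


# Constructed sample track (assumed data, not a real capture):
#   0: genuine fix in Taipei
#   1: one second later, about 10 m north (normal walking/flying motion)
#   2: one second later, suddenly in Las Vegas (live spoof, fails speed check)
#   3: same spot, but satellite time is three days old (replay, fails clock check)
T0 = 1_470_000_000.0
SAMPLE_FIXES = [
    Fix(T0,     T0,                 25.03300, 121.5654),
    Fix(T0 + 1, T0 + 1,             25.03309, 121.5654),
    Fix(T0 + 2, T0 + 2,             36.16990, -115.1398),
    Fix(T0 + 3, T0 + 3 - 3 * 86400, 36.16990, -115.1398),
]

if __name__ == "__main__":
    for idx, reason in find_anomalies(SAMPLE_FIXES):
        print(f"fix {idx}: suspicious ({reason})")
```

In a real receiver pipeline the clock check needs a trustworthy local time source (the Pi's RTC or NTP over a link the attacker does not control), since a receiver that sets its own clock from GPS will happily accept the replayed time.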