So my name is Ricky Hill. I'm a wireless and security consultant. I work in the D.C. metro area. Specifically my office is out of Reston, Virginia, Tennessee. I've done previous DEF CON talks along a similar vein here. I love flying things with all kinds of wireless equipment and other technical stuff on them. Previously I did the war rocketing probably about eight years ago where we launched a wireless access point and collected data over about 30 square miles. And it was good but we didn't get a lot because you can't launch rockets in urban areas, right? It was a rural area. The other talk I did here that I'd done previously was war ballooning. They actually banned us from doing, they initially gave us permission to do that. We had a balloon with a Kismet drone payload that we were going to fly over DEF CON that year. That was five years ago. Unfortunately the city banned us and we couldn't do that. So we went to a church 10 miles out from the airport to make it legal. Yes. Hey. Pretty good. What's up? Yes. So we have this tradition at DEF CON for first time speakers. You know the drill. However, we have it on good authority that this gentleman is a liar. And he in fact just wants a shot. And by the way, pour the drone one. Actually, I changed my mind. This is excellent. Thank you. Thank you very much, Bob. But we'd like you to raise your hand if this is your first DEF CON as an attendee. Humans only. Come on, up. Wait a minute. You, the blonde. You raised your hand, didn't you? I can barely see under these lights. I hope your hair is blonde. Come on up. First time attendee. All right. Did we... Good stuff. Did you... I'm telling you. Thank you. The drone gets one. Where's mine? Absolutely. The drone gets one? Yeah, I told you to pour one for the drone. It's already been dunked in beer, so it's not an issue. Sweet. What's your name? It's fairly waterproof. Everybody, this is Crystal. Crystal, this is everybody. All right.
Let's hear it for the drones, for the drone and Crystal's first time at DEF CON. As you were. Don't blame the next lad on me. All right, so what is... Give me a bit. Yeah, he's got a good point. I don't want to cut anybody up, so we might fire it up a little bit later. So what is this talk about? It's about network surveillance. It's not about... I don't know if you guys saw it about a month ago, but cleaners in Philadelphia as a gag did this and they're delivering the dry cleaning on guess which drone? That's the Phantom drone right there. And this thing, believe it or not, will lift probably about two pounds, 400 grams, whatever that works out to. So beer works. I haven't tried the full six pack. I understand some guys have. So here on the screen is what I plan to cover today. First we'll look at the advantages of doing wireless surveillance from the air. You've got line of sight to everything. It's a real easy way to get all the access points in a large area from a reconnaissance perspective. Next we'll explain how this year emerging technologies have made this a possibility. Two years ago, these payloads that you see loaded on this drone would not have been possible because of the power requirements and the size of the microelectronics on it. In particular, we'll talk about the electronics and the Hak5 software improvements in that, and it has something on it called a Cotton Candy computer, which is basically a USB stick that runs full Ubuntu or Android. Finally, I want to cover how I built, designed, built and flew the Phantom surveillance drone. I think you guys will like it. We've got a lot of good video here. You'll witness successes as well as some of our oops moments that we encountered flying the drone. We flew a lot of missions during June and July of this year. All right, so the talk is really about the goodness of aerial wireless surveillance. My previous attempts have been problematic.
As I mentioned, the rocket had problems because the whole flight was like four minutes, right? Even from 10,000 feet, you're not going to get a lot of information in that amount of time. The balloon suffered from similar things. When you launch a balloon this over the Vegas skyline, we managed to capture Luxor and several of the Strip's access points from quite a distance out. I think it was like 7 to 10 miles. But when you launch a balloon it's not a real stable platform. It tends to do this, right? So the video from that venture looked a lot like Blair Witch. It was pretty sickening. So next we'll talk about what others have done, what you see on the screen here. There was a contest, how I got the idea for this talk, called DARPA UAV Forge. DARPA UAV Forge was about a fly-off competition to design a small drone that would fit in a soldier's rucksack, basically fit on his back, which is why the small drone. And its purpose was to go out and land on roofs, houses, buildings, towers, whatever, and conduct visual surveillance. Like it would have been very useful, for instance, in the Boston bombing if you could have had surveillance anywhere you wanted it, right? So that was the military's purpose in this. The top picture you see there is the UAV Forge's Halo team above the competition course. The other attempts at wireless surveillance, if some of you remember it, is the Black Hat's Wasp Cellular, that yellow airplane cellular and wireless collection spy plane. It was pretty expensive. I think it was military surplus. It cost about $6,000. The problem with all these is that our people that fly drones, some now want to fly them continuously in the air. Well, when you're flying, you're using a heck of a lot of energy, right? I mean, you don't have fuel tanks like a 747. You're burning up battery power like mad. The advantage of this one, of course, is that it can land and then shut off the motors.
So UAV Forge entered the UAV Forge contest, as I mentioned, introduced a very novel and progressive idea. That is a perch and stare surveillance, right? If you can land on something, you can shut down, conserve your battery power, and then conduct wireless, cellular, whatever other operations you want to, because those electronics in the payload are going to use a lot less power. So I've extended upon the UAV Forge concept, expanded upon that primarily to perform network surveillance and exploitation. How many of you guys in here know what a Pineapple is? All right. How many of you use the Pineapple? Excellent. Excellent. Keep in mind throughout this presentation, it's a proof of concept for what can be done and what the military wanted. I'm not encouraging anybody to go out and land on their coffee shop roof or terrorize their neighbors. What you do with what you learn in this talk is up to you. So UAV Forge, 143 teams competed from 153 countries. Guess what? Nobody won. Nobody met their criteria for landing on or perching on a roof and collecting photos and coming back. They did require some autonomous operation, but not full autonomous operation. Does anybody know what the difference between a UAV or UAS and a drone is? Okay, go ahead. Yeah, well, some people don't know. Yeah, exactly. The key word is autonomy. So the Phantom is an autonomous drone in the fact that it will return to home base without any pilot intervention. Otherwise, it's just like a UAV. It'll fly with pilot control. So full drones, autonomous operation in fact was one of the Achilles heels of UAV Forge because things like trees got in the way, right, that weren't on Google Maps. Okay, well, guess what? It doesn't do trees well. So here's a review of UAV Forge. As you can see, it's pretty self-explanatory, a lot of crashes. Out of all those teams, out of a dozen teams in the final competition, the average time to crash between takeoff and crash was three minutes, right?
Yeah, I mean, it's just ludicrous, right? And this is only two years ago. So that's what I want to impress upon you is how much the technology has changed. That's not a good bet for an aircraft that costs upwards of $10,000, right? I don't even think the Army wants to buy that. Well, I don't know. All right, so the phantom just came out in January of this year. I found out about it because a friend of a friend I work with was doing some Grand Canyon whitewater rafting. And she said her cousin or whatever ran this company that flies phantoms and other drones over the Grand Canyon films people going down. The phantom also comes with a GoPro mount. If you guys are familiar with sports GoPro cameras, excellent pictures from the air. So that's how I got the idea and went out and I was addicted once I saw these videos on YouTube. I'm like, oh, this thing is really cool. Look what I can do with it. And furthermore, you know, it flies really good. I can't tell you how many of the little RC helicopters I've crashed. I mean, I suck as a pilot, right? So I suck as a pilot, but you know what? GPS accelerometers and all the guts inside that thing make me rock. They are great. It also has other safety features built in such as a two-stick startup. What that means is if you've ever flown RC before is if you accidentally turn on it with the throttle up, then you can like eat up your friend's hand, you know, fly up into the ceiling if you're indoors, whatever. One stick is easy to get out of way. Like you can see here, it's not going to do anything with one stick. It requires positive both hands to the left to take off. Very nice feature. I also consider the return to home capability they advertise and works. You'll see it in just a bit to be the most valuable. If for any reason your flight gets into trouble, guess what? You can just turn off the transmitter here. 
The drone says, okay, I lost communication or even if my battery goes low, I'm going to come back to where I took off from. So the technological improvements that I spoke about earlier, the Cotton Candy computer was one. Let me just show you that. I've got one right here. So the Cotton Candy is basically this white USB stick. It debuted at the 2011 computer electronics show in Las Vegas. This thing runs full Ubuntu or Android operating system. It makes an excellent platform for hooking in, for instance, this Wi-Spy spectrum analyzer. It also can do ZigBee collection. If you guys are familiar with ZigBee and Joshua Wright's KillerBee, we've run all of those payloads on the drone in the last month. Let me put my drone back up, it's lonely. And finally, I can't emphasize how much of a joy this thing is to fly. It's just incredible when it's in GPS mode. Anybody fly helicopters? RC? Okay. We got a few people. How many crashes have you had? Okay. That says it all right there. So this is a look at the two payloads. Sorry, the pictures are a little fuzzy. Again, the main payload we've used for this thing is the Hak5 Pineapple, which you can see underneath the copter right here. And of course, the other one I have is the Cotton Candy I just showed you. The Pineapple required quite a bit of modification and quite a lot of work to get going because lofting things in the air requires a lot of power. So it required a custom power supply. And for instance, the swap space on the Unix system required UUID mounts instead of regular mounts. It literally took me like a month to get that payload configured. And I finally got it configured with a T-Mobile GSM modem. Because all the other ones, they just suck power. The CDMA, the typical USB stick modems just suck power. So my opinion, Cotton Candy is the perfect headless computer to use for an aerial payload.
The trick with it is, because it takes power from its USB port, once you connect the USB port and put it on the helicopter, you just killed your computer, right? Well, to work around that, you supply it with LiPo battery power and an Apple Bluetooth and keyboard. Guess what? You can now detach your Bluetooth keyboard and mouse and you're good to go on the helicopter. Whatever you want running is now still running, right? So in my case, it's airodump-ng, it's a Wi-Fi spectrum analyzer, and the other payloads that we've talked about before. Basically any USB device that you can run, you can fly with this Cotton Candy computer. All right, so let me show you what the Cotton Candy looks like. It actually will also act as a virtual computer when you plug it into a laptop. So let's do that. I did pray to the demo gods. No, but I took two shots. Okay, installing device driver software. Here we go. Okay, the goat will happen next time. Sorry. Come on. All right, I'll know next time. Let me know. Do you have goats for sale? Please. All right, this is our first flight with the Wi-Fi spectrum analyzer. This is a neighborhood overlooking a lake. It happens to be a neighborhood overlooking a lake in Culpeper, Virginia. So it's a cool place to fly choppers because there aren't many trees on waterfront properties, right? So it's easier to fly in, buzz neighborhoods, do whatever you want, right? That's why we chose it. This is the collection off that. Approximately, we flew approximately up to about 200 feet and got all this data. This particular subdivision only had about 20 houses, and we did a 10-minute overflight. So as you can see, there's a lot of stuff on Channel 9. Plenty of data there. Okay, so we found a lot of wireless sources. So now what? Well, the now what is... Wait a minute, wait a minute. I want to make sure I'm not skipping something here. We found 802.11 sources, so okay, big deal, right?
Well, that's when I got the idea to do the wireless Pineapple. The Hak5 Pineapple provides numerous wireless survey and exploitation packages. You can even do Metasploit on the Pineapple. Pineapple basically is a router that acts as a man in the middle for unsecured wireless networks. If you connect and Android phones, I've captured a number of Android and Apple phones that connect instantly to it. Basically, I'm a man in the middle and I'm providing your Internet connection so I can do anything I want, right? Again, the payload objectives for the flying Pineapple were the same as for DARPA. That is to land on a unique vantage point. That can be a cell tower. It could be a hotel balcony. It could be anything you can think of that's hard to get to, right? Conduct your operations and return the Phantom safely to the starting point. So I'm lazy. I don't want to construct the standard Visio diagram, so I just did the, I stole Hak5's. Thank you, Darren and Robin. This is episode 112. How this works is that the team, there can be a wireless exploitation team on the Internet anywhere, and through the GSM modem they're going to be able to talk to the Pineapple and conduct operations on the Pineapple. That's how it works. There's a relay server we call Hawaii that's out on the Internet that enables that. Here's a short list of the Pineapple's capabilities. As you see, urlsnarf, DNS spoofing, sslstrip. airodump-ng runs great in flight because it doesn't transmit anything. The only other thing I would caution you if you want to do this project: this is 2.4 gigahertz, okay? If you're running that with the receiver onboard the Phantom and you're doing wireless ops with the payload, guess what? You're in the same band. You may not be looking so good. They're theoretically supposed to work. I've seen numerous blogs on the Internet for you just crashed your $700 Phantom. So monitor mode only in flight is the way to go. And that works. That sucks. Sorry. I'm going to skip here.
I forgot to show you this video. This is pretty cool. Watch this. This is the return to home feature of the Phantom. So basically what I did is take this thing out in a field. This is my last test that I did, by the way. I turned off the transmitter. And you can see it landed near my gym bag like three feet from the same point it took off from. That's the GPS and the Naza-M controller on it. All right. So the next mission we did was I went out on my Sea Ray boat and we decided a good place to check to see how many people had wireless was on the beach. At this particular beach is at Lake Anna. We ran airmon-ng as I've spoken about before and no, we were not looking for bikinis. We were just looking for how many people were using their Androids and other wireless devices on the beach. Notice the pylons added to the drone quite well. I know one will support me above the water so it worked really cool. We're flying out here about like one of those little advertising planes does at Virginia Beach and we just buzzed the whole beach area, which is probably about a football field long, so you can see right here. So down at the other end we started to get people's attention. Thank goodness the lifeguards did not chase us off, but play altitude of about 100 feet here and we're collecting all while we're flying, right? I'm running low on time here so I'm going to speed this up. Here's the landing. The battery went dead. Watch this. It actually died. I actually had no control at that point. My friend Mr. Nick Hopper jumped in and did helicopter search and rescue. I have never seen a man swim so good. He jumped in and held the thing out, got it, held it over his head and swam like 50 feet back to the boat. So incredible. Actually 100 feet. Thank you, Nick. All right, so I had bragged to one of my friends that I had not crashed the Phantom yet and we'd been doing ops with it about a month, and unfortunately there were some oh no moments, but I think you'll find these interesting.
We now have moved on to the phase where we've done aerial collection and we're going to do the DARPA thing where we want to land on and collect information from roofs or other interesting places, right? So the first thought was, well, let's perform a test flight, and the second thought is, let's land on a balcony. Hey, you know, we can land on the Marriott or whatever and just check out somebody's room and do the Pineapple wireless thing, right? Okay, we'll see how that looks. This is test flight number one. Okay, pan right. This was a stormy evening, fairly windy. I'd had only two beers at this point, not two shots, but watch. Yeah, that's about 75 feet at least, so not so good. What you see here on stage is Phantom V2. Oops, one more clip here, so this is our balcony shot where we're trying to land on a balcony just to see if it can be done. About an inch short on that leg, watch. Damn, you're a good man. Also Mr. Nick Hoppler. This is a look at the reconstruction of the Phantom. What you see in the center there, that red thing, is the Naza-M controller. Very sophisticated, uses GPS, accelerometer, and even uses a compass on the leg there in order to orient itself in space. I've seen advertised GPS that it's no better than like 6 to 9 feet or something. This thing actually does better than that. It does a space about this wide and it will hover in place with that controller. The Phantom has no moving parts other than the propellers on top there. What you see on the ends are, they're called the ESCs, the electronic speed controllers, they're on each thing.
The damage, the only damage this thing had, was one of the ends. Right here you can see the end: when it did that full head-on impact, it bent at about 20 degrees, so that that particular propeller was off. The only way to fix that, it's like a crustacean, it's got a hard shell. The new shell is 60 bucks, so that's 60 bucks and about an 8-hour rebuild. All right, so mission number 3 is to actually attempt to do the DARPA mission, that's do a rooftop landing. We did quite a few rooftop landings. I'm going to show you the best one here. We ran airmon-ng before we landed. After we landed, we did site surveys, we did some urlsnarfs, and I can tell you these, by virtue of wireless, these are great vantage points, because you land on somebody's roof, guess what? You don't need a high-gain antenna. You're there. So the thing is, this is with the zoom lens. This thing is actually pretty far away. The problem is, if you as a pilot attempt to start to land on a roof, you lose, the farther the object is from you, the more depth perception you lose, right? So there is an onboard camera, I can show you guys after, but it's about the size of a postage stamp, a first-person-view camera, that I will see what's on the roof. So if you're wondering why I'm hanging up there, there's a corrugated thing on the platform in front with about this much dip on it that I'm wondering if I can ever get my helicopter off. I'm like, nah, you know, that doesn't look so good. Let's back up a hair here. So decided to abort the rooftop landing and go for the actual platform there. So there's the chopper going down. This is a clubhouse on the lake, by the way. There you can see their lawn chair, their grill. There were no people here, thankfully, at this point. Now we all held our breath as we, well, actually, actually, we did, we did a few videos for this. The video's been clipped together. We held our breaths and did the takeoff and voila. All right, thanks. So we did encounter a couple places, and what you have to worry about when flying drones or you're doing surveillance
is, you know, if you're doing private property or whatever, that people might be pissed off that you're trying to collect their wireless or flying a drone outside their window, right? I mean, it's natural. I personally have shotguns for that purpose. Watch this. We're not going to stay here. Let's get the hell out of there. That thing will do 35 miles an hour, by the way. These are just a few of the results. I know they're hard to see, but sslstrip, I actually hacked and got my own password with sslstrip. Basically what it does, it collects as a man in the middle. You don't have SSL anymore, right? Because I'm providing your internet. urlsnarf, the same way. I'm basically getting every website you're going to. So that's results there. We did compare ourselves to UAV Forge team scores. I know they're hard to see, but the scores go from 0 to 100 and all the teams failed. Nobody even made the baseline. Well, I'm sorry, let's go down one here. One team, team Halo, made 47 points. The Phantom, if we score it by the score, it's scored above like 10 out of 12 helicopters two years ago, based on autonomous return to home, avoiding obstacles and other baselines. If you want to see more, want to learn more about drones in UAV Forge, go look at uavforge.net. It's a very interesting contest and you can see a lot more crashes there. So future work. We pretty much prove that perch listen and engage for why it will work for wireless networks surveillance. It's also a highly effective site survey tool. The takeaway from this is that, you know, drones and UAVs can be used for good or bad, right? I mean, they can be used to peer in people's windows, they can be used to collect, what, collect information at coffee shops, other important places, or they can be used over by the military overseas. You know, they're sort of, you know, it's in the, it's in the mind of the beholder, basically, right, as to what they're used for. We hope they're used for good. So keep that in mind if you guys are interested in flying or keeping drones flying
because now, right now, the FAA is evaluating who's going to be able to fly drones in the United States and where, and that's due out, I believe, mid 2014 or 2015. Right now I flew under the rules that say no commercial entity sponsored me. I'm flying under model association rules, wherein I have to maintain an altitude of under 400 feet. If any of you guys fly, I implore you, implore you, and here's the disclaimers, to not fly this without experience. If you don't, if you don't have experience flying a drone, you don't start with a $700 helicopter, right? Also, don't fly anywhere near an airport, because 400 is not a lot. I was going to do a, before we decided on our lake trip, I went to a place near the Potomac River, which is, you know, borders DC, and thought, oh, this is a cool resort, let's do some drone operations here. Bad idea. Went out there, bunch of golfers were into my balcony. You already saw the balcony crash where Nick collected the copter. Well, that would have been a golfer's head, right? Think about it. The other thing is, over the Potomac there's the approach to Reagan National Airport, which was about ten miles out. I thought, well, there couldn't be any airplanes there, they're going to be thousands feet up. No, they're like 800, a thousand feet, well within the capability of this drone. So bad idea. If you're going to fly anywhere, make sure you get with somebody in our local RC club or whatever, make sure that you're doing the right thing and you're not endangering people, right? It's all fun. We had a great time doing this. This is one tip I have for you, and I can show you guys afterwards. It's an altimeter. It's just a USB stick, basically, right? You get on the elevator, punch the zero at the bottom floor and tell how high you got, right? It fits well in just about any copter you want to fly. What's 400 feet for the Phantom? It's about as far as you can see. When it starts to get to where you can't see it anymore, well, you know you're too high. You're in aircraft space now.
So again, that's about it. Let's see what we got here. Some shout-outs to Nancy alpha ops team, helped me out a lot with this as far as the flight operations. Nick Hoppler in particular, Mr. Rescue right here. Thank you very much, Nick. And the Hobby Hangar in Chantilly, Virginia. I had the advantage of having it two blocks from my house, I can go out and get parts for the Phantom or whatever I want, right? So I will leave you with this final thought here on the screen. Thank you very much.