Alright folks, we're going to get the next talk going. Next up we have "Gaining Control of the Sky", an in-depth drone security talk by Ryan Satterfield. Please give them a warm ToorCon welcome.

Hi, and thank you for coming. My name is Ryan Satterfield, I'm the founder of Planet Zuda, and today the topic is drones and the need for greater security. An incorrect critique of some of my research on drones is that people say they're just toys. The reason I say that's incorrect is, well, I'd be inclined to agree if the military wasn't weaponizing one of my exploits and using it basically against enemy drones, which is stupid because their enemies don't use these types of drones. So the military's gun works off a Raspberry Pi that locks onto open Wi-Fi, grabs the Parrot drone's unique identification, and then knocks it out of the sky. It's a really simple Telnet over Wi-Fi and a kill 1 to kill the init process. But I'm going to go far, far further than that. That's just what the media knows. I'm going all the way down to binary analysis today. So let's jump in.

Last time I gave this talk I mentioned that special operations teams were testing out the Parrot drone for military operations in 2013. Parrot drones were also tested by a Czech university for surveillance capabilities. I also mentioned that it was in the news that the U.S. government purchased senseFly drones (senseFly having been acquired by Parrot). I have yet to test a senseFly, but if you want to give me one to test I'd love that, and I'd give a talk on it. A review of online catalogs shows senseFly drones going from $9,000 to $20,000 used, which, if that is the market price, would make it one of the higher-priced so-called toys that I'm aware of. senseFly is used to survey and analyze land automatically and does not fall into any form of classification as a toy in my mind.
It's important to note that there are plenty of drone business models outside surveillance as well, including photography, drones as athletic jogging trainers, and many, many more unique services. I'm going to have to switch slides, sorry about that. The NFL is now using drones to drop footballs into the game, which, if the drone is insecure, could easily pose a threat to the players.

All the drones we tested have security vulnerabilities. We are going to take a look at one in particular today, but we are not picking on that brand at all. The point here is that there are security issues that should be addressed, either by industry self-regulation or, if necessary, legislation, to be sure that the safety concerns are at least minimized beyond the level they have been up to this point. As an example, let's look at the security of the Parrot AR Drone. This also applies to the AR Drone 2.0. I brought one, and I'm dumb enough to actually hook in the battery, so if someone takes it over, they do. Just note that it doesn't actually fly, it's broken, that's why I brought it. I'd like to note that everything I'm discussing has been reported to Parrot in the hope that they will take steps to address the issues and concerns, and it does not appear that they have taken effective steps to mitigate the threats, last time I checked the AR Drone and other drones. Hopefully this presentation is some motivation for them.

So, security doesn't seem to be a top priority to vendors, to most vendors. This is concerning since Parrot sells a lot of drones, including the senseFly, to the government. As tested three days ago, the Telnet to root exploit that was publicly displayed at DEF CON 23 still has not been properly fixed and can still be exploited, hence explaining why the military is using it in their so-called cyber gun (hey, I didn't name it, they did). So Parrot uses Telnet with no authentication, open Wi-Fi, anon FTP, and more issues.
This particular drone creates its own Wi-Fi access point which anyone can access by default, allowing any user to access the drone and then simply kill the init process by typing kill 1, among many other things. Some people, one or two people in this room, may be aware that there was some controversy created when I demonstrated this at DEF CON 23 in front of a bunch of reporters, because they thought it was too simple. I wanted to show a drone hack so ridiculously simple that anyone could pull it off, and it didn't take long to find it at all, because these drones aren't secure and they're selling them everywhere. We need to secure what we're putting in the sky or we're going to end up regretting it, and someone may get badly hurt, and that's not something I want.

So let's go back down. Alright, so I also identified that they use anonymous FTP, and there are instructions on their site directing their users on how to use anonymous FTP for updating their software, which we'll get into more later. It's important to note that they don't use the default FTP port; instead they use port 5551. Michael Robinson demonstrated this on a Bebop drone at DEF CON 23, a day after my demonstration, so I decided to verify whether it worked on the Parrot AR Drone 2.0, and it does. It's even more concerning that Parrot has guides to help users access the FTP. This doesn't appear to be an accidental oversight; rather this seems to be a flaw by design, and I'll get into why this exists later in the talk. Supposedly, after DEF CON you can no longer access Telnet when the drone has pairing on, which is a feature you can enable in their app, but it isn't on by default. The app for the drone comes with pairing turned off by default, allowing anyone to access Telnet with no authentication while the drones are flying.
There's a paper from 2013 that says if you have pairing on you can't access Telnet (sorry, that's too early), but when I tested it in 2015 that was no longer the case, and every time I've demonstrated this attack vector I've had pairing on. So Parrot did a security patch; how effective was the security patch? After Parrot did their security patch I was handed a new Parrot drone I'd never seen before in my life and asked to hack it for a documentary, with a camera in my face. To the credit of Parrot, for newer models the Telnet to root issue does not exist; however, Telnet is still there, but it's supposed to be inaccessible. So I have this camera in my face and I have little to no time to come up with an exploit, so I manually sent requests to the Telnet port on the new Bebop drone I was handed, with the old information that would have worked, for half an hour, because I had an idea of just what I could do and didn't have an automated script to send a request and repeat. So what happened was, after trying to connect for half an hour, I completely disconnected the drone from the phone by potentially overflowing the Telnet stack. Another issue one might use is a simple denial of service against the drone; however, when you DDoS the drone it recovers its connection to the drone operator within 30 seconds, which is a good security feature, I guess. So when I potentially overflowed the Telnet stack it was a complete disconnect. The drone was flying anywhere it wanted in the sky, it could go anywhere, and there was no way to restore control, so this led to some good television: it took two extremely tall men jumping into the air to knock the drone down. You can watch this video in German; I'll post the link. But while Parrot solved one problem in their newer drones, they created a new one. And unfortunately that does happen.
Parrot did send out a patch to certain drone models which looked like an attempt to stop people connecting from Telnet to BusyBox, where you can just shut down the drone; however, the patch was so buggy it wasn't even a mild irritant. Most importantly for this talk, the update did not go to the Parrot AR Drone 2.0. So did they fix access to the anonymous FTP? No, they didn't. And what purpose does the FTP serve besides annoying people and potentially distributing malware? It seems that this is where all recordings on the drone are stored. So it doesn't take much imagination to see what one could do with an open FTP port where you're supposed to upload videos of things that allegedly actually took place. Oh boy, all sorts of stuff could take place. Of course, video footage taken by drones is not more easily authenticated for legal purposes than any other video, so it should not be trusted any more than any other video recording, nor should it be able to be used in court, because anyone in the area could have changed what really happened, which I'll discuss more later in this talk. With the drone frenzy currently going on in the media, this fact seems to be getting left behind.

So how many operating systems does the Parrot use, and what versions? The last time we tested the Parrot AR Drone it used an embedded configurable operating system, Linux, and BusyBox, which some consider to be a real-time operating system. I want to give kudos to John Staffordshire, also known as GeekSpeed, for discovering the embedded configurable OS, which I'll get into more later in the talk, along with how we discovered that. When I was testing this in late 2015 I identified the Parrot AR Drone's OS as Linux, so I became curious what version of the Linux kernel the Parrot drone was using. And lo and behold, they were using 2.6.32.9, which by default has plenty of exploits, some remote exploits, but some do need local access.
Now, why at the time, in late 2015, were they using a Linux kernel that is no longer supported and had reached end of life? I honestly don't know the answer to that question. But I do know it was using 2.6.27.49 in 2012, and I'll discuss why I know that in the next slide. Again, these issues have already been reported to Parrot, but to our knowledge they have yet to be repaired. Our hope is that this talk and other talks will inspire Parrot to make their drones more secure for the mass consumers. The 2.6.32 version of Linux has 200 exploits listed on CVE Details; however, I don't know how many of those affect version 2.6.32.9, nor do I know if Parrot has done any updates to their kernel.

Let's give end users a binary and tell them to use FTP, brilliant idea. It is difficult to believe, but this company in particular actually built a web page to distribute the binary file, along with a rather well-written guide telling their users to use their insecure FTP, to upload the binary, and how to do an update. Seriously, most people don't even know what FTP is, let alone know how to use it to upload a binary file. Any company that expects a normal person to download a file, FTP into their drone, upload the file and follow the rest of the instructions has never tried to talk to normal people about code or FTP. If you don't believe me: once, when I was talking about PHP, someone thought I was talking about a girl. I mean, are you kidding me? So yeah, we got that. This is not a good way to address a major security flaw.

So what's in this binary? Well, when I examined it in 2015 I found some very interesting things, and I put the links there on Pastebin, which you can review for yourself. John, aka GeekSpeed, volunteered to take a look at it since he's good at firmware, and discovered that the binary is making changes to the kernel, and also made the discovery that there is an embedded configurable OS using a real-time operating system.
Another unique thing that GeekSpeed pointed out is the fact that Parrot is making some changes to the kernel in the binary update file, and I repeated myself twice, oh well. The binary is from 2012 and was using the Linux kernel 2.6.27.49, which is why I was able to talk about that kernel in the last slide. They're doing a few things, but it's arguably not enough and it's too slow to make a significant difference in securing their drones. At least the AR Drone 2.0; I can't speak for all their drones.

In-the-wild drone hacks. In 2013, NATO's Cooperative Cyber Defence Centre of Excellence gave a talk on a paper called "The Vulnerability of UAVs to Cyber Attacks: An Approach to the Risk Assessment" by Kim Hartmann and Christoph Steup. It was a very good paper, and it goes into detail on different ways that government drones have been hacked and how to potentially hack Sentinel drones, Reaper drones, Predator drones, and, for some reason, on the list was the Parrot AR Drone. I'm not privy as to why NATO made this talk and paper publicly available, even going so far as stating that it can be reused for non-profit or non-commercial uses, but since they did, I'm referencing it here today. The only things they mention about AR drones are that an Occupy protester used the drone to watch the police, and that the Czech Technical University has written papers on the AR Drone, including as a platform for robotic research and education. They didn't reference a paper from the Czech Republic titled "Planning for Surveillance Uses"; however, that's a very important paper. The AR Drone wasn't the main focus of the paper; rather, how to hack the Sentinel was the main focus, with a smaller focus on the Reaper. The reason for the focus on the Sentinel is because Iran claims to have captured one that the CIA used in 2011, which I think everyone knows. Does everyone know that's what happened with the drone that Iran captured? Alright, so I don't have to go over that.
But anyways, they came up with a few theories: either it was GPS spoofing that pushed the drone into Iranian territory or, even worse in my opinion, there was a software glitch (which was their theory) that made the drone just crash in Iranian territory. So either way, that's not good. And the way that the attack took place was with just a $26 program called Sky Buster, if they wanted to do so. Wait, I'm going to make sure I'm on the right slide... yeah, I'm still in the picture, oh sorry, I'm sorry. That was a prior attack on drones in 2009 by Iraqi insurgents, which allowed them to obtain live video by using a $26 program called Sky Buster, I'd like to correct myself. This occurred due to not having their communication link encrypted, similar to how the AR Drone doesn't use secure FTP for what appears to be used for video recording. Instead it uses FTP, which should allow for a similar attack to occur. I would hope the Parrot drone wouldn't be used for anything sensitive by anyone.

So what can we do? We now know that many of these drone systems are extremely vulnerable. What can we do about these issues? Well, certainly regulation might be of assistance. For example, if the FAA used FAA Part 23, which already applies to airline security, as a model for drone security and added an amendment requiring security to be enforced, then we would have some really well-written rules that we already know work well. I don't know if that will happen or not. An even better idea, a far, far better idea, is self-regulation. Drone associations already exist, and we are considering issuing our own recommended compliance protocol for our clients. Through industry self-regulation, perhaps we can avoid the need for an overabundance of legislation. So my team at Planet Zuda intends to continue examining and reporting upon as many drones as we can get our hands on to analyze from a security perspective, and will continue to bring issues to the attention of manufacturers.
Overall, drones are somewhat safe, and I'm not discouraging the use of drones at all. I'm pro-drone, actually. I like drone companies, I talk to them, and I would invest in some if they were good. But I simply want to do what I can to help make our industry safe for the public. Does anyone have any questions? If I don't see your hand, just speak up.

Yes? It was. Indeed. Thank you for pointing that out. Yes. You know, I would have to be... since I'm on the record, I want to be absolutely correct, and so I can't comment on that right now, but I would have to look into it. But thank you for bringing that up. I will look into it and talk to you afterwards. Any other questions? Oh my gosh. Let's see. Approximately nine. Over $6,000 worth of drones. Yes. The senseFly. I'm serious. If anyone wants to crowdfund a senseFly and hack it, I would do the research on it for free and present it. On the same question, that would take more thought than there is time to answer. Any more questions? Oh, awesome. Thanks for coming, and go hack the planet.