David is going to talk to us about drones and anti-drone countermeasures beyond just simply handing me a drone remote, because I got a drone and the only thing I can do apparently is fly the thing into my face. And I've done that a number of times. So let's give David a big round of applause. Good luck. Thank you. Have a good time. Thank you. I can say that I'm pretty great. So let's get started.

Well, welcome to my talk. Glad to see you here. And I'm going to present the Project Interceptor. It's about owning an anti-drone system with nano drones. So that's me. Well, I'm David Melendez. I'm a research and development embedded software engineer in a company in Spain. And I'm the creator, the author of several robots, and I want to explain them later. And the author of the book Hacking con Drones. It's in Spain, in Spanish. And a resident speaker, but not here. And a trainiac. Why am I saying that I am a trainiac? This is the Alta Velocidad Española. It's a pretty cool train. It's fast and it's cool. And you were fast. But I'm pretty much a fan of your trains because they are pretty badass. They stack containers. And big fan. Big fan of you guys. Big fan of you folks. Absolutely. So if you meet with me later, be careful, because maybe I start talking about trains and I can't stop. So be careful.

So I would like to start with this. You're laughing. Good job, folks. I'm thinking about this guy arriving at home and, "Honey, I'm doing a pretty good job today." So that's one point.

The second point, previously in DEF CON. I want to start with drones in DEF CON. And I think that this is the first drone seen in DEF CON, with pretty cool stuff. And well, with hacking capabilities, you can take the drone along the city, taking a lot of networks and make some cool stuff. Right? And the second one was a year ago, the Danger Drone. And it is pretty cool stuff because they used 3G and 4G communication and telemetry.
So that's because several anti-drone systems work indeed with 3G and 4G systems. And if you use the same system, the anti-drones, they can be trolled you. There's no way to jam your drone. But only because it's illegal to jam 3G, 4G frequencies. It has some kind of problems.

So I want to explain drones as a threat. I like that picture because it's pretty cool. Well, we can start talking about drones as a flying computer. It's like Internet of Things over your head. IoT, we can call IoT as before we return to Assholes because they were named quadcopters. They can use custom pilots, sniffers, jammers, network analyzers, 3D mapping cameras and so on. Some kind of cool stuff you can put in your drone. So any kind of thing you can imagine, you can put in your drone. A drone is a vehicle, it's not a weapon, it's a tool.

So how can we detect drones? Well, the first one is, okay, I'm seeing a drone. I detected it. So there are thermal and standard cameras. Well, nowadays there are a lot of systems that are able to detect drones by their shape, with artificial intelligence and so on. And with thermal cameras, with electronics and motor heat detection. Okay, you see four dots in the sky that are pretty hot. It's not a pigeon, I think.

Also, another detection method is characterization of drone noise. A pigeon doesn't sound, okay, we got it.

Detecting radio frequency and waveform. This is the most important method to detect drones, because every drone has a signature of radio communication and it's pretty easy to detect those drones because, for example, oh, okay, a Wi-Fi with the access point name of a drone manufacturer. It must be a drone.

Okay, well, another method to detect drones. I'm pretty much a fan of these voluntary measures. Well, if you install in your drone an application that reports to cops that you are flying a drone in a certain area at a certain time, okay, no problem at all. Everything will be all right, right?
So this application gives to cops the ability to take down your drone. Imagine if you install this application on your car, okay, everything will be all right. So, perfect plan.

So, how about the counter-countermeasures? Well, we can use several methods that are already on the stage, like spread spectrum, where you can transmit in a very wide area of radio frequency with the hope that nobody can jam all the area. Frequency hopping: you can hop to many channels and use frequencies unexpected by the jammer. The jammer expects that the drone works in certain frequencies. And robust protocols, that we are talking about.

Well, I want to explain my first drone of this stuff, that is called Atropos. It's a quadcopter that I built like six years ago. You can Google it. It's in Hackaday and so on. And I decided to build it with a Wi-Fi router. It's a Wi-Fi router, a La Fonera router. And, well, some cool stuff like the Wii Remote of Nintendo as inertial sensors. So, six years ago, there were no Chinese manufacturers that you can buy from and they take your sensor to your home. So, it was easier to take the sensor from the Wii Nunchuk. And I decided to put the sensors to the router directly by attaching the bus to the lights, okay? And controlled by a web server installed on the router. The program, the stabilization program, is programmed in C inside the router, and it has an embedded system and also has another capability with Bully that is able to attack other Wi-Fi. So, you can see the La Fonera router and some pretty cool and professional soldering skills. And that's perfect.

So, now, what else? I like to see this movie because, well, all the other Star Wars movies made me cry. So, I like this one, okay? And I like it particularly on a scene: "We count 50 rebel ships, Lord Vader, but they are so small that they're evading our turbolasers." That gives me an idea: why not make a small drone, okay? With chopsticks, okay? Because people ask me, why are you using chopsticks?
Don't you have a 3D printer or something? Are you poor or what? Well, if I print the drone, nobody believes me it's mine. So, this is mine. I'm going to check that. Actually, the drone is draining its battery, so maybe I have to fly before the battery drains. Okay, all right.

So, the Bully Interceptor is based on low budget. No, seriously, low. You take a cheap sensor, a cheap board and a cheap everything. Minimum size and weight, hard to detect, okay? And with all the stuff that is on this thing, hacking capabilities and resilient control.

Well, this is the drone and the chopsticks. We can see a Linux board inside that is indeed a router, with the OpenWrt Linux distribution inside. And some cool stuff like brushed motors. Why brushed? Because they are cheap. Ridiculously cheap, okay? And small. So, we have transistors, an SDR and a camera, and so on. So, you can compare with a one euro coin, okay?

And this is the VoCore2. I think this is the smallest board on the market that runs Linux and has Wi-Fi. And yeah, that's the specifications, and we have one core of CPU. Three serial ports, and the most important thing is PWM ports. There are four. There are four ports of pulse-width modulation, okay? Those ports are used to control the motors without any other integrated circuit. Just because it has to be small, it has to be cheap. We have to take advantage of all the hardware stuff, okay?

So, we need four PWM signals to control the motors, one for each one. And they have a hard real-time constraint. We cannot emulate, or it's very difficult and uncomfortable to emulate, those signals with the quality required to make the drone work. So, we have four channels available, but only two are enabled by the manufacturer. We have to enable the other ones. But what happens with the other two? They are the serial debug console. Good job, right? Okay. So, we have to disable the serial port for debugging and enable all the four pins. I went to the forum.
The guy that designed the VoCore is answering questions. And one guy asked to enable these pins and the guy answered, oh, it's a hard way. Well, you have to download the open Linux source from VoCore. Second, find the DTS in the source, try to understand the pin control. And you have to understand some kind of stuff. And then you make magic, okay? And you will be a good Linux hacker, okay? What the fuck? Thank you for nothing, guy.

So, here you have all the stuff that you need to enable and disable all the stuff. You have the UART pins defined. You have the pinmux, okay? This is a muxer, an interconnect inside of the system on chip. You have to wire functions with outputs, because the chip has more functions than outputs and you assign a function to an output. So, you have to reassign, disable the UART and enable the pulse-width modulations. We have to redefine those pins. We call, I call, PWM pins. We have the first one, the zero, the one, done. They are already defined. But I'm going to define the other two. That is called UART2 PWM. The group is UART, but the function is PWM. Additionally, in the I2C bus, I attach a sensor to take into account the battery, okay? We disable UART and we enable the four channels. Well, this is only for your information, from the data sheet, where I found the information to change that.

The power stage is a MOSFET. That means my work pretending to know what I'm doing with an oscilloscope. There is my personal version of an electronic speed controller, okay? This is the oscilloscope, because with brushed motors, we have to deal with a counter-electromotive force. Because when the motor is spinning, I have to power it, but a motor acts also as a generator and puts current in the circuit, a reverse current. So, I have to cancel it with a capacitor and a diode and a Schottky diode.

This is the PID tuning. This is the worst part of building a drone. You have to tune it from 0, 0, 0, okay?
I'm going to explain the Wi-Fi architecture of this drone. That is not a regular Wi-Fi drone, because it works as a beacon frame-based communication. That's because if you are not authenticated to any network, you cannot be deauthenticated, okay? Nobody comes here to do a deauthentication attack and deauthenticate my drone. Because it's not authenticated to anything.

We have a joystick. The joystick is not a fancy RC drone remote. And we have a pilot side, that is my laptop with an additional Wi-Fi adapter. So, my communication protocol is based on beacon frames. So, in the payload of those beacon frames travels all the data from my remote, from my joystick, to the pilot, and reverse. You turn on your laptops or mobiles, you will see two networks. One called Interceptor and the other one called Piloto or Pilot. They are fake networks, okay? One network is generated by my laptop and the other network is generated by the drone. Both sides are designed to listen to each other and, well, for control and telemetry, as you can see on that slide, protected with an encryption algorithm because, if not, we are not doing nothing.

So, this is the packet format. And you can see all the stuff of the encryption algorithm. We have an initialization vector. We have a command, a sequence number, and an integrity check. So, they travel inside the beacon frame.

So, I would like, we can turn on the drone. I will put it on the ground for my safety, not for yours. Maybe I'm going to change the battery later. I have to change the battery. I will try here. Well, well, it starts again.

I'm going to explain to you a particular characteristic of this protocol, because it allows me to change the channels of the Wi-Fi, of both Wi-Fi, the drone and the pilot, while I'm flying it without losing control. That's because the Wi-Fi adapters, they are not perfect. So, if you are on channel one, you are listening to packets from channel two, for example.
This protocol takes advantage of this, because if I want to change the channel of the drone from channel one to channel five, I tell the drone, change to channel two. Okay. The drone acknowledges that. Okay. And channel two, change to channel two. So, both pilot and drone are in channel two. So, they are in a loop, changing channels, each other, until they reach channel five, or the target channel that I set.

This is the interface. Well, there's some common stuff of this web interface. The interface is created on the laptop. They have to receive the beacon frames. They turn into a WebSocket packet, and they are seen on the web page.

So, I want to show you a video. This is the interface and the drone. And there are the networks in my house. The drone keeps auditing the networks, but I can control the drone while the drone is attacking the networks with Bully. Okay. So, there are so many networks on the air. And I am changing the channel of the drone. Well, you see, they are negotiating with each other the change of the channel. You can see that here, here. Channel eight, both. Okay. And they change seamlessly. Okay. I don't lose the control. That's because I don't want to put an extra adapter, an extra Wi-Fi adapter, on the drone. Okay. Because it's very expensive. It's extra weight on the drone, especially.

Are you safe? It's almost okay. I'm not a very professional pilot indeed.

But, well, the other investigation that I'm doing with this is to prove that anybody is able to build a drone with a custom flight controller, like mine. This is all programmed in C, both the stabilization program inside the VoCore and the communication protocol. I'm working right now on an extra fallback communication system based on SDR. Okay.
Just in case a drone jammer detects my network, because my network, you can see as a pilot or as an interceptor, but they can change to be the same as the nearby networks. Okay. That is to hide the presence of the drone.

So, another protocol is a fallback protocol based on FM, that selects an arbitrary frequency inside the range and starts transmitting if the pilot detects that no more telemetry comes from the drone, that the link is broken. So, it transmits with an arbitrary frequency, and the main motive of this project is that transmitting on illegal frequencies is the least problem for bad guys. If you are to do bad things, the least of your problems is to transmit on FM. Okay. So, this is a warning to drone manufacturers, because I still keep sending commands to the drone even without Wi-Fi, using a Raspberry Pi radio transmission with the rpitx project. Okay. As a proof of concept.

So, I'm selecting the frequency dynamically. So, we survey the spectrum and I detect the peaks and the valleys, and then I select the best suitable frequency.

So, the fallback FM-based communication. We have the joystick, they are limited to four-byte packets and they are transmitted with FSK modulation using the minimodem project, and they turn into RF format. Okay. They are an FM modulated transmission and they are on air by Raspberry Pi. So, an SDR dongle on the drone captures that frequency and makes the reverse path. Okay. We have an audio capture and we have to demodulate that packet with the same minimodem, but compiled for the architecture of the drone, that is MIPS. And we have the four-byte format for flight control. Okay.

Okay. That was the demo. You can see, I'm like Porkins. Okay. I would like to explain more, we have more time.
I would like to explain a little bit more what method I follow for PID tuning, because it's the hardest part of making a drone. I attach it to a test bench, professional grade, also with chopsticks. Okay. And other parts, other home parts, as you can see. So you have to tune the P, that is the proportional gain. It's a, we stay here. If the drone stays here and I want it to stay straight, the error is zero. If it moves, the error changes. So we have to multiply the error by the proportional gain. Okay. We have one force. The second force is the integral term. So I have to take into account how much time the drone is in another stage. Okay. And the derivative term takes into account the speed at which I'm reaching the desired position. Okay. Those values multiply with a gain. We have a real control of the drone. This is my paper to see you.

So as conclusions, I'd like to show you the conclusions. Okay. We have a ridiculously small size, weight and cost. This will turn to the next point. Hardware hacking from scratch. Even you can track if you buy a router. Cops can track that you are building a drone for bad or for good. Okay. So we have side hidden channels communication as a central philosophy. No vendor or 3G/4G communications. We keep the cost low because we are using Wi-Fi also. But we have professional capabilities to keep the communication safe, or as safe as we can. If an expected attack is performed or all the Wi-Fi spectrum is jammed, we have a fallback system to keep the drone controlled. And we have people can steal us. We also have hacking capabilities to hack other Wi-Fi networks, pentesting and so on, keeping only one adapter on the drone. Okay. With the same adapter, we have traveled throughout all the Wi-Fi channels. And a fallback control based on an SDR protocol.

So I would like to thank you for staying here, and if you have any questions. So thank you very much.