HoneyDrone: a medium-interaction Unmanned Aerial Vehicle HoneyDrone: - PowerPoint PPT Presentation

HoneyDrone: a medium-interaction Unmanned Aerial Vehicle HoneyDrone: a medium-interaction Unmanned Aerial Vehicle HoneyDrone: a medium-interaction Unmanned Aerial Vehicle Honeypot Honeypot Honeypot DISSECT 2018 DISSECT 2018 DISSECT 2018 Co-funded by Co-funded by Co-funded by the European Union the European Union the European Union Jörg Daubert, Dhanasekar Boopalan, Max Jörg Daubert, Dhanasekar Boopalan, Max Jörg Daubert, Dhanasekar Boopalan, Max Mühlhäuser, Emmanouil Vasilomanolakis Mühlhäuser, Emmanouil Vasilomanolakis Mühlhäuser, Emmanouil Vasilomanolakis Logos CC-BY-SA by Peter van Driel Mert Güler, BomSymbols, Les 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 1 22.04.18 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 1 22.04.18 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 1 vieux garcons, Adrien Coquet, fredley

Drones. And why the hack they are relevant in distributed network security. INTRODUCTION 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 2

A history of drones (1) Military § 1849 unmanned balloons § 1916 Areal Target (radio controlled!) Civil 2006 MD4-200 § 2006 Foundation of DJI § 2009 Foundation of 3DR § § 2013 DJI Phantom 1 § 2015 Drone Racing MultiGP & DRL § 2016 Intel 500 Drone Light Show 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 3

A history of drones (2) Commercial • Transport (package drone) • Forest and agriculture • Infrastructure maintenance 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 4

What we know about drones so far Different types of drones—land, water, air Radio-driven devices get hacked § Model à drone à UAV à UAS § 2011, SkyJack, http://samy.pl/skyjack/ § Focus and correct term here: UAV / UAS § 2016, AR.Drone 2 Wifi Attack, https://github.com/markszabo/drone-hacking Mayhem: Bebop Wifi Attack, DroneJack, § Command & Control Bebop Dissabler, DeviationTX Live (radio) control § NRF24L01 Hijack, ICARUS, Nils Rodday Planned missions (with monitoring) à radio § Attack , Drone Duel, Fb1h2s Maldrone, Aaron Police UAS Luo DJI Phantom 3 hijack, Voidsec Hacking DJI WEP Wi-Fi UAS are networked systems Phantom 3, DJI Spark hijacking, Sololink Hack, Drone Hijacking by Arthur Garipov, […] § Ground stations, mission control, swarms 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 5

How to stop these attacks? Our track record Make drones more secure? § TraCINg § Doh! See attack history. Intrusion Detection Systems (IDS)? Where to put? § HosTaGe § Honeypots? 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 6

Very short. BACKGROUND 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 7

Drone Radio – Protocols Drone Network Application MicroDrone MD4-200, … 2G, 3G, ? ? Parrot AR.Drone 2, Bebop IEEE 802.11 FTP, Telnet, SSH, MAVLink 2, Rolling Spider Bluetooth 3DR Iris, Solo IEEE 802.11 MAVLink DJI Phantom 3,4, … IEEE 802.11 Telnet, FTP, SSH LightBridge Globe UAV Copter 7, 8 LTE ? Others IEEE 802.11 MAVLink IEEE 802.15 UAVCAN SiK Radio (433 MHz, …) ? Wi-Fi—drone specific: vendor BSSID, predefined ESSIDs, IPs, predefined security MAVLink 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 8

Some MAVLink Background Message example: <message id="150" name="RUDDER_RAW"> <description>...</description> <field type="uint16_t" name="position">...</field> <field type="uint8_t" name="port_limit">...</field> Marshalling / serialization library § [...] Low overhead (8 Byte / packet) § </message> Over various transport protocols (UART, § UDP, TCP) Grew over time: now version 2, point-2-point, § multicast, pub/sub, CRC, delivery guarantees 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 9

Related Work § Heralding (credentials) § HoneyBot, http://www.rh.gatech.edu/news/604462/robot- § Kippo (SSH) designed-defend-factories-against-cyberthreats § Kojoney2 (SSH) Cowrie (SSH, Telnet) § HosTaGe (mobile) § HoneyPy (Web, Telnet, TFTP, SIP, …) § HoneyWRT (Telnet, VNC, RDP, …) § § Bluepot § […] No MAVLink! Hardly Wi-Fi specific. 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 10

Some background and how it works. HONEYDRONE 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 11

HoneyDrone Design Network Interface Emulator ( NIE ) More software GNU/Linux Services Wi-Fi SiK § Python HostAPd [...] Bluetooth [...] Twisted framework § PyMAVLink (+ MAVLink) § UAV Emulation PyMongo § Services UAV Profiles Connection MAVProxy § MAVLink Telnet Guard AR Drone 2 [...] § Arducopter (+ SITL) SSH FTP [...] Filesystems UAV File Systems HoneyDrone DB MongoDB AR Drone 2 Phantom 3 [...] 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 12

HoneyDrone Capabilities § Low power (3-5 Watt) § Portable (a UAV can carry HoneyDrone) § Can lure attacks away from real UAVs (Uses the same Wi-Fi as the SkyJack attack) § Emulate § AR.Drone 2 § Custom UAVs § 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 13

Brief Evaluation (1): Telnet AR.Drone 2.0 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 14

Brief Evaluation (2): MAVLink Pixhawk Attacker stealing UAV 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 15

Conclusion Summary Next § Commercial drones besides recreational ones § Support more radios 1 st honeypot for drones / UAVs § § Multiple instances 1 st honeypot to support MAVLink release § § Focus on emulating drone Wi-Fi § Profile support for common drones § Dr. Jörg Daubert Filesystems of drones § Senior Researcher | Area Head Coordinator RTG 2050 § Can emulate a real flight controller +49 6151 16-23191 TU Darmstadt Phone Demo session on Wednesday +49 6151 16-3052 Hochschulstraße 10 www.tk.informatik.tu-darmstadt.de Fax 64289 Darmstadt/Germany daubert@tk.tu-darmstadt.de 04.03.19 | SPIN | TK Lab | CYSEC – Cybersecurity [at] TU Darmstadt | 16