Drones Behaving Badly

Presented at

Oct 21, 2014

Mar 20, 2015

@SecureUtah

Hello!

• a review of the capabilities and interesting applications of the consumer / hobbyist variety of airborne devices
  • for discussion of the gov't kind, see John Oliver

• meant to stir your imagination
   
• a wake-up call

This presentation is:​

Drone, UAV or UAS?

• ACLU:  Drone -  Use the term that people would most clearly and directly understand 

• Media: Drone vs UAV - We report, you decide

• AUVSI (trade group): UAS - DontSayDrones

• FAA: UAS - They insist on this term

It depends on who does the talking - ​

Objectively defined:  a drone is some kind of flying machine that does not contain a person inside, and it can do anything from take your picture to end your life

These kinds of drones:

How mainstream?

How did we get here?

Military research!

• Offspring of 9/11
  • ​the mass-market drones we see today are descendants of the R&D that poured into satisfying the U.S. military's demand for more and better combat and recon UAVs
  • aka Trickle Down Warfare - Alex Stamos @ RSA2013

• 2012: The rise of quadcopter drones
  • Autonomous navigation, wireless charging, onboard tracking, crowd-sourced software, open source hardware

Drone Problems:

Criminal mischief

• Graffiti drone by KATSU; another project on GitHub
• Extortion - thermal cameras to find indoor grows
• Smuggling contraband into prisons
   
• Narco drones 
  • ​2010 - disposable unmanned planes
  • 2012 - DEA registers 150+ flights
  • 2013 - reusable; assembly-line mfg
  • 2013 - use-case predictions
  • 2014 - GPS-controlled drone carrying meth crashes

Drone Problems:

Less-than-lethal

• 2010 - CBP considers adding non-lethal weapons
   
• 2014 - CUPID combines drone + 80,000 volt Taser
   
• 2014 - Skunk riot control drone
  • Strobe lights, loudspeakers, thermal camera, HD camera, full telemetry to operator
  • 4 paintball guns shooting 4000 paintballs at 80/s = 50 seconds until empty
  • sold to African mining companies and Turkey
  • about $44,000 each

Drone Problems:

Swarms

• Coming in 2015: The Battle of 100 UAVs
   
• USOD proposes study into low-cost, expendable systems
   
• Q: What happens when you plan a UAV swarm* attack?
• A: You get 17 years of Federal prison and 10 years of supervised release, provided your explosives are delivered to you by the FBI.
   
• ...or it might not be that bad

Drone Problems:

Evildoers

• How much would it cost to swarm a target with enough drones to ensure neutralization?
  • Suicide drones - LMAMS vs UAV-IEDs​
     
• ISI-whatever is using DJI Phantoms for surveillance

• Kurdish forces in Syria are shooting them down

Drone Problems:

Surveillance, Privacy and Safety

• These concerns have dominated most of the discussion about how drones will disrupt society.
• People don't like to be watched from above:
  • Peeping drones - 26th floor; 36th floor
  • LAPD doesn't like drones over their buildings
  • Quadcopter pilot attacked
  • Ad company tracks cell phones in LA
• Drones fall on people
  • ​Manhatten; Triathlete runner; Kanye
• Drones are getting too close to planes and airports and helicopters and planes and....

Drone Problems:

Oops

• Consumer drone breaches the White House
• Did the Secret Service jam the drone's control channel?
• Don't drunk & drone
• DJI pushes out firmware update to restrict based on GPS
• Update is buggy
• Secret Service conducts readiness drills

• Alternate theory:

Drone-assisted IT attacks:

• 2010:  Wireless Aerial Surveillance Platform
  • ​DEFCON 19
     
• 2010:  SkyNET
  • ​drone surveys and then attacks WiFi 
  • drone acts as botnet C&C
     
• 2011-2012:  UAVforge.net
  • 140 teams competed - none succeeded 

Published research 

Drone-assisted IT attacks:

• 2013:  Ricky Hill at DEFCON 21 - ​DJI Phantom to carry payload & conduct surveillance
   
• 2013:  Quadcopter as pentest tool - Parrot A/R
   
• 2014:  Hak5's Pineapple Drone - DJI Phantom
   
• 2014:  Snoopy drone  - DJI Phantom + Snoopy software from 2012 that records probe requests & SSID names to profile, geo-locate & MITM the device owner​

Published research 

Drone-assisted IT attacks:

Drones + InfoSec = a naming opportunity

CompTIA Drone+

Certified Ethical Droner

Offensive Drone Security Professional

Airborne Penetration Threat

Red Team: Paratrooper Squad

Aerial Intrusion Detection System

Drone-Assisted Rapid Penetration Attack

Just another tool

How else can a drone be used in combination with existing tools?

Airdrop an evil payload!

Drone-assisted IT attacks:

Drone:  Quadcopter + FPV Camera + deployment / retrieval

Missing:  PoC and catchy name

Payload:  RasPi + Kali Evil AP w/ 3G access + LUKS + Battery / Solar / Leech

Just another tool

• RFID scraper
• WiFi range extender (yours or your neighbor's)
• Network hops on demand, solo or swarm
  • Movable hop to thwart tracking or obfuscate geolocation
  • WiFi canary - it goes down / gets busted, you escape
• High-rise penetration
  • fly up to the CEO's window, plant a solar-powered RasPi EAP
  • perch on the roof/balcony, scan a hotel during a conference
  • removes the need to physically be inside - no cover ID, no security cam footage, no money trail

Drone-assisted IT attacks:

Just another tool

• Air-numeration
  • Survey tall buildings with the greatest of ease
  • No need to social engineer your way in past the guard
• Targeted harassment
  • De-Auth / jam APs, relocate - support staff slowly goes mad
  • Denial of Service - use a swarm for Distributed DOS
  • Diversion while other actions are carried out
• Site survey
  • before & after, thermal inspection, physical security vulns
• Hack yourself first

Drone-assisted IT attacks:

• Assume your device will be compromised at some point
  • Iran downs a US surveillance drone

• Burner drones are not sold via Tor hidden services... yet.
   
• OpSec for Security Researchers
   
• Hacker Tradecraft

Drone-assisted IT attacks:

OpSec, aka Where Did It Land???

Drone Solutions:

Emergency / Search & Rescue

• Emergency communications via WiFi enabled drone
   
• Extreme Access Pocket Flyer - remote inspection of collapsed structures and tunnels
   
• Equusearch - volunteer search-and-rescue group fights FAA sanctions and finds missing man in 20 minutes 
   
• Iranian drone lifeguard drops preservers to swimmers

Drone Solutions:

Activism

• Quis custodiet ipsos custodes?  Drones mounted with HD cameras and FPV could record riots, protests, and police or government action remotely, keeping the operator safe and greatly reducing the threat of device confiscation or witness intimidation.
   
• Animal rights groups take to the air to bypass Ag Gag laws, but not without casualties
   
• Art vs Predator drones - #NotABugSplat

Drone Solutions:

• 49 quadcopters with LEDs flying in formation
• Modern dance + quadcopters
   
• Car-mounted drone to check traffic ahead
• Auto-follow drones - AirDog; The Pocket Drone
   
• Game of Drones - Flight Club, Aerial Sports League
  • Airframe torture test
  • Paintball Drone Gunship​
     
• ​FPV drone racing through the woods
• FPV quadcopter with Roman Candles vs your friends

Fun & Ingenious

Drone Solutions:

Commercial

• Delivery services by Amazon and Google
   
• GoFor - drones on demand / Drones as a Service
   
• Lost?  Summon SkyCall
   
• SkyCatch
   
• Disney files for three drone-related patents
   
• Drones.VC - only invests in drone-related start-ups

Drone Solutions:

Possibly Beneficial Military Research

• U.S. Air Force releases terrifying video of tiny flybots that can can hover, stalk and even kill targets, aka Micro Air Vehicles
   
• Hunting Mines Via Drones
   
• DARPA's Mobile Hotspots for the battlefield
   
• Military-grade, 3D-printed drone

Drone Defense:

Needs work

• NoFlyZone - blacklist your geolocation
   
• Shoot it yourself
• Net Guns
   
• SkyJack - de-auth then take control
• Maldrone - software payload
   
• Lasers - Israel's Iron Beam
   
• Black Dart - USA's annual counter-UAV exercise

Get a drone:

Read, learn, buy

• How The Drone Age began
• Newbies guide to UAVs
• Getting started with drones
• @DroneSafely
   
• 3DRobotics; DJI Phantom 2; Parrot AR.Drone
• UAVDronesForSale.com
   
• Small thermal cams for Android and iPhones

Get a shirt

Drunk Predator Drone

My Little Droney

Dress to Impress

Legal:

Seriously, don't fly here

Don't fly here

Legal:

Utah SB167 signed into law April 1, 2014 

             68          63G-18-103. Warrant required -- Exceptions.
             69          (1) A law enforcement agency may not obtain, receive, or use data acquired through an 
             70      unmanned aerial vehicle unless the data is obtained:
             71          (a) pursuant to a search warrant;
             72          (b) in accordance with judicially recognized exceptions to warrant requirements; or
             73          (c) subject to Subsection (2), from a person who is a nongovernment actor.

New Utah law

Legal:

Utah SB167 signed into law April 1, 2014 

             74          (2) A nongovernment actor may only disclose data acquired through an unmanned
             75      aerial vehicle to a law enforcement agency if:
             76          (a) the data appears to pertain to the commission of a crime; or
             77          (b) the nongovernment actor believes, in good faith, that:
             78          (i) the data pertains to an imminent or ongoing emergency involving danger of death or
             79      serious bodily injury to an individual; and
             80          (ii) disclosing the data would assist in remedying the emergency.

New Utah law

Legal

• The Catholic Church gets an exception
   
• The FAA is trying to ban FPV drone flights
   
• The FAA says that toy is now a drone
   
• North Carolina outlaws drones for hunting & fishing
   
• National Park Service bans drones

National laws are all over the place

Legal:

• A small UAS operator must always see and avoid manned aircraft. If there is a risk of collision, the UAS operator must be the first to maneuver away.
• The operator must discontinue the flight when continuing would pose a hazard to other aircraft, people or property.
• A small UAS operator must assess weather conditions, airspace restrictions and the location of people to lessen risks if he or she loses control of the UAS.
• A small UAS may not fly over people, except those directly involved with the flight.
• Flights should be limited to 500 feet altitude and no faster than 100 mph.
• Operators must stay out of airport flight paths and restricted airspace areas, and obey any FAA Temporary Flight Restrictions (TFRs).

New FAA rules

A framework of regulations

Predictions

• Batteries are the biggest anchor on drone development. Once battery and/or recharging tech advances to a point where a sub-$100 device can stay airborne for days by recharging as it flies...
   
• Highly autonomous drones - perform mission, recharge, repeat, repeat, repeat
   
• Privacy debate will get louder and more entertaining
   
• FAA regulations will restrict off-the-shelf device capabilities

Conclusion

Just another tool

• A tethered 'watchdog' drone, armed with a 10 lb paintball gun, four 2000-ball hoppers weighing 64 pounds, and a cam linked to a laptop running motion-detection software.  You have an overly-complicated yet awesome anti-crow system, anti-trespasser system, or a fun addition to the Scout Camp obstacle course.
   

• How many of you have a child age 9-13?  You just got them their own emergency escape vehicle.  Link 2 or 3 together, now an adult has a controlled descent from the top of a burning building down to the ground.

Skunk riot control drone carries 40 kg / 88 lbs:

Thank you!

Much thanks to the authors of all the source material I linked to.  This presentation wouldn't have been possible without their research, writing, and experimentation.
 

Huge thanks to BSidesSLC for the opportunity to speak and to all of you for attending!

dronesbehavingbadly.com