Foreword
It is a sad thing for any of us to be cheated of our hard-earned money by criminals. With the rapid development of the Internet of Things (IoT), remotely controlled devices have become an indispensable part of daily life. But along with the convenience comes an obvious drawback: they can also be used by criminals. Have you ever thought that an attacker might sit at home and fly your device right into their hands? Do you think that is impossible? We have successfully hijacked a DJI Spark drone and turned that assumption into reality. Let's see how we did it!
1. Introduction
For a long time, DJI drones have attracted the attention of hackers. They are mainly interested in unlocking certain functions, such as setting a higher control channel frequency or removing flight altitude limits and no-fly zones. There is also information about jailbreaking the drones. Public knowledge can be found on GitHub and in wikis.
Spark is one of DJI's non-professional drones, released in 2017 as a consumer drone for amateur aerial photography. In some respects it is inferior to other models: for example, it can fly for only 16 minutes on a full battery. But at $499 it is cheaper than the Phantom 4 and the Mavic.
Spark is built around a Leadcore LC1860C ARMv7-A CPU running Android 4.4. Update files have a .sig extension and are signed with RSA-SHA256; some of them are additionally encrypted with AES. Other researchers have already disclosed this AES key, so the image.py tool linked at the end can extract the encrypted sections from the files. The drone firmware contains a large number of native applications that keep the device running.
DJI Spark has a set of external interfaces:
- USB, for connection to a PC;
- a flash connector, for expansion;
- Wi-Fi, through which the mobile application controls the device;
- a remote controller operating at 2.412-2.462 GHz.
DJI also provides the DJI Assistant 2 application. It connects to the drone over USB from a desktop computer to update its firmware, change Wi-Fi network settings, and so on.
While browsing community resources, we found the websocket_tool.py script, which changes the maximum altitude of the drone. Each request writes a new value through a WebSocket server started by DJI Assistant 2. In other words, the application has two interfaces:
- a graphical user interface;
- a WebSocket interface.
It is easier to infect a system from a computer its user considers safe than by traditional methods; this is how phones connected to a PC get infected with all kinds of malware. So we decided to replicate this scenario and study the WebSocket interface carefully.
2. WebSocket server
We installed the latest version of DJI Assistant 2, 1.1.6, and connected a DJI Spark with firmware v01.00.0600 to the computer. Let's try to access the WebSocket server. To talk WebSocket, we use the wsdump.py tool from the websocket-client package.
The server response indicates that there is no service at ws://victim:19870/. After running the websocket_tool.py script, we found a valid URL: ws://victim:19870/general.
As you can see, the server can be used without authorization. But its responses are encrypted, which means the interface is intended for DJI software rather than for users. So the question is: what does it transmit? Let's see how messages between the client and the server are encrypted. When analyzing an older version of DJI Assistant 2, we found that it communicated with the server in plain text. Encryption was introduced in version 1.1.6, which is why the scripts from community resources do not handle it.
3. Encryption algorithm
First, we examined the properties of the ciphertext. It stays the same every time the application is restarted; rebooting the drone does not change it; running on a Mac gives the same result. This shows that the encryption key depends neither on the session nor on the operating system, so we assumed it is hard-coded.
The WebSocket server code lives in the websocketserver.dll library shipped with DJI Assistant 2. With tools such as the Krypto ANALyzer plugin for PEiD, we identified the algorithm, AES, and located the encryption routine.
Even with little knowledge of AES, you can determine how it is used: compare the decompiled code with open-source AES implementations on GitHub. We found that CBC mode is used. By analyzing cross-references, we located the code that initializes the encryption key.
4. Cracking the interface
All we need to do is add encryption and decryption of the transmitted data to the wsdump.py script, and we get the decrypted data the application sends to us. Our modified wsdump.py is in our GitHub repository.
Besides information about the application version, device type and so on, the response contains a list of URLs of drone management services.
These services can be driven remotely through the WebSocket interface.
5. Planning an attack
Even without a dedicated controller, DJI drones can be controlled from a smartphone. Controllers are sold as part of the Spark Combo package or separately; without one, the smartphone application is the only way to control a DJI Spark. The drone creates a Wi-Fi hotspot protected by WPA2. A phone connects to this hotspot to control the drone, but only one user is allowed to connect at a time. We ran a series of experiments deauthenticating the pilot from the Wi-Fi hotspot. If the drone loses the pilot's signal while flying at low altitude, it eventually lands. But if the pilot is deauthenticated after the drone has reached high altitude, the device behaves strangely: it increases RPM and climbs higher. So a tether was needed to keep the drone from flying away like a pigeon. The tether we used in the experiment was not long enough to check the maximum altitude the drone can reach. It turns out that Spark is a prisoner of its wireless network.
The WebSocket interface grants full access to the Wi-Fi settings. By connecting over the network to a computer on which the WebSocket server is running, an attacker can view the Wi-Fi settings and connect to someone else's drone. And if the settings are changed, the drone loses its connection with the user, so the attacker becomes its sole owner.
In summary, a typical attack scenario looks like this (we copied the JSON command format from the GitHub script).
To carry out the attack, cyber criminals infect the victim's system and wait for the drone to be connected. On the victim's computer they watch for DJI Assistant 2 to start; the exact moment can be determined by monitoring port 19870. They then connect to the WebSocket server ws://victim:19870 and perform the following operations to change the password of the drone's Wi-Fi hotspot:
1. Request ws://victim:19870/general and take the FILE value from the server response:
"FILE":"1d9776fab950ec3f441909deafe56b1226ca5889"
2. Send the following command to ws://victim:19870/controller/wifi/<FILE>:
{"SEQ":"12345","CMD":"SetPasswordEx","VALUE":"12345678"}
3. The Wi-Fi password is now changed without the victim's knowledge (the original post shows the hotspot settings before and after the change).
4. For the change to take effect, reboot the Wi-Fi module:
{"SEQ":"12345","CMD":"DoRebootWifi"}
5. Connect to the drone from a smartphone.
6. Wait for the USB cable to be unplugged and hijack the drone.
This scenario was tested on the DJI Spark, but it should apply to all drones compatible with DJI Assistant 2; the list is given in the release notes.
This type of attack works on all supported operating systems with default firewall settings, over both wired and public wireless networks. To avoid running all the steps manually, here is our PoC.
USB and the Internet of Things
Today almost every smart device is connected over USB to a PC or laptop to upload files, update firmware (many devices can only be charged over USB) and for other everyday tasks. This is a serious threat, because an infected computer can easily infect the device: criminals can change its settings as they please or upload malicious firmware, and when the device is later connected to another PC or laptop the infection spreads further.
In the IoT era this problem will only get worse, so smart-device developers should pay close attention to the connection scenario and design authentication and authorization mechanisms along with trusted boot of signed firmware. Otherwise, once a smart car is infected through such an interface, its owner may end up paying a ransom to criminals.
Timeline:
- 09/25/2017: first notification about the vulnerability sent;
- 09/28/2017: technical details sent;
- 10/12/2017: vulnerability number and reward received;
- 12/20/2017: reward paid.
Conclusion
DJI is considered the leader in the consumer and commercial drone market. According to Wikipedia, it holds a huge share of the consumer drone market and by 2021 will produce about 4 million drones. Vulnerabilities in its drones are therefore very dangerous: they affect a large number of users and organizations. This has already happened, for example with SSL keys and XSS vulnerabilities. And after a drone crashed on the South Lawn of the White House, the U.S. Army banned DJI drones.
The attack described above is possible because of the following security problems in DJI software:
1. The WebSocket server listens on all network interfaces.
2. A hard-coded encryption key is used for communication with the WebSocket server.
3. No authorization is required to use the WebSocket interface.
4. Data can be easily obtained.
The Wi-Fi attack can hijack a drone, but the impact may be broader: the WebSocket interface has many functions, which may allow an attacker to change other drone settings or access confidential data.
GitHub tools:
- https://github.com/embedi/dji-ws-tools/blob/master/dji_wsdump.py
- https://github.com/fvantienn/dji_rev/blob/master/tools/image.py
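As an added example (our own illustration, not code from the original research or from DJI), the first of these problems can be checked on a host by parsing netstat output and flagging the DJI Assistant port whenever it is bound to a non-loopback address. The netstat sample below is constructed and mixes Windows and Linux row layouts to show both are handled.

```python
import ipaddress
from typing import Dict, List

# Port of the WebSocket server that DJI Assistant 2 starts (value from the write-up).
DJI_WS_PORT = 19870

# Constructed netstat-style output for illustration; not captured from a real host.
# Windows rows end in "LISTENING", Linux rows in "LISTEN" and carry two extra columns.
SAMPLE_NETSTAT = """
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:19870          0.0.0.0:0              LISTENING
TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
tcp6   0      0 :::19870      :::*                   LISTEN
TCP    192.168.1.5:52311      104.16.1.1:443         ESTABLISHED
"""


def parse_listeners(text: str) -> List[Dict[str, object]]:
    """Extract address and port of every listening TCP socket from netstat output."""
    listeners = []
    for line in text.splitlines():
        tokens = line.split()
        # Only TCP rows in a listening state; the local address is third from the end
        if len(tokens) < 4 or not tokens[0].lower().startswith("tcp"):
            continue
        if tokens[-1] not in ("LISTEN", "LISTENING"):
            continue
        addr, _, port = tokens[-3].rpartition(":")
        listeners.append({"addr": addr.strip("[]"), "port": int(port)})
    return listeners


def is_exposed(addr: str) -> bool:
    """True if a socket bound to this address accepts connections from other hosts."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or not ip.is_loopback


def audit_dji_ws(text: str, port: int = DJI_WS_PORT) -> List[str]:
    """One finding per listener on the DJI Assistant port that is not loopback-only."""
    findings = []
    for entry in parse_listeners(text):
        if entry["port"] == port and is_exposed(str(entry["addr"])):
            findings.append(f"port {port} bound to {entry['addr']}: reachable from the network")
    return findings


if __name__ == "__main__":
    for finding in audit_dji_ws(SAMPLE_NETSTAT):
        print(finding)
```

Feed it the real output of `netstat -an` (Windows) or `netstat -ant` (Linux) while DJI Assistant 2 is running; a loopback-only binding (127.0.0.1 or ::1) produces no finding.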