Unchained Skies: A Deep Dive into Reverse Engineering and Exploitation of Drones

Presented at REcon 2023, June 10, 2023, 11 a.m. (60 minutes)

Our talk dives into the security of consumer drones from market leader DJI and exposes how to analyze, reverse engineer, and exploit such cyber-physical systems. In this process, we uncover various vulnerabilities in DJI drones, show how to bypass vendor signatures, become root, or even crash the drone mid-flight. Consumer drones enjoy great popularity due to their high versatility and great camera. While drones can be a fun toy, they also carry the potential for misuse in illicit and hazardous situations, where security and privacy matters to the drone operators. To prevent their deployment in such scenarios, drone manufacturers, such as DJI, routinely incorporate countermeasures that restrict flight in designated areas and impose limits on parameters like speed or altitude. In our talk, we will guide you through our security analysis of these drones, beginning with an examination of the signals they emit, as well as a brief discussion on DJI's DroneID—a signal that continuously transmits the location of both the drone and its operator. Subsequently, we dive into our reverse engineering of DJI drones, illustrating how we scrutinized these devices, from their wireless physical layer and hardware components to their firmware. To complement our manual reverse engineering efforts, we showcase how hardware-in-the-loop fuzzing can be used to reveal vulnerabilities across various drone firmware components. Throughout our talk, we will unveil a series of security weaknesses that enable an attacker to circumvent signed firmware updates and upload custom code, obtain root privileges on the drone, or even cause the drone to plummet mid-flight through the operator's smartphone.

Presenters:

• Nico Schiller
  Nico Schiller is a PhD student and security researcher at CISPA Helmholtz Center for Information Security, specializing in analysis, reversing engineering, and exploitation of consumer drones. He has a keen interest in fuzzing and wireless physical layer analysis, and his research aims to identify and address vulnerabilities in drone technology to improve overall security
• Moritz Schloegel
  Moritz Schloegel is a binary security researcher at the CISPA Helmholtz Center for Information Security. He is currently in the last year of his PhD and focuses on automated finding, understanding, and exploitation of bugs. Furthermore, he possesses a deep passion for exploring the complexities of (de-)obfuscation, emphasizing automated deobfuscation attacks and their countermeasures.

Links:

• https://cfp.recon.cx/2023/talk/HLHH89/

Similar Presentations:

• DeepSec 2018 „I like to mov &6974,%bx“ / Drones, the New Threat from the Sky
• DEF CON 25 (2017) / Game of Drones: Putting the Emerging "Drone Defense" Market to the Test
• DEF CON 24 (2016) / Drones Hijacking - multi-dimensional attack vectors and countermeasures