How To Set Up A Drone Vulnerability Testing Lab

Most of the people I know who are into IT security want to hone and enhance their skills in areas like IoT, SCADA or Drone vulnerability testing. When it comes to drones they have doubts and problems like:

  • They don’t have any drone to use as a target.
  • They thought that a drone is costly.
  • They don’t know what drone is vulnerable, how to perform attacks or drone vulnerability testing/exploit methodologies.
  • They have questions like, “Is legal to fly a drone?””Do I need to register my drone?”.
  • They thought that needed hacking tools (hardware) are expensive.

If you have limited resources, the best thing to do is buy some low-priced drones with already know vulnerabilities to replicate before research your own drone zero-day. I have selected a pair of toy class drones vulnerable to different attacks, affordable, and are below Federal Aviation Administration drone registration limit of 0.55 pounds (250 grams). Do not be fooled by their size, their vulnerabilities are exactly the same type as full size commercial drones.

Following are the stuff needed for setting up our drone pentest lab:

CX-10 Micro Wifi quadcopter

Cheerson CX-10W Wifi Micro Quadcopter

One of the most popular first quadcopters happens to be the Cheerson CX-10. The design has turned out to become so popular that a tonne other variant, including CX-10W which happens to be the world’s smallest First Person View (viewing and/or recording real time video stream to your phone or tablet) drone.

CX-10W Control App

Interestingly, similar to bigger drones as Parrot AR or 3DR solo , CX10W is operated from mobile applications (Android and iOS) connected to a wireless access point that creates the drone itself. So most testing/exploit methodologies is the same that wireless pentesting. The CX-10W costs less than $40 while his bigger brothers WiFi drones sold for ten times that amount.

Being a Wifi controled drone there are number of possible vulnerability exploit exercises, from DoS attacks using 802.11 deauth (knocking CX-10W drone out of the sky is as easy as just run aireplay-ng or Wifijammer), protocol capture or reverse engineering of the mobile application.

Reverse engineering from APK file to source code

Basic reverse engineering is easy given the open WiFi access point, capture the communication between the drone and the App is trivial. From traffic capture is quickly seen that the video is transmitted as a TCP stream and the remote control is via UDP packets. Connecting to the access point and performing a port scan on the cx-10w drone with nmap shows that the drone opens the TCP port 8888. Android APK is also very easy to decompile to produce full source code. Streaming video feed appears to be encoded via libffmpeg. You could find a detailed protocol reference in “How to hack IP camera in toy drone” by reddit user pj530i.

CX-10W protocol capture

Syma X5C

Syma X5C-1

High performance drones either hobby or professional not typically make use of wifi, short range and latency make it impractical. Therefore control of more expensive drones like DJI Phantom or most Race Drones is performed by RF (Radio Frequency) proprietary protocols. But those are not implemented from scratch, more than often they make use of existing integrated circuits used for unlicensed radio applications. Almost always working on the 2.4 GHz band, using frequency hopping to eliminate the likelihood of accidental interference. The most common are radio chipset are CC2500, NRF24L01, A7105 and CYRF6936.

The Syma X5C-1 Explorers is extremely affordable $50 drone for what you’re getting. It’s durable, stable enough to fly indoors but fast enough to be able fly outside, have an onboard camera and uses a NRF24L01 2.4GHz RF Transceiver IC based protocol.

Proprietary RF protocol hacking usually follows the following steps:

  • Decoding and sniffing RF chip configuration either from raw radio captures or I2C bus sniffing
  • Capture of data , Set the meaning of each packet, how stick controls are encoded and how each function associated with a button on the controller is sent.
  • Write code to use your own RF chip to spoof control packet

What makes our NRF24L01 chip excellent for our laboratory: is extremely common with already several projects and libraries for Arduino that cover much of the work required.

The drone runs on the NRF24L01 module, which from previous work we have seen can easily be sniffed and decoded by hardware based sniffer using a $3 radio module. Yveaux developed a sniffing platform based on an Arduino Uno, a single nRF24L01+ module and a computer running the popular network protocol analyzer Wireshark: Embedded Innovation: nRF24L01+ sniffer.

There are already several writeup with practical examples of how to hack our Syma drone. During last PHDays (Positive Hack Days) a yearly forum with a focus on ethical hacking and security the organizers set up a competition where the goal was to “steal” or take control of a Syma X5C-1 quadcopter drone.

PHDays Hack my Drone CTF

To reverse engineer the drones wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just using an Arduino and nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered and then were able to transmit their own data packets to control the drone. This post goes into further detail on the specifics of the reverse engineering.

NRF24L01 2.4GHz RF Transceiver IC

NRF24L01 is used in multiple drone most drone RC protocols (here is a updated list of NRF24L01 drones) were reverse engineered by the drone community for added compatibility, you can study source code from projects like Github nrf24_multipro.

In summary, you can start off with under $100 drone testing lab. As your skills progress and become stronger, you can increase the complexity of your lab setup bringing more expensive drones like the popular DJI Phantom 3 , or CX-20 a cheaper alternative to Phantom. Finally the Futaba RC systems would be the ultimate challenge in the hacking of drones. Professional Futaba drone systems are based on ML2724 Micro Linear 2.4ghz Low-if 1.5mbps Fsk Transceiver RF protocol.

To be a good drone security pentester, you will need plenty of practice along with your other studies and research. There are literately dozens of different ways that you can attack a drone, you can read some in my previous post: List of vulnerable drones & attack tools. Your own drone testing lab will be the perfect venue for a student like yourself to perfect out their skills and techniques without the fear of permanently damaging or destroying your own drone, or someone else’s for that matter.