Securing the Paparazzi drone

Securing the Paparazzi drone

onefastdaddy
I have mentioned security in the past. I remember making an ARDrone
fall from the sky in a part in Toulouse from my iPhone as a
demonstration these drones are too insecure...sorry guys for that I
made sure it was only a few feet from the grass before pressing enter
:]
Three years later at BlackHat a much more public demonstration of the
same got a lot of attention. I was surprised this gaping security hole
still exists. Open root access to a flying robot???
I propose a simple fix I do all the time to any Linux system I work with:
1. exchange ssh keys
2. disable password login completely for every account
3. disable root login, do not use root at all (sudo) and monitor root
access of any kind
Has anyone considered simply exchanging id_rsa.pub files, disable
password login, the simple things are often the best. For any server I
manage there are no password logins or root logins allowed ever. The
key can be generated somewhere else and if the right files are
exchanged it works fine. cfengine can easily mass setup systems (read
drones at the factory) with security in place before shipping to
eliminate sending them out all open to the world for root. So easy to
do pls consider it vendors.
Paparazzi is not nearly as insecure from ENAC. Smart minds enabled a
HASH "key" exchanged at compile so the drone refuses messages without
the proper key. Now however we are running Paparazzi on less secure
platforms so it is time to address security again.

As Parrot uses Linux and it should be trivial to implement ssh key
exchanges at the factory using automation (cfengine is nice). I have
set up cfengine scripts to build entire Oracle RAC clusters from bare
metal so I know what goes on the ARDrone is easily doable this way.

Initial drone security (also Skycontroller) would be the 3 steps
given. Now with keys in place your programmers on the ground can
interact with the drone without sending any passwords over the air and
with sudo all steps required can be done, safely.

Is there anyone with questions? If so just ask I'm glad to help. I
have already seen one video where someone uses aircrack-ng to send a
WiFi deauth packet then connects and takes over control of the drone
using automated scripts from a flying Raspberry Pi with Wifi. Trivial
to do really but sadly it's so trivial to do. Let's fix this together!

-David

_______________________________________________
Paparazzi-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/paparazzi-devel
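
The three steps proposed in the post above, turned into a check, as an added example that is not part of the original thread: a POSIX shell audit of an OpenSSH `sshd_config` (key login on, password and root login off, including inside `Match` blocks), plus a filter for root-access events in an auth log. Function names, file names and the sample config and log lines are constructed for illustration, and an absent keyword is scored with a permissive default.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and file names are
# hypothetical; all sample config and log lines are constructed.

# directive_values MODE FILE KEYWORD [ALIAS...]
#   global: print the value sshd uses outside Match blocks (keywords are
#           case-insensitive and the FIRST occurrence wins).
#   match:  print every value the keyword is given inside Match blocks.
directive_values() {
    mode=$1 cfg=$2; shift 2
    awk -v mode="$mode" -v names="$*" '
        BEGIN { n = split(tolower(names), a, " ")
                for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { if (mode == "global") exit; in_match = 1; next }
        !(tolower($1) in want) { next }
        mode == "global"       { print tolower($2); exit }
        in_match               { print tolower($2) }
    ' "$cfg"
}

# check_directive FILE REQUIRED DEFAULT KEYWORD [ALIAS...]
# DEFAULT is the value assumed when the keyword is absent from FILE.
check_directive() {
    cfg=$1 required=$2 default=$3; shift 3
    value=$(directive_values global "$cfg" "$@")
    value=${value:-$default}
    status=PASS
    [ "$value" = "$required" ] || status=FAIL
    # A Match block with another value reopens the door for some clients.
    for v in $(directive_values match "$cfg" "$@"); do
        [ "$v" = "$required" ] || { status=FAIL; value="$value (Match sets $v)"; }
    done
    echo "$status $1: $value"
    [ "$status" = PASS ]
}

# audit_sshd FILE: one line per check; exit status = number of failed checks.
audit_sshd() {
    failures=0
    # Step 1: key login must work before passwords are switched off.
    check_directive "$1" yes yes PubkeyAuthentication || failures=$((failures + 1))
    # Step 2: no password login. Keyboard-interactive can still ask for a
    # password through PAM, so it is checked under both of its keyword names.
    check_directive "$1" no yes PasswordAuthentication || failures=$((failures + 1))
    check_directive "$1" no yes KbdInteractiveAuthentication \
        ChallengeResponseAuthentication || failures=$((failures + 1))
    # Step 3: no root login. The built-in default differs between OpenSSH
    # releases, so an absent keyword is scored as "yes" (assumption).
    check_directive "$1" no yes PermitRootLogin || failures=$((failures + 1))
    return "$failures"
}

# root_access_events LOGFILE: "monitor root access" as a log filter. Prints
# sshd logins and failed logins as root, and sudo commands run as root.
root_access_events() {
    grep -E 'sshd\[[0-9]+\]: (Accepted|Failed) [^ ]+ for root from |sudo: .*USER=root ; COMMAND=' "$1"
}

# write_samples DIR: constructed inputs for the demo.
write_samples() {
    printf '%s\n' '# image shipped open' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$1/weak.conf"
    printf '%s\n' 'PubkeyAuthentication yes' 'passwordauthentication no' \
        'KbdInteractiveAuthentication no' 'PermitRootLogin no' \
        '# the next line is ignored: first occurrence wins' \
        'PermitRootLogin yes' > "$1/hardened.conf"
    { cat "$1/hardened.conf"
      printf '%s\n' 'Match Address 192.0.2.0/24' '    PasswordAuthentication yes'
    } > "$1/override.conf"
    cat > "$1/auth.log" <<'EOF'
Jan  1 10:00:01 uav1 sshd[412]: Accepted publickey for pilot from 192.0.2.10 port 50122 ssh2
Jan  1 10:00:09 uav1 sudo:    pilot : TTY=pts/0 ; PWD=/home/pilot ; USER=root ; COMMAND=/sbin/reboot
Jan  1 10:03:31 uav1 sshd[440]: Failed password for root from 192.0.2.77 port 40100 ssh2
Jan  1 10:03:35 uav1 sshd[441]: Accepted password for root from 192.0.2.77 port 40101 ssh2
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in weak hardened override; do
    echo "== $name.conf"
    audit_sshd "$demo_dir/$name.conf" || echo "-> $? check(s) failed"
done
echo "== root access events"
root_access_events "$demo_dir/auth.log"
rm -rf "$demo_dir"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser here is for reviewing a config file offline, for example in an image before it ships.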

Re: Securing the Paparazzi drone

dr3n3al labs
David
Thank you for the email explaining everything. Question: I am new in the group and I am looking into getting an AR Drone for research (based on a course done at TU Munich). Would you recommend any book about embedded Linux that I should read to really understand what's going on inside of the ARDrone?

Thanks
Chris

On Mon, Aug 24, 2015 at 5:08 PM, David Conger <[hidden email]> wrote:

Re: Securing the Paparazzi drone

onefastdaddy
Hello,
I learned Linux back in 1994 so back then you had to find information
online or magazines. Since then I have worked on many production
projects using Linux and along the way I have observed and integrated
"best practices" that most certainly are shared online under a search
for "ssh linux security best practices". I do not mind sharing what I
know but worry it's common knowledge or unwanted so if you are more
specific I can be more specific.
I do not know your experience level with Linux to suggest any "best"
reading. I often simply look to the Internet now for the latest
information. Things change quickly. The Linux on ARDrone is still
"Linux" fundamentally.
Good news. On my BeBop it was easy to find the IP but connecting as
root no password failed so I am encouraged (a good thing) by that.


On 8/24/15, dr3n3al labs <[hidden email]> wrote:



--
[hidden email]
http://www.ppzuav.com


Re: Securing the Paparazzi drone

dr3n3al labs
David
I have been using Fedora Linux for 4 years now (just using it on my desktop machine), but I am no admin. I know my way around: to update, to troubleshoot driver issues and basic stuff, and I get things done.
One book that I have been looking at is this:

Exploring BeagleBone: Tools and Techniques for Building with Embedded Linux

http://www.amazon.com/Exploring-BeagleBone-Techniques-Building-Embedded/dp/1118935128/ref=sr_1_2?ie=UTF8&qid=1440453381&sr=8-2&keywords=embedded+linux

Paparazzi running on Linux is on Ubuntu, so I am thinking that I should make the switch to Debian and learn a little more.

The whole idea of the AR Drone is more to start learning in that platform to start and then move into Paparazzi feet first.

Thank you for your advice
Chris

On Mon, Aug 24, 2015 at 6:45 PM, David Conger <[hidden email]> wrote:

Re: Securing the Paparazzi drone

flixr
Administrator
Hi David,

For the Parrot drones, the first thing I would do is to change to a WPA encrypted WiFi connection... that would close most vectors with minimal amount of work.

Cheers, Felix

On Tue, Aug 25, 2015 at 12:00 AM, dr3n3al labs <[hidden email]> wrote:

Re: Securing the Paparazzi drone

Jan Čapek
In reply to this post by onefastdaddy
Excellent summary, our company has years of experience in running and
securing Linux based systems (including embedded targets, too). However,
we are quite new to the UAV platforms. World is full of naive solutions
with none to zero security. People using toys don't seem to care about
this too much. However, commercial and industrial use of UAV's calls
for a certified software which will cover security aspects too. This is
an area that we want to focus on once we gain enough practical
experience with UAV's.

Best regards,

Jan


On Mon, 24 Aug 2015 16:08:40 -0400
David Conger <[hidden email]> wrote:



--
Braiins Systems
tel: +420 604 566 382
email: [hidden email]


Re: Securing the Paparazzi drone

Luke Ionno
Honestly, I've flown the AR.Drone 2 and Bebop, and I've never been
particularly concerned with the lax security on the Parrots (although I've
been aware of it), given what they are: glorified toys.  I mean, by
comparison, your average RC plane (particularly with the old analog 72 MHz
RC control link) was MUCH less secure than a Parrot.  At least nobody can
accidentally crash a Parrot, simply by emitting on the wrong frequency.

Once you move over to true industrial/commercial (or even just
larger/heavier) UAVs, I agree completely, rigorous security is required.

-Luke

-----Original Message-----
From: paparazzi-devel-bounces+nsknews=[hidden email]
[mailto:paparazzi-devel-bounces+nsknews=[hidden email]] On Behalf Of
Jan Capek
Sent: Tuesday, August 25, 2015 5:08 AM
To: [hidden email]
Subject: Re: [Paparazzi-devel] Securing the Paparazzi drone


Re: Securing the Paparazzi drone

Greg Jones-10
In reply to this post by Jan Čapek
It's been a few years since I last posted I know but I'm still reading the list!

Surely the elephant in the room here is not so much how to secure Linux, this itself is well documented, the problem is the potential to remotely force Paparazzi to switch flight modes by abusing the RC receiver and moving from AUTO2 to AUTO1 or MANUAL.

A remote attacker need only transmit a value on the necessary RC channel, there is currently no security on this mechanism and this mode switch is all that is needed for the remote attacker to take control of the UAV.

The benefits of having the RC override have undeniable safety benefits and I wouldn't fly without it but it is a major vulnerability, for me the most major vulnerability.

I do not attach any security value to the anti-interference controls in PCM based receivers to prevent spoofed signals and even if they were enhanced, short of some properly implemented cryptographic authentication between RC transmitter and RC controller, they can be readily defeated using a cheap SDR.

Anyway, so ends this decade's post for me.

And Mr Conger, that TWOG I got off you 6 years ago is still going strong!

Best

Greg


________________________________________
From: paparazzi-devel-bounces+greg.jones=[hidden email] [paparazzi-devel-bounces+greg.jones=[hidden email]] on behalf of Jan Čapek [[hidden email]]
Sent: 25 August 2015 10:07
To: [hidden email]
Subject: Re: [Paparazzi-devel] Securing the Paparazzi drone

Excellent summary, our company has years of experience in running and
securing Linux based systems (including embedded targets, too). However,
we are quite new to the UAV platforms. World is full of naive solutions
with none to zero security. People using toys don't seem to care about
this too much. However, commercial and industrial use of UAV's calls
for a certified software which will cover security aspects too. This is
an area that we want to focus on once we gain enough practical
experience with UAV's.

Best regards,

Jan


Dne Mon, 24 Aug 2015 16:08:40 -0400
David Conger <[hidden email]> napsal(a):

> I have mentioned security in the past. I remember making an ARDrone
> fall from the sky in a part in Toulouse from my iPhone as a
> demonstration these drones are too insecure...sorry guys for that I
> made sure it was only a few feet from the grass before pressing enter
> :]
> Three years later at BlackHat a much more public demonstration of the
> same got a lot of attention. I was surprised this gaping security hole
> still exists. Open root access to a flying robot???
> I propose a simple fix I do all the time to any Linux system I work
> with: 1. exchange ssh keys
> 2. disable password login completely for every account
> 3. disable root login, do not use root at all (sudo) and monitor root
> access of any kind
> Has anyone considered simply exchanging id_rsa.pub files, disable
> password login, the simple things are often the best. For any server I
> manage there are no password logins or root logins allowed ever. They
> key can be generated somewhere else and if the right files are
> exchanged it works fine. cfengine can easily mass setup systems (read
> drones at the factory) with security in place before shipping to
> eliminate sending them out all open to the world for root. So easy to
> do pls consider it vendors.
> Paparazzi is not nearly as insecure from ENAC. Smart minds enabled a
> HASH "key" exchanged at compile so the drone refuses messages without
> the proper key. Now however we are running Paparazzi on less secure
> platforms so it is time to address security again.
>
> As Parrot uses Linux and it should be trivial to implement ssh key
> exchanges at the factory using automation (cfengine is nice). I have
> setup cfengine scripts to build entire Oracle RAC clusters from bare
> metal so I know what goes on the ARDrone is easily doable this way.
>
> Initial drone security (also Skycontroller) would be the 3 steps
> given. Now with keys in place your programmers on the ground can
> interact with the drone without sending any passwords over the air and
> with sudo all steps required can be done, safely.
>
> Is there anyone with questions? If so just ask I'm glad to help. I
> have already seen one video where someone uses aircrack-ng to send a
> WiFi deauth packet then connects and takes over control of the drone
> using automated scripts from a flying Raspberry Pi with Wifi. Trivial
> to do really but sadly it's so trivial to do. Let's fix this together!
>
> -David
>
> _______________________________________________
> Paparazzi-devel mailing list
> [hidden email]
> https://lists.nongnu.org/mailman/listinfo/paparazzi-devel


--
Braiins Systems
tel: +420 604 566 382
email: [hidden email]

_______________________________________________
Paparazzi-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/paparazzi-devel
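What Greg's "cryptographic authentication between RC transmitter and RC controller" could look like, as an added example that is not Paparazzi code or part of any message in this thread: each frame carries a counter and a truncated HMAC-SHA256 tag, and the receiver drops forged, altered and replayed frames before the mode channel is read. The frame layout, channel index, tag length and pulse thresholds are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

N_CHANNELS = 8                   # assumed channel count
MODE_CHANNEL = 4                 # assumed index of the flight-mode switch channel
TAG_LEN = 8                      # truncated HMAC-SHA256 tag (assumed frame budget)
BODY_FMT = ">I%dH" % N_CHANNELS  # 32-bit frame counter + one 16-bit value per channel
FRAME_LEN = struct.calcsize(BODY_FMT) + TAG_LEN


def build_frame(key, counter, channels):
    """Transmitter side: pack counter and channel values, append the MAC."""
    body = struct.pack(BODY_FMT, counter, *channels)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def decode_mode(pulse_us):
    """Map the mode channel to a mode name (thresholds are illustrative)."""
    if pulse_us < 1300:
        return "MANUAL"
    return "AUTO1" if pulse_us < 1700 else "AUTO2"


class Receiver:
    """Receiver side: accept a frame only if the MAC verifies and it is fresh."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        """Return the requested mode, or None when the frame is rejected."""
        if len(frame) != FRAME_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or altered in transit
        counter, *channels = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return None                      # replayed or stale
        self.last_counter = counter
        return decode_mode(channels[MODE_CHANNEL])


def demo():
    key = bytes(range(32))                   # constructed key, shared at pairing
    rx = Receiver(key)
    auto2 = [1500] * N_CHANNELS
    auto2[MODE_CHANNEL] = 1900
    manual = list(auto2)
    manual[MODE_CHANNEL] = 1100

    legit = build_frame(key, 1, auto2)
    # Sender without the key: correct layout, MAC computed under a guessed key.
    spoofed = build_frame(b"\x00" * 32, 2, manual)
    # Altered copy of a genuine frame: mode value rewritten, original tag kept.
    tampered = bytearray(build_frame(key, 3, auto2))
    struct.pack_into(">H", tampered, 4 + 2 * MODE_CHANNEL, 1100)
    return {
        "legit": rx.accept(legit),
        "spoofed": rx.accept(spoofed),
        "tampered": rx.accept(bytes(tampered)),
        "replayed": rx.accept(legit),
        "next_legit": rx.accept(build_frame(key, 4, manual)),
    }
```

The receiver's counter has to survive power cycles (or be re-synchronised at pairing), otherwise frames recorded in an earlier flight become acceptable again after a reboot.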

Re: Securing the Paparazzi drone

onefastdaddy
In reply to this post by flixr

This can be done thanks to the details in this post. I will confirm I can do this myself
http://forum.parrot.com/english/viewtopic.php?id=15790
I do really appreciate the Parrot drone being so open. My focus is only to invite as much discussion as possible so we can write nice tools to make our flights as safe as possible.
Thanks everyone for adding to this discussion.

On Aug 25, 2015 4:12 AM, "Felix Ruess" <[hidden email]> wrote:
Hi David,

for the Parrot drones, the first thing I would do is to change to a WPA encrypted WiFi connection... that would close most vectors with minimal amount of work.

Cheers, Felix

On Tue, Aug 25, 2015 at 12:00 AM, dr3n3al labs <[hidden email]> wrote:
David
I have been using Fedora Linux for 4 years now (just using it on my desktop machine), but I am no admin. I know my way around: to update, to troubleshoot driver issues and basic stuff, and I get things done.
One book that I have been looking at is this:

Exploring BeagleBone: Tools and Techniques for Building with Embedded Linux

http://www.amazon.com/Exploring-BeagleBone-Techniques-Building-Embedded/dp/1118935128/ref=sr_1_2?ie=UTF8&qid=1440453381&sr=8-2&keywords=embedded+linux

Paparazzi running on Linux is on Ubuntu, so I am thinking that I should make the switch to Debian and learn a little more.

The whole idea of the AR Drone is more to start learning on that platform and then move into Paparazzi feet first.

Thank you for your advice
Chris

On Mon, Aug 24, 2015 at 6:45 PM, David Conger <[hidden email]> wrote:
Hello,
I learned Linux back in 1994 so back then you had to find information
online or magazines. Since then I have worked on many production
projects using Linux and along the way I have observed and integrated
"best practices" that most certainly are shared online under a search
for "ssh linux security best practices". I do not mind sharing what I
know but worry it's common knowledge or unwanted so if you are more
specific I can be more specific.
I do not know your experience level with Linux to suggest any "best"
reading. I often simply look to the Internet now for the latest
information. Things change quickly. The Linux on ARDrone is still
"Linux" fundamentally.
Good news. On my BeBop it was easy to find the IP but connecting as
root no password failed so I am encouraged (a good thing) by that.


On 8/24/15, dr3n3al labs <[hidden email]> wrote:
> David
> Thank you for the email explaining everything, question, i am new in the
> group and i am looking into get an AR Drone for research (based on a course
> done at TU Munich) would you recommend any book about embedded Linux that i
> should read to really understand whats going on inside of the ARDrone?
>
> Thanks
> Chris
>
> On Mon, Aug 24, 2015 at 5:08 PM, David Conger <[hidden email]>
> wrote:
>
>> I have mentioned security in the past. I remember making an ARDrone
>> fall from the sky in a part in Toulouse from my iPhone as a
>> demonstration these drones are too insecure...sorry guys for that I
>> made sure it was only a few feet from the grass before pressing enter
>> :]
>> Three years later at BlackHat a much more public demonstration of the
>> same got a lot of attention. I was surprised this gaping security hole
>> still exists. Open root access to a flying robot???
>> I propose a simple fix I do all the time to any Linux system I work with:
>> 1. exchange ssh keys
>> 2. disable password login completely for every account
>> 3. disable root login, do not use root at all (sudo) and monitor root
>> access of any kind
>> Has anyone considered simply exchanging id_rsa.pub files, disable
>> password login, the simple things are often the best. For any server I
>> manage there are no password logins or root logins allowed ever. They
>> key can be generated somewhere else and if the right files are
>> exchanged it works fine. cfengine can easily mass setup systems (read
>> drones at the factory) with security in place before shipping to
>> eliminate sending them out all open to the world for root. So easy to
>> do pls consider it vendors.
>> Paparazzi is not nearly as insecure from ENAC. Smart minds enabled a
>> HASH "key" exchanged at compile so the drone refuses messages without
>> the proper key. Now however we are running Paparazzi on less secure
>> platforms so it is time to address security again.
>>
>> As Parrot uses Linux and it should be trivial to implement ssh key
>> exchanges at the factory using automation (cfengine is nice). I have
>> setup cfengine scripts to build entire Oracle RAC clusters from bare
>> metal so I know what goes on the ARDrone is easily doable this way.
>>
>> Initial drone security (also Skycontroller) would be the 3 steps
>> given. Now with keys in place your programmers on the ground can
>> interact with the drone without sending any passwords over the air and
>> with sudo all steps required can be done, safely.
>>
>> Is there anyone with questions? If so just ask I'm glad to help. I
>> have already seen one video where someone uses aircrack-ng to send a
>> WiFi deauth packet then connects and takes over control of the drone
>> using automated scripts from a flying Raspberry Pi with Wifi. Trivial
>> to do really but sadly it's so trivial to do. Let's fix this together!
>>
>> -David
>>
>> _______________________________________________
>> Paparazzi-devel mailing list
>> [hidden email]
>> https://lists.nongnu.org/mailman/listinfo/paparazzi-devel
>>
>


--
[hidden email]
http://www.ppzuav.com
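The three steps quoted throughout this thread (key login, no password login, no root login) can be checked mechanically. The following is an added example, not from any poster or from Parrot's firmware, that audits `sshd_config` text for them; it assumes OpenSSH `sshd_config` syntax, and both sample configurations are constructed.

```python
import re

# Values the three steps call for; keys are lowercased sshd_config keywords.
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",   # passwords can also arrive this way
    "permitrootlogin": "no",
}
# Older OpenSSH releases spell the keyboard-interactive switch this way.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed samples, not taken from any drone image.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User pilot
    PasswordAuthentication yes
"""
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""


def directives(text):
    """Yield (line_no, in_match_block, keyword, value) for each setting."""
    in_match = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True          # a Match block runs to the next Match or EOF
            continue
        yield line_no, in_match, ALIASES.get(keyword, keyword), value


def audit(text):
    """Return a list of findings; an empty list means all three steps hold."""
    findings, effective = [], {}
    for line_no, in_match, keyword, value in directives(text):
        if keyword not in REQUIRED:
            continue
        if in_match:
            # Match blocks override the global section for the sessions they select.
            if value != REQUIRED[keyword]:
                findings.append(f"line {line_no}: Match block sets {keyword} {value}")
        elif keyword not in effective:
            effective[keyword] = (line_no, value)   # sshd keeps the first value it reads
    for keyword, want in REQUIRED.items():
        if keyword not in effective:
            findings.append(f"{keyword}: not set, so the built-in default applies")
        elif effective[keyword][1] != want:
            line_no, value = effective[keyword]
            findings.append(f"line {line_no}: {keyword} {value}, want {want}")
    return findings
```

In `WEAK`, the `PasswordAuthentication no` on line 4 has no effect because the `yes` on line 2 was read first, which is why appending hardening lines to the end of an existing file is not enough. On a live system, `sshd -T` prints the effective configuration and can be fed to `audit()` directly.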


Re: Securing the Paparazzi drone

onefastdaddy
In reply to this post by Greg Jones-10

@Greg: awesome to hear about the TWOG!
I still have several Tiny13 I keep sealed so one day I can fly with it. Still today I stare at it in wonder as it has GPS onboard with power, with the processor, with molex... If only it had a single chip IMU and baro (hint), maybe stm32f4? It could be still the smallest ready to integrate controller. All the designs are wonderful and open.
Point really is how thoughtful the Paparazzi group is to not obsolete past hardware and why separation of business from development is so good for the community.
Security for Linux based, open source Drones, will evolve quickly thanks to the open nature of the platform. I now admire Parrot for giving us something unlocked so the community can make it as safe as we wish. Some have already said they are OK with no security. Others wish more.
I am happy to share what I continue to learn so stay tuned.

On Aug 26, 2015 1:16 AM, "Greg Jones" <[hidden email]> wrote:
It's been a few years since I last posted I know but I'm still reading the list!

Surely the elephant in the room here is not so much how to secure Linux, this itself is well documented, the problem is the potential to remotely force Paparazzi to switch flight modes by abusing the RC receiver and moving from AUTO2 to AUTO1 or MANUAL.

A remote attacker need only transmit a value on the necessary RC channel, there is currently no security on this mechanism and this mode switch is all that is needed for the remote attacker to take control of the UAV.

The benefits of having the RC override have undeniable safety benefits and I wouldn't fly without it but it is a major vulnerability, for me the most major vulnerability.

I do not attach any security value to the anti-interference controls in PCM based receivers to prevent spoofed signals and even if they were enhanced, short of some properly implemented cryptographic authentication between RC transmitter and RC controller, they can be readily defeated using a cheap SDR.

Anyway, so ends this decade's post for me.

And Mr Conger, that TWOG I got off you 6 years ago is still going strong!

Best

Greg


________________________________________
From: paparazzi-devel-bounces+greg.jones=[hidden email] [paparazzi-devel-bounces+greg.jones=[hidden email]] on behalf of Jan Čapek [[hidden email]]
Sent: 25 August 2015 10:07
To: [hidden email]
Subject: Re: [Paparazzi-devel] Securing the Paparazzi drone

Excellent summary, our company has years of experience in running and
securing Linux based systems (including embedded targets, too). However,
we are quite new to the UAV platforms. The world is full of naive solutions
with none to zero security. People using toys don't seem to care about
this too much. However, commercial and industrial use of UAVs calls
for certified software which will cover security aspects too. This is
an area that we want to focus on once we gain enough practical
experience with UAVs.

Best regards,

Jan


On Mon, 24 Aug 2015 16:08:40 -0400
David Conger <[hidden email]> wrote:

> I have mentioned security in the past. I remember making an ARDrone
> fall from the sky in a part in Toulouse from my iPhone as a
> demonstration these drones are too insecure...sorry guys for that I
> made sure it was only a few feet from the grass before pressing enter
> :]
> Three years later at BlackHat a much more public demonstration of the
> same got a lot of attention. I was surprised this gaping security hole
> still exists. Open root access to a flying robot???
> I propose a simple fix I do all the time to any Linux system I work
> with: 1. exchange ssh keys
> 2. disable password login completely for every account
> 3. disable root login, do not use root at all (sudo) and monitor root
> access of any kind
> Has anyone considered simply exchanging id_rsa.pub files, disable
> password login, the simple things are often the best. For any server I
> manage there are no password logins or root logins allowed ever. They
> key can be generated somewhere else and if the right files are
> exchanged it works fine. cfengine can easily mass setup systems (read
> drones at the factory) with security in place before shipping to
> eliminate sending them out all open to the world for root. So easy to
> do pls consider it vendors.
> Paparazzi is not nearly as insecure from ENAC. Smart minds enabled a
> HASH "key" exchanged at compile so the drone refuses messages without
> the proper key. Now however we are running Paparazzi on less secure
> platforms so it is time to address security again.
>
> As Parrot uses Linux and it should be trivial to implement ssh key
> exchanges at the factory using automation (cfengine is nice). I have
> setup cfengine scripts to build entire Oracle RAC clusters from bare
> metal so I know what goes on the ARDrone is easily doable this way.
>
> Initial drone security (also Skycontroller) would be the 3 steps
> given. Now with keys in place your programmers on the ground can
> interact with the drone without sending any passwords over the air and
> with sudo all steps required can be done, safely.
>
> Is there anyone with questions? If so just ask I'm glad to help. I
> have already seen one video where someone uses aircrack-ng to send a
> WiFi deauth packet then connects and takes over control of the drone
> using automated scripts from a flying Raspberry Pi with Wifi. Trivial
> to do really but sadly it's so trivial to do. Let's fix this together!
>
> -David
>
> _______________________________________________
> Paparazzi-devel mailing list
> [hidden email]
> https://lists.nongnu.org/mailman/listinfo/paparazzi-devel


--
Braiins Systems
tel: +420 604 566 382
email: [hidden email]


Re: Securing the Paparazzi drone

Christophe De Wagter

Even the mirumod (atmega plugging in serial port) was disabling wifi login.

On Aug 27, 2015 2:37 PM, "David Conger" <[hidden email]> wrote:

@Greg: awesome to hear about the TWOG!
I still have several Tiny13 I keep sealed so one day I can fly with it. Still today I stare at it in wonder as it has GPS onboard with power, with the processor, with molex... If only it had a single chip IMU and baro (hint), maybe stm32f4? It could be still the smallest ready to integrate controller. All the designs are wonderful and open.
Point really is how thoughtful the Paparazzi group is to not obsolete past hardware and why separation of business from development is so good for the community.
Security for Linux based, open source Drones, will evolve quickly thanks to the open nature of the platform. I now admire Parrot for giving us something unlocked so the community can make it as safe as we wish. Some have already said they are OK with no security. Others wish more.
I am happy to share what I continue to learn so stay tuned.

On Aug 26, 2015 1:16 AM, "Greg Jones" <[hidden email]> wrote:
It's been a few years since I last posted I know but I'm still reading the list!

Surely the elephant in the room here is not so much how to secure Linux, this itself is well documented, the problem is the potential to remotely force Paparazzi to switch flight modes by abusing the RC receiver and moving from AUTO2 to AUTO1 or MANUAL.

A remote attacker need only transmit a value on the necessary RC channel, there is currently no security on this mechanism and this mode switch is all that is needed for the remote attacker to take control of the UAV.

The benefits of having the RC override have undeniable safety benefits and I wouldn't fly without it but it is a major vulnerability, for me the most major vulnerability.

I do not attach any security value to the anti-interference controls in PCM based receivers to prevent spoofed signals and even if they were enhanced, short of some properly implemented cryptographic authentication between RC transmitter and RC controller, they can be readily defeated using a cheap SDR.

Anyway, so ends this decade's post for me.

And Mr Conger, that TWOG I got off you 6 years ago is still going strong!

Best

Greg


________________________________________
From: paparazzi-devel-bounces+greg.jones=[hidden email] [paparazzi-devel-bounces+greg.jones=[hidden email]] on behalf of Jan Čapek [[hidden email]]
Sent: 25 August 2015 10:07
To: [hidden email]
Subject: Re: [Paparazzi-devel] Securing the Paparazzi drone

Excellent summary, our company has years of experience in running and
securing Linux based systems (including embedded targets, too). However,
we are quite new to the UAV platforms. The world is full of naive solutions
with none to zero security. People using toys don't seem to care about
this too much. However, commercial and industrial use of UAVs calls
for certified software which will cover security aspects too. This is
an area that we want to focus on once we gain enough practical
experience with UAVs.

Best regards,

Jan


On Mon, 24 Aug 2015 16:08:40 -0400
David Conger <[hidden email]> wrote:

> I have mentioned security in the past. I remember making an ARDrone
> fall from the sky in a part in Toulouse from my iPhone as a
> demonstration these drones are too insecure...sorry guys for that I
> made sure it was only a few feet from the grass before pressing enter
> :]
> Three years later at BlackHat a much more public demonstration of the
> same got a lot of attention. I was surprised this gaping security hole
> still exists. Open root access to a flying robot???
> I propose a simple fix I do all the time to any Linux system I work
> with: 1. exchange ssh keys
> 2. disable password login completely for every account
> 3. disable root login, do not use root at all (sudo) and monitor root
> access of any kind
> Has anyone considered simply exchanging id_rsa.pub files, disable
> password login, the simple things are often the best. For any server I
> manage there are no password logins or root logins allowed ever. They
> key can be generated somewhere else and if the right files are
> exchanged it works fine. cfengine can easily mass setup systems (read
> drones at the factory) with security in place before shipping to
> eliminate sending them out all open to the world for root. So easy to
> do pls consider it vendors.
> Paparazzi is not nearly as insecure from ENAC. Smart minds enabled a
> HASH "key" exchanged at compile so the drone refuses messages without
> the proper key. Now however we are running Paparazzi on less secure
> platforms so it is time to address security again.
>
> As Parrot uses Linux and it should be trivial to implement ssh key
> exchanges at the factory using automation (cfengine is nice). I have
> setup cfengine scripts to build entire Oracle RAC clusters from bare
> metal so I know what goes on the ARDrone is easily doable this way.
>
> Initial drone security (also Skycontroller) would be the 3 steps
> given. Now with keys in place your programmers on the ground can
> interact with the drone without sending any passwords over the air and
> with sudo all steps required can be done, safely.
>
> Is there anyone with questions? If so just ask I'm glad to help. I
> have already seen one video where someone uses aircrack-ng to send a
> WiFi deauth packet then connects and takes over control of the drone
> using automated scripts from a flying Raspberry Pi with Wifi. Trivial
> to do really but sadly it's so trivial to do. Let's fix this together!
>
> -David
>
> _______________________________________________
> Paparazzi-devel mailing list
> [hidden email]
> https://lists.nongnu.org/mailman/listinfo/paparazzi-devel


--
Braiins Systems
tel: +420 604 566 382
email: [hidden email]
