
Larry Pesce, Hackfest 2015

Drones for Pentesting?


Sounds like fun, doesn’t it?
About me
• Penetration Tester/Hardware Hacker @ InGuardians (Sr. Managing Consultant, Director of Research)

• SANS Instructor

• Paul’s Security Weekly crew

• Extra class ham radio operator (KB1TNF)

• Built a prototype drone for radio analysis for the energy sector.
What this talk is
• Discussion on practical application of drone technology to the pentesting space
• Information for you to determine if drones are a
good fit in your methodology
• Pentest uses
• Attack scenarios
• Practical information gathering
• Physical pen test
• Practical payloads
• Detractors
• Cautions
What this talk is not
• Step by step plans for implementing each
• Attack path
• Information gathering techniques
• Drone building workshop
• Discussion of the best/worst drone platform
• Legal advice
• I am not a lawyer, nor do I play one on TV
Show of hands:
How many have flown a drone?
The PROS
How can we have fun?
• PAYLOADS!
• Data, data, data
• Platform, Platform, Platform
• All sorts of fun can be had
• Recon
• Data acquisition
• Attack
Data Acquisition Issues
• Capture and analyze later

• Limited by size, weight of storage

• Need successful recovery

• Realtime

• Transfer speeds, depending on data

• Distance, dependent on speed and radio selection

• Radio selection, frequency range, battery power


Platform, Platform, Platform!
• We need a computing device that is
• Capable
• Small
• Low power draw
• I’m a fan of the RasPi
• B+ model is low power draw
• Pi 2, untested by me, but more horses
• Many options
• Arduino, Beaglebone, Cellphone, ODROID
• Even custom solutions
• Power? Onboard battery or supplemental
• See my other talk on “If it Fits, It Sniffs”
Recon Payload

• Recon? I think pictures and video

• Building layout

• Roof access

• Physical security, locks, guards, cameras
Recon Payload Hardware

• Depending on purpose, HD video rules

• Modern DJI, built in

• Add GoPro!

• HD video, storage and battery

• On a big drone, add a DSLR


Data Acquisition Payload

• So many options here!

• This will need computing platform

• Data can take many forms

• In this case, all wireless

• Let’s talk awesome wireless payloads

• SEC617 anyone? :-)


Data Acquisition Hardware (1)
• Wifi
• Alfa AWUS051NH *(v2) is the best in the game
• AWUS036H is ok, but no 802.11a
• GPS helpful
• Add on or use a “second feed” from onboard
• loc-nogps
• Record data with
• Kismet*
• airmon-ng
• Process after landing
Data Acquisition Hardware (2)
• Zigbee

• Atmel Raven RZUSB rocks

• No external antenna

• Riverloop API-mote also rocks

• External antenna, slower startup

• Control and record with Killerbee, api-do

• Killerbee for device discovery, packet capture

• api-do also for capture and channel hopping

• Analyze data after landing

• Capturing “good” data may take longer than flight time

• Drop and recover payload?


Data Acquisition Hardware (3)
• Bluetooth

• Not as easy…

• Parani Sena UD-100 great for scanning

• Ubertooth One great for discovery

• Requires some work for automation

• Also great for BTLE/BLE/Bluetooth 4/Bluetooth Smart

• Need realtime care and feeding!

• Bunches of other BTLE tools emerging


Data Acquisition Hardware (4)

• All the other radio


• This one can get overwhelming quickly
• So many options on the SDR front
• Same for what we may want to detect
• Initial recon may require several
extended trips
• Frequency of radio use
Data Acquisition Hardware (5)
• All the other radio(2)
• My favorite, the RTL-SDR
• Cheap (losable, run multiple)
• Modestly robust
• Especially great for 900 MHz cordless…
• Depending on target, realtime data may not be feasible
• Post processing is possible, but storage gets chewed up quickly.
• Potential issues with interference from C&C, telemetry, video and EM interference.
Attack Payload
• Many of the acquisition payloads can be used for attack
• Selection of wireless card, injection
• UbertoothOne for Bluetooth
• Modified RZUSB for Zigbee
• General radio needs upgrades
• BladeRF, Ettus SDRs, HackRF
• Larger payloads, more offline analysis
• Delivery requires robust automation, accurate target selection
• Or work with a partner and longer flight times.
The CONS
Opsec
• Noise?
• For those that have flown one, you know they are loud
• Even the tiny ones sound like an overgrown bumblebee
• Larger = more payload = more noise
• Small = little payload = still some noise
• No social engineering your way out of this one…
• Wait for a crash and retrieval!
Show of hands:
How many have crashed a drone?
Expense
• Yes, drones get expensive!

• So do repair costs

• Even a modestly priced ready to roll model is easily $1500.

• Not including additional payload

• More payload, more expense

• Not just the payload!

• More power = more payload = more $$$

• Also more noise!


Payload expense

• With commodity gear we can keep costs down

• Until we lose it

• Over and over again…

• Even losing commodity gear can get expensive depending on our payload
Payload Size

• We will likely need single purpose payloads

• The more we add the heavier/unbalanced we get

• The heavier we get, the harder to fly

• The harder to fly…


Show of hands:
How many have flown a drone in restricted airspace?

Keep your hands down!!!


Let me rephrase…
Show of hands:
How many may have flown a drone, unknowingly in restricted airspace?
Read as, “I don’t know if I have or not!”
Did you know?
• Depending on where your customers are, you
may be restricted from
• Flying above a certain height
• Not flying at all, due to
• Airport proximity
• Geofence
• Other FAA regulations
• This gets fairly complex if not an every day task
• …and you have to get it right!
Application of law?
• Model Aircraft rules largely applied to multi-rotor based aircraft

• Not technically “models”, but a new aircraft design.

• Largely lumped in the same category

• No actual case law

• Smart rules to observe!


Registration
• New proposed regulations from the Department of Transportation, FAA

• Proposed for implementation before Thanksgiving 2015

• Just in time for the holiday giving season!

• Requires Drone registration, 9 oz or more!

• Unsure of retroactive purchases

• Registration infrastructure

• Security

• Likely be challenged

• Jurisdiction? FAA…

• Exceeding mandate? Not transportation…

• Where does the regulation beyond drones end?


Commercial purposes?
• FAA proposed rules
• Need endorsement on pilots license
• Means you need a pilot license already…
• FAA requirements?
• Likely to be challenged
• Model aircraft exemptions
• No case law
• Yet, whole conferences devoted to commercial applications
• http://dronelaw.net/
• http://www.gpo.gov/fdsys/pkg/PLAW-112publ95/html/PLAW-112publ95.htm
Commercial purposes?

• Proposed need endorsement on pilots license

• Means you need a pilot license already

• FAA requirements?

• Likely to be challenged

• Model aircraft

• No case law
Conclusions
• Yes, Yes, Yes we can have fun

• Before daddy takes the T-bird away…

• That fun needs to be tempered with cost, application,

• Commercially, we need to keep an eye on new, current rules

• Seek legal advice before engaging!


Thanks!

larry@inguardians.com

@haxorthematrix
