A case where you want to legally repel a drone that an erotic boy in the neighborhood flies

As a result of investigating the possibility of "drone hijacking", it was found that some models can take control of the aircraft lightly with Wi-Fi, FTP and Telnet open to the public without authentication. At "DEF CON 23" held in Las Vegas, USA in August 2015, security researcher Michael Robinson reported the results of such a survey in a fun way.

^{* Editor's Note: All expressions "legal" and "illegal" in this article are based on laws and regulations in the United States. Please note that we cannot guarantee the legality / illegality in Japan.}

Mr. Michael Robinson who excited the venue with a light talk

In contrast to the Black Hat conference, which has a strong white hacker color / security industry color, DEF CON disassembles and analyzes software and hardware (whether illegal or legal) with intellectual curiosity, and tricks and tricks. It's just an "event for hackers by hackers" to share security issues.

"Actually, it seems that a boy in the neighborhood got a drone equipped with a camera recently, and he flies day and night. The purpose of night flight is ... that's all." Robinson spills with a bitter expression, hoping that he would like to take a voyeur of the naked woman taking a bath.

However, it is not possible to shoot down with a rifle from the side where it flew. You can also use the free service "No Fly Zone" (http://www.noflyzone.org) that allows you to declare the area around your home as a "no-fly zone", but you can also take aerial images taken in the registered area. Since many can be found, it seems that no big effect can be expected at the moment.

A boy in the neighborhood is trying to take an aerial shot with a drone in the middle of the night ... "Seriously! If you want to see erotic, see it online!" (Robinson)

A drone that can connect to Wi-Fi, FTP, Telnet without authentication

Is there any way to "exit" the drone legally and beautifully? With that in mind, Robinson began researching two popular drones, the Parrot Bebop Drone and the DJI Phantom 3, in search of a foothold.

For Bebop Drone, it turned out that there were almost no security measures. The aircraft is operated via Wi-Fi from the controller application "Free Flight 3" installed on smartphones and tablets. The drone side becomes a "flying Wi-Fi access point", and the smartphone / tablet connects as a Wi-Fi device (client). And, importantly, this Wi-Fi communication is unencrypted.

Small, cheap and popular hobby drone "Parrot Bebop"

"For example, if you disconnect the session between the drone and the main controller (app) with a De-Auth attack and establish a new session with a third party controller, you can move the drone out of the communication range (of the original operator). It is also possible to leave. "

Image of "takeover". Multiple clients can connect to Bebop's Wi-Fi access point, but only the controller that first established the session from the app can control it.Therefore, the communication between the legitimate driver (tablet on the left) and the drone is forcibly cut off, and the attacker (smartphone on the right) takes control immediately.

Also, by connecting to Bebop Drone's Wi-Fi, I was able to connect to the FTP port without authentication. You can quickly find a media directory for storing aerial videos and more. "You can even replace a voyeur video of a woman taking a bath with a wilting video," Robinson laughs.

In addition, Telnet can connect without authentication. In fact, when Robinson, who was thinking of a live demo in this lecture, started the drone at the DEF CON venue, he revealed that 6 DEF CON participants were immediately connected to Telnet.

The other model could not be hijacked

How about the other DJI Phantom 3? As a result of the investigation, the Phantom 3 uses two radio waves (one for controlling the aircraft and one for transmitting camera images). The control of the aircraft was done by the same mechanism as the good old radio-controlled helicopter, and it was not possible to take over the maneuver via Wi-Fi.

DJI Phantom 3, a highly functional drone that costs over 100,000 yen

"Another possible method (as a hacking method) is to interfere with the GPS frequency band." In fact, DJI Phantom 3 started hovering on the spot after using a GPS test generator or similar to disrupt the drone's GPS communication. "Moreover, for unknown reasons, video delivery to the app has increased disruptions and delays," Robinson said.

DJI Phantom 3 app screen.For unknown reasons, the video transmission status became unstable after jamming GPS communication.

As for Parrot Bebop, the drone stopped flying as soon as GPS communication was interrupted and blocked. Even after GPS communication was restored, the function to automatically return to "home" (takeoff point) could not be executed.

However, jamming GPS communications is illegal. Robinson has received advice from many people, including lawyers, for this experiment, and is conducting a one-time experiment in the most appropriate manner.

Robinson said he reported to Parrot about Parrot Bebop, which has many security holes. "However, I haven't heard from you about the correction so far."

Robinson's report simply points out "a security issue with a drone product." However, at the same time, it is also a good example of making people think about the risk of "adding an unprotected Internet connection function without considering security" in the development of IoT products.

■ Related sites