Parrot Anafi Drone Reverse Engineering

In this example, we show how we reverse-engineered the communication between the Parrot Anafi consumer drone and its controller, which connects via Wi-Fi. The Parrot Anafi hosts its own Wi-Fi network, to which the controller or a phone running the Freeflight app connects. Our goal is to understand the signals that initiate the Anafi's takeoff and landing sequences.
Test Setup
Start by connecting your PC to the Parrot Anafi’s Wi-Fi network. Next, set up an ARP spoofing attack to put your PC in a man-in-the-middle position between the drone and its controller. This can be done using tools like Ettercap, which allows your device to capture the data exchanged between the two.
The resulting test setup will look like this:
Packet Analysis
Using Wireshark, we can look at the packets that are sent during a landing and a start sequence (the image shows only a snippet):
We can see that the communication between the drone and the controller uses UDP. Every UDP packet carries a binary payload (displayed as a hex string by Wireshark) that is not ASCII.
Next, we look at the distribution of packet types over all packets sent during one drone takeoff and landing:
To identify which packet is responsible for take-off and landing, we performed 17 take-offs and landings and found that the value for the third message type (length=53 bytes) ranges from 2 to 34. Is this the packet that controls take-off/landing? 17*2=34 would fit: one packet per take-off and one per landing.
In Wireshark we can filter with frame.len==53 to show only the start/landing packets:
The payload of these packets has a clear structure (here are some examples):
After analyzing the protocol, we can recover the format of this packet type:
Attacks
Let's see if we can send our own packets from our PC to the drone to start and land it, without using the controller. For that we set up a Python script (see below) that sends the UDP payload 040bff0b000000300001000100, which we observed at the drone's start, to the drone. Note that we set the counter to FF, because the drone drops packets whose counter value is lower than its current counter; using FF ensures that the packet is always accepted.
And we did it! The drone performs its auto-start manoeuvre and hovers overhead. To land the drone again we can send it 040bff0b000000300001000300. Note that the trigger byte (second-to-last byte) is now set to 03.
Note that one does not need to change the MAC address to get these results: the Anafi processes the packets even if the laptop is not the primary controller at that time.
If we spam either the takeoff or landing command, the following attacks become possible:

Possible attack: Prevention of starts
The next experiment was to spam the landing command constantly, with the result that the drone could not be started using the controller. The rotors of the drone spin for a second, but then the landing command is received and the Anafi aborts the start process.

Possible attack: Avoid landings
The same result can be achieved by spamming the start packet. When one presses the landing button on the controller or on the phone, the drone starts to descend, but when the start packet from the laptop arrives, the drone stops landing and hovers again above the ground. As a result, the phone user is not able to land the drone properly.
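The two things a defender can look for in this traffic are exactly the artefacts the attack leaves behind: a counter forced to FF (a legitimate controller increments it by one per packet, so a large jump or a repeated value is implausible) and take-off/landing commands arriving far more often than a human presses the button. The monitor below is an added example written for this page, not code from the original write-up or from Parrot; it works on raw UDP payloads plus a capture timestamp, so it could be fed from a capture tool, and here runs on a constructed sample. It assumes that every byte of the 13-byte payload other than the counter (byte 2) and the trigger byte (second-to-last) is constant for this packet type, and the thresholds (window, command rate, maximum counter jump) are illustrative values, not numbers from the page.

```python
from collections import deque

# Payload hex strings quoted above (13 bytes each). Byte 2 is the counter;
# the second-to-last byte is the trigger (0x01 take-off, 0x03 landing).
TAKEOFF_HEX = "040bff0b000000300001000100"
LANDING_HEX = "040bff0b000000300001000300"
TEMPLATE = bytes.fromhex(TAKEOFF_HEX)
COUNTER_OFFSET = 2
TRIGGER_OFFSET = len(TEMPLATE) - 2
TRIGGER_NAMES = {0x01: "takeoff", 0x03: "landing"}


def parse_command(payload: bytes):
    """Return (counter, command_name) for a take-off/landing payload, else None.

    Assumption (not stated on the page): all bytes other than the counter and
    the trigger byte are constant for this packet type, so anything else is
    treated as a different message and ignored.
    """
    if len(payload) != len(TEMPLATE):
        return None
    trigger = payload[TRIGGER_OFFSET]
    if trigger not in TRIGGER_NAMES:
        return None
    for i, b in enumerate(payload):
        if i not in (COUNTER_OFFSET, TRIGGER_OFFSET) and b != TEMPLATE[i]:
            return None
    return payload[COUNTER_OFFSET], TRIGGER_NAMES[trigger]


class CommandMonitor:
    """Flags the abuse patterns described above: a counter that jumps to an
    implausible value (e.g. 0xFF), a counter that never advances (replayed
    packets), and command flooding. Thresholds are illustrative assumptions."""

    def __init__(self, window_s=2.0, max_per_window=2, max_jump=16):
        self.window_s = window_s
        self.max_per_window = max_per_window
        self.max_jump = max_jump
        self.last_counter = None
        self.recent = deque()  # timestamps of recognised commands

    def observe(self, ts: float, payload: bytes):
        """Feed one UDP payload with its capture time; return a list of alerts."""
        parsed = parse_command(payload)
        if parsed is None:
            return []
        counter, name = parsed
        alerts = []
        if self.last_counter is not None:
            jump = (counter - self.last_counter) % 256  # 8-bit counter wraps
            if jump == 0:
                alerts.append(f"counter_repeat:{name}:{counter:#04x}")
            elif jump > self.max_jump:
                alerts.append(f"counter_jump:{name}:{self.last_counter:#04x}->{counter:#04x}")
        self.last_counter = counter
        # Sliding window over command timestamps for rate-based detection.
        self.recent.append(ts)
        while self.recent and self.recent[0] <= ts - self.window_s:
            self.recent.popleft()
        if len(self.recent) > self.max_per_window:
            alerts.append(f"flood:{name}:{len(self.recent)}_in_{self.window_s:g}s")
        return alerts


def with_counter(hex_payload: str, counter: int) -> bytes:
    """Build a constructed sample payload with a chosen counter byte."""
    b = bytearray.fromhex(hex_payload)
    b[COUNTER_OFFSET] = counter
    return bytes(b)


def run_sample():
    """Constructed capture: a normal take-off and landing with an incrementing
    counter, then the landing payload with counter 0xFF repeated, as in the
    spam attack described above."""
    sample = [
        (0.0, with_counter(TAKEOFF_HEX, 0x10)),
        (1.0, with_counter(LANDING_HEX, 0x11)),
        (1.5, bytes.fromhex("0102030405")),  # unrelated short packet, ignored
        (2.0, bytes.fromhex(LANDING_HEX)),    # counter 0xFF, forced
        (2.1, bytes.fromhex(LANDING_HEX)),
        (2.2, bytes.fromhex(LANDING_HEX)),
    ]
    mon = CommandMonitor()
    return [(ts, mon.observe(ts, p)) for ts, p in sample]


if __name__ == "__main__":
    for ts, alerts in run_sample():
        print(f"t={ts:4.1f}s  {alerts or 'ok'}")
```

On the sample, the first two commands pass silently, the forced FF packet raises a counter-jump alert, and the repeats raise both a counter-repeat and a flood alert. The jump threshold is the weaker of the two signals, since a genuine 8-bit counter passes through FF once every 256 packets; the repeat and rate checks are what separate a human on the controller from a script.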
Summary
This case study shows why it is relevant to reverse network protocols when analyzing IoT devices. An attacker with access to the Parrot Anafi's Wi-Fi network can send forged packets to the drone and control its take-off and landing. This can be done from any device that can connect to Wi-Fi networks.
Resources
Bachelor Thesis, Jonas Rosenberger (me)
2024-12-28 16:13:00