
Drones: Where Cyber and Physical Security Collide

BSides Calgary · 2022 · 48:33 · 52 views · Published 2022-12
About this talk
Explores the convergence of cyber and physical security through commercial drones, examining vulnerabilities in drone protocols, counter-drone systems, and real-world incidents. Covers drone hijacking, jamming bypasses, exposed cloud-based detection infrastructure, and operational implications from Ukraine to corporate espionage.
Transcript [en]


[Music] I believe so. Uh, Twitch chat, if you can just give me a double check by saying you can hear me, that'll be terrific. Um, and look, that was the best elevator music I've ever heard. I don't know if you in the, uh, in the room were able to hear it, but, um, I certainly could. So, um, look, welcome. It's an honor to be here with you, although, uh, remote, so I do apologize I'm not there in person. I would take the opportunity to go to Canada for the first time, um, but unfortunately not this time. So today I'm going to give you a talk on drones, or the commercial off-the-shelf drones, uh, and we're going to be looking

at why the cyber and physical worlds of security are really starting to emerge. Um, and there are some really interesting challenges and threats throughout it. So this is a closing keynote, which means it will be, um, available to all in terms of the understanding, and so hopefully I can take you through that journey and we come out the other side okay. Now, a few of you may remember, um, a couple months or even a year ago there was a subreddit called Wall Street Bets, and the Wall Street Bets, uh, were trying to make stock market movements against popular companies like GameStop, and they were going up against some of the heavy-hitting hedge funds such as

Citadel Securities. And what's really interesting is, you know, when you're driving your car along the road, Google takes that data and they make sure that they can tell what the traffic is like or what your journey distance would be. As a matter of fact, though, if you're in a certain area or a building, your phone data also tells Google how busy that area is, depending on the number of phones in that room. So for example, when the Wall Street Bets group were trying to analyze everything Citadel Securities was doing, both their online and physical presence, they used Google's phone data to find out that at 2:30 a.m. there was a huge amount of activity in the building, which is odd

for a company that usually works nine to five. And so doing this type of OSINT, they realized, well, we've seen some physical activity, does anyone have a pair of binoculars nearby? Instead of binoculars, what is even better is having a drone being launched and live streamed to the rest of the group so that they can actually see what's inside of the skyscraper. Now, they're pretty high up and it's in the middle of the CBD, but someone nearby was able to launch that drone and be able to look into the offices and determine where they're packing boxes, where they're making trades late at night. You know, what can we do here using this footage in a way that combines digital

and physical ISR into a point where we can get to somewhere that's really hard to reach? Using this information they could do certain things: they could either continue to trade, or back off, or do something else. But regardless, I just really want to kind of explain the intersection of these two areas and how drones are incredibly useful to do this kind of thing, and a range of different topics which we'll get through today. Um, one of the reasons why we consider drones to be super important, it's why I do it as a day job all day long, is because they can operate indoors, they can operate outdoors, they can operate in many different weather types, they can

operate, you know, up near planes and helicopters but also down near people, right? And so they're not just like a, uh, an IoT-connected fridge which is sitting there in your kitchen, that if affected by a botnet couldn't do anything more than maybe drop some ice out the front. They really are kinetic, right? They can fly around, they can drop things, you can attach things to them, you can hack with them, you can perform surveillance, uh, cameras, audio, and what have you. So they're incredible tools, um, and that's what I'm really going to get into today. Um, just a bit of a background: so, uh, DroneSec, um, focuses on threat intelligence for drones, and you may be wondering why I'm

sharing this type of slide, and just because, you know, with the cyber security industry over the years we have seen it get to the point where our SOC analysts have seen hundreds or millions or billions of events per day. Drones are still at that point where we're seeing about 150 to 200 kind of major incidents per month, but that is going to ramp up, and I'll explain why. Um, but personally, you know, we started hacking into drones as soon as, uh, or as far as 2016, and we realize we have to start tracking the vulnerabilities, the exploits that come out for drones, how they're being utilized, the countermeasures that take down drones with

hacking techniques, and we want to try and document these TTPs. So we have a live drone incident map. Some of it is cyber security, some of it is physical issues, um, but when we get to the end of this presentation you'll realize why we bundle the two together. Uh, they really can't just be separate. Um, we actually are a team, so what happens behind the scenes is a team of, uh, red team operators, pen testers, Air Force pilots and military drone pilots, all of us commercial drone pilots as well, who wanted to focus on this area. Um, and so we've done a lot of research, and that's what I'm here to tell you today. Um, for myself, my name is Mike Mike

um, I have stood up OSINT and red team operations, um, within organizations, doing this against critical infrastructure, high-security facilities. We've done everything from open source intelligence to utilizing drones for these, um, and we see it as a great way to combine physical and cyber security to replicate a threat actor, right, and to be able to give your customer an experience of what adversaries could do to them. Um, I personally have created hundreds of CTF challenges, ask me about any of them, some of them are on GitHub if you want to enjoy doing some of those. And in my spare time or personal time I am very passionate about using open source intelligence for missing persons.

Um, Trace Labs, mpam are great organizations, but we also try to do that, uh, in our own free time as well. Um, and I do enjoy the nature and actually flying my drone, so we're not all here just about, uh, hacking into and breaching drones themselves. Now, I'm coming from Australia. When most people think of Australia, it's one of two images: it's often a cute cuddly koala, or it's a koala when it gets wet, uh, in the rain, or the alleged image that did the rounds a few years ago. Um, for me, none of these are really what I think of when I think of Australia. Um, personally, we have some incredible things like the Wollemi Pine. Uh, it

can be viewed via a drone. It sits in a national park, is one of the only trees found in a small canyon in Australia. It's from the Jurassic era, it looks really drastic and historic, and it sits in Jurassic Canyon. And, uh, I'm telling you this because if you want to do an interesting CTF combining drone footage, uh, open source intelligence and geospatial intelligence, try to find the Wollemi Pine. It's one of the most incredible efforts of our government, or of our National Parks Authority, to wipe information off the internet and keep its location a secret, a highly protected secret. It's an extremely fun challenge, anyone from around the world can do it, so if you

want to experience it and send me a message that you found it, uh, please go and have a look for the Wollemi Pine and find its original location and send me proof. We'll come over to Australia, I'll take you for a hike and maybe we can go find it together. So I want to start off just by talking about some drone incident trends, um, because, you know, we have the cyber security element, but what does that mean with the overall picture? Um, and we've seen in the news over even the past few days things like, uh, tracking IDs that have been leaked from DJI AeroScope systems, we've seen dros that have been up and encrypted, uh, we've

been seeing, you know, things like red team drones or malicious adversary drones that have Wi-Fi snooping equipment that sit on the roofs of locations and track that information. What I can tell you right now is none of this is new, and none of this is the highest impact points. Whatever is reaching the media at the moment is only the very tip of the iceberg. Um, and we're going to go through some of those, and we're going to reveal some of them, and we're going to keep some of them, uh, still protected but explain what happened. So why do we care about drones? Well, number one, as I said, they're getting larger, they're going further, they're

becoming faster, they're much cheaper to purchase, and they can hold different payloads of, you know, explosives or digital systems as well. And threat actors are using drones more and more. In fact, if you have a drone linked up to a system which you can route through, you can do a whole lot of different things, and it increases anonymity, it reduces the attribution or the forensics, and it just means that your malicious operations are so much more advanced. This is basically your, what you can call it, anonymous hacking, but doing it in the physical world with a physical barrier between yourself. And the problem that we face is, to a lot of organizations, they just see it as

this kind of magical flying box, right? They don't see it as IT equipment, they don't necessarily know that it goes through procurement measures, they don't know what kind of drone security frameworks and policies are out there. And what often happens is an employee will be a hobbyist and they'll show the value of the drone to a company, and that company will be like, this is awesome, let's buy some drones. However, because they're purchasing drones and it doesn't fit into their idea of IT assets, it just skips that process. So right now I can almost guarantee you that very few organizations have their SOC or have their IT management even including drones in their ecosystem, um, or their asset management or their

security, and that's why it's, uh, it's super important. In terms of what we're seeing within the drones and what they're actually doing today, the most common we see are drones flying across borders with narcotics or contraband. Uh, they're conducting surveillance against places for doing a robbery, they're intruding on, you know, baseball games and, uh, you know, netball games and that kind of thing that we've seen, and causing flight delays. The most dangerous side of things is where you have drones that are weaponized, and this can be with explosive payloads. It can mean, you know, before, critical infrastructure used to have physical security measures and controls, uh, for example for hostile vehicle mitigation. These days drones

just fly past anything that used to be there for hostile vehicle mitigation. Whether it was bollards, whether it's fences, CCTV, it doesn't matter, they get past that, and they can also aid in helping people get past that. So when we use red drones and red team operations, we'll often scout for low-lying fences, look out for areas where we can drag a rope or something with the drone over a fence, we'll be able to drop something in front of the CCTV camera. Like, there's an incredible amount of use for a drone to be able to infiltrate and then exfiltrate out of the facility. Terrorists and lone wolves like to use drones because it blends in with civilian activities. It's very hard to

pick up whether it's a genuine or malicious. Just like packet inspection, it's really hard to tell whether it's a legitimate use. And then lastly, we've got to think about the drone fleets that we own, or the counter-drone systems, which I'll get into, which are sitting on the internet. They are internet connected, they are connected to the cloud, and there are various opportunities to break into and manipulate those systems, so we'll cover that, um, today. And look, on a monthly basis between 150 to 200 incidents occur. Some of these can be hijacking of drones, some of them can be physical incidents, others can be mitigation events, um, but we track these and log as many as we can to try

and determine what's new or what's quite old and existing. When a drone incident occurs, this is something like what you might see: various payload droppers with narcotics and string and the drone itself. In other cases you might have remote trigger IEDs that link to 4G SIM cards so that the drone can explode on trigger or on command, or sit there and wait with a timer-based IED. That's often used by cartels or militants. In other cases you've got drones with, uh, propellers that try to reduce that noise, or modifications which help it go further and defeat no-fly zones. So something quite interesting that I just want to add to the impact here is what other technology, other than

hacking, has been used against militaries. And often military uses military equipment, but in the case of Ukraine, for example, in the very first days we saw, for example, the Russian army, the Ukrainian army using commercial off-the-shelf drones. And the complete risk here is that these are systems that have not been tested for vulnerabilities or security implications, yet they're using them above their group to assess the field and make sure it's safe, they're using them to guide artillery fires, they're using them in close quarters combat. And so when you think about the risk there, it's immense, but the reason they're doing this is because the innovation has led to these systems being so incredible that even the

military wants to use them, right? They beat other military systems, and that's just to show you the impact they're having. And so where there are drone vulnerabilities or exploits, they may apply to defeat a military-based company that is using these in the field, so the impact is certainly there. Something really interesting was, in the first part of the war, you know, the Ukrainians were using a lot of these drones to drop weaponized payloads or to identify any assets, and one of the key concerns was that, you know, their drones were being picked up by these detection systems and the operator himself was being picked up, and then guided artillery fires being sent to his position. And what ended up happening was

they were losing these pilots. And so one of the things we took up as a company in terms of research was, we've been seeing all these really interesting tactics, techniques and procedures used by adversaries for quite some time, right? We've seen criminals use it, we've seen, you know, militants and cartels use different techniques, we've seen journalists use ways to, you know, protect their drones from being spotted. So we actually took all these TTPs, we validated them in the field, and we put it into one guide, one document. It was called the OPSEC guide for drone use, and on the left-hand side we have the various things we covered. Some of them not relevant for cyber security, you know,

day and night camouflage, or, you know, um, you know, recording hygiene, takeoff and landing, how you would land a drone to avoid being detected. But in some cases, you know, the firmware modifications that hobbyists and hackers and modders have used are incredibly important for security and hygiene of these Ukrainian troops. Same with when you unbox the drone: how do you remove that drone ID, how do you remove the potential for it being picked up, how do you avoid certain countermeasures, whether it's GPS or RF or Wi-Fi based, how do you spoof your location so that if artillery fire is focused on the drone operator's location it hits a random place over the border instead? So an incredibly useful guide,

and something that, you know, if you're looking at protecting your organization or using them in red teams, you need to be analyzing what the threat actors are using today so that you can replicate that. And so the face of cyber and physical change security, uh, is absolutely changing in a way that, you know, maybe we didn't expect a few years ago, or should I say, um, maybe we didn't expect, but we certainly have seen the impact. So Telegram and other kind of social media channels have been used for a long time to organize different types of meetups and groups and protests and activism. We saw an increasedness of this in the COVID-19 protest, for example, where they

were using things like ATAK to try and guide drones. They wanted to fly them remotely by a laptop to try and spot police positions, get around some of those police positions, uh, use drones as an impact device on police drones, you know, a various number of things they could use with drones. And a lot of those TTPs end up filtering through the protest, so we've seen in Canada, South Africa, Germany and so forth. Some of this information included, uh, you know, bypassing the drone ID, or conducting or doing better firmware to try and remove yourself from being detected. But what's really interesting is, in some of these chat groups, you know, they communicate as to how to protect their own drones from

being detected. They talk about mesh networking, uh, covering their tracks, how to land and take off, um, by restoring control or doing automated waypoints. And this is because there are countermeasures there that can detect it using radio frequency analysis, and using protocol manipulation to take these drones down. We've got a section on that, we'll get to it. Um, and then of course, you know, the last bit always makes me laugh a bit, because, you know, they're making introductions to each other just like we are at a conference, you know, making introductions, finding out people. They do the same, to try and introduce them to someone else who did a drone attack in another part

of the world. So these organized criminals are getting, um, more and more organized, they're getting more and more centralized, they're putting their TTPs and tradecraft together and making sure that they can do actions with drones, uh, that might subvert our own types of operations. Um, if you think of any kind of breach forums or hacking forums today, a lot of them will focus on hacked accounts, you know, CCs that have been stolen or lifted, breached passwords or database dumps. Um, these days we're seeing more and more of this kind of thing, you know, people that are selling the schematics or blueprints, uh, or the documentation of drones. Uh, this one was going for around

18,000 USD, and it was a military base drone. And I mean, obviously the issue here is that adversaries might take these blueprints, they look through them, they're trying to reverse engineer some of those schematics so that if they intercept one of these in the field, or they come across it, they might be able to use those exploits to take it down. A similar kind of thing with just for sale, right? We went from selling credit cards to selling loitering munitions. Um, if that's not a 2022 kind of thing, I don't know what it is, right? Because, you know, with all the munitions going into Ukraine, a large amount of these have found them for sale on, you

know, popular forums on the dark web, or even sometimes on the clearnet. And some of these sellers have been selling, you know, hacked Netflix accounts for the past few months, and then suddenly, ah, I've got a Switchblade 300 for sale. Um, an incredibly interesting change on from cyber and physical security. A similar kind of thing is happening with, uh, drones. So not just the actual physical drones are being stolen and then used to conduct, say, contraband drops, um, or other nefarious reasons, because obviously there's a serial number on that drone and it doesn't belong to them, so it provides an even greater degree of anonymity, but they're also stealing, uh, and hacking

DJI accounts. And it's quite useful, because if you can attach someone else's account to yours when you're conducting some kind of malicious operation, it really does help with anti-forensics and the attribution of that. Um, and this just means that you're not going to catch them actually purchasing the drones from a store, there's not going to be point of sale information or CCTV. Um, and so a lot of these stolen drones, yes, they're used for contraband drops, but some of them end up in places like Syria, and you're trying to look at how drones can end up being used for terror supply chains. Um, and a lot of that is being stolen and then sold off on various marketplaces.

Um, we actually built a tool for this. I'm just introducing it here as it might be useful for you if you do fly drones and it's stolen a lot. You can upload the drone itself with the serial, but it's also quite useful for OSINT purposes, so you can decode, uh, serials on here and find out the manufacturing date and model and make and all that kind of thing, especially if you come across it. But if you do come across any drone data online, you can quickly check what kind of drone it might be, or who owns it, and so forth. On the back end it was quite an interesting project, because, you know, we set up this open source intelligence

scraping tool which took that serial, and it looks through all the databases of different marketplaces, and so if it finds a match, which has found a few already, it will then alert the person who uploaded that and say, we found this serial online at this place. We first thought it was just for stolen drones, and then we had companies coming to us and being like, can you just upload all of our serials so that if our serials appear anywhere on the web, that you're able to find it and look out for it, almost like, you know, breach analysis. Um, at the same time we insert these serials into various hardware detection systems around the world, and so if they

spot, using RF analysis or Wi-Fi analysis, they spot that serial in the air, they're going to alert us as well, or potentially take it down. Just something interesting, uh, when you get to drone data and what those kind of IDs are and how you can spot them online. We also try to find a large amount of what is new, right? Um, what is something that they've just found out, a new exploit, a new vulnerability, or even in some cases, what is the hardware that they're putting together. And most of you may have seen the videos coming out of Ukraine of, you know, payload droppers. Um, and if you don't really know how some of those

payload droppers work, uh, the drone has, on your controller you've got a little button, you can press the button and the auxiliary light comes on for the drone, which means that the base light turns on. These droppers are, you know, created to receive that light. When they receive light, the dropper drops, which means it's very easy to just use a button on your own controller to be able to drop something from it. What we're starting to see is, you know, various modding and hacking communities creating these types of things, whether it's payload droppers, whether it's, you know, there's, um, you know, firmware to be able to do this, whether it's even bypasses for some of

the, you know, fly zones, and being able to share this or even sell it, right? And if any of you remember, maybe it's still happening, but back in the old days there was, you know, thirty dollars for this hacking tutorial, for the script or something. That's essentially continuing in the drone space. They're selling them online, but then people are able to go and print that off or be able to use it on their drive. It includes things like extended batteries, um, ways to make your drone go further and bypass certain controls and so forth. And so, you know, we want to take a quick deep dive into drone cyber security. Um, if none of you have heard of it

before, I'm sure some of you have, there's the Blue sUAS program that stood up in the US to make sure that drones are protected to some degree against hijacking, spoofing, dialogue exfiltration and so forth. Um, and so when we try to explain that, uh, from a base standpoint, you know, number one, if you can carry C4 with explosive ball bearings on the drone, you can carry a wireless, uh, at monitoring device as well, depending on the power and the weight ratio and what it requires. Often FPV drones are not the best bet here, you'd be using a larger drone that can have extra battery packs or whatnot, but there's a range of devices that are able

to be modified to suit the needs of including a cyber security element. And I'm going to go back to the basics here, but, um, if you weren't so aware, a single drone is very much like a single computer, um, and the way it acts. A commercial drone flight as a fleet is almost like an enterprise network. They have a central node which can often control a one-to-many situation of multiple drones at the same time, and not always, but sometimes that node can be able to take off, land, send waypoints and so forth. And then you have counter-drone systems, um, and often these are seen as kind of the anti-malware or the anti-virus of the

drone world. They are there to detect bad drones and be able to take them down, and they use a variety of identification purposes for that. Um, a typical drone stack is very similar to computers, right? You still have IP addresses with the various system components talking to each other, using traditional computer protocols and networks, um, IP addresses to send that information through, and again connected to the internet to send that information. When a drone is actually working in the air, you have your application talking to the device, the device is connected to the controller, the controller sends the controls to the drone, and the drone replies with its video link back to the controller. And of course most of the

time it's also hearing information from GPS. Now, what ends up happening with the majority of drones on the market today is that they're connected by the internet and they're constantly sending all this information back to the vendor servers, such as the location of the operator, the location of the drone, if they're allowed to be in that area or not, you know, information such as the user. So there's a lot of data that is surrounding drones at this point in time. Now, back when, uh, when Wi-Fi drones were a thing, uh, still there's Wi-Fi protocols, not so much, um, in terms of the weak and vulnerable side, but I just want to give you an idea of how easy it was to breach

a drone back in the day. So often, just like a monitoring device, you would scan the air for MAC addresses. Uh, you'd be able to find a MAC address that matches a drone manufacturer, you could connect to that wireless network, um, either it was hidden or public, and again using existing vulnerabilities or brute forcing methods you could just drop into one of those ports, whether it's Telnet or SSH. You hop into the operating system, you identify your own IP address, you identify the operator's IP address, and once you can see theirs, you're able to use things like iptables, because again it was a generic Linux box, to be able to block out that operator,

port the video stream to your device using various stream methods, and again port the controls as well, and then fly that drone away. Now, that was quite a golden era of drones with inherent weaknesses. Um, drones have changed since then. They've got various protocols, um, and, um, I guess technologies that are part of all their stacks. We have the Parrot drones, for example, some of them are connected by a 14. then they use LTE and GSM. We have other drones that are still connected via Wi-Fi and Bluetooth and operate on some of those standards that we know and love, and we also have a range of drones that operate, uh, via RF,

so your software-defined radio principles. You've got OcuSync, you've got Lightbridge, you've got other kind of manufacturer, uh, proprietary systems, and when you look at all of these, they all have their own separate classes of vulnerabilities or exploits, different types of attacks that apply to them. Um, and so when you're looking at a specific drone, if you're testing that drone, you need to apply the same kind of standards that you would to that protocol or communication stack as well. And if you're in the field and you're intercepting a drone as well, you would need to know that to be able to counter that. Um, and so today a large amount of the countermeasures will either be

vanilla GPS jamming, or it will be based on some of those protocols we already know about. Now, many of you know about, um, drone light shows, and of course they're at the Olympics. Um, they love them because they are less pollution, uh, it reduces the chance of bushfires, especially here in Australia, and you've got three to five hundred drones, sometimes more, making beautiful pictures in the sky. Um, of course we all thought this innovation was great until we realized, you know, these drone light shows are connected to a central node, and often these can be exploited, and they have been, as in an upwards trend. So over the course of 2020 and 2021, and then

recently in 2022 as well, we've seen drone light shows affected by people trying to hack into them or breach them. So they'll often have a lack of wireless security, you can do a denial of service to their ground control stations or drones themselves, and try to manipulate that ground control station. Um, and so this is something where, you know, if this occurs, the drones will do one of two things: they'll either drop out of the sky, or they'll do their return-to-home mechanism. Here you can see them hitting cars, bikes, falling on people. In this instance it was allegedly another vendor who lost the contract to fly the drone show, and so they knew how

it worked, and so they went and jammed their competitor's drone show, um, causing a bit of mass hysteria there. And I just wanted to think about, you know, we are getting quite lax with the fact that we can have these hundreds of drones in the sky above people. If you think about manipulating that control, or potentially sending them in another direction or a flight path, it starts to get quite dangerous. And so this is something where I know personally security firms have offered their services to drone light show vendors, and because it's all about the innovation right now, they're going without, they're going without testing or security. Um, so it's incredibly important, if you

are a pen testing firm, I highly recommend you either try to get some of these drones to do tests on them, or go to that vendor and ask to do even a type of test to identify the risks, because, you know, them showing safety and security, um, built with that in mind when they go to the council, they go to an organization to do this, uh, just makes it a safe place for everyone. And so this occurred in Australia. Um, we didn't see it happening in Western nations as much, but in Australia we had a drone light show happening in Melbourne at a Docklands area, and an actor, allegedly with only a 350 piece of

equipment, I'll let your minds wander to anything from HackRF to a Yagi setup, um, interfered with that entire show, and so they couldn't take off, they couldn't operate. And so we had various law enforcement agencies over here trying to track down the source of those attacks, which of course you'd be looking for that power output, you'd be looking for the various technologies trying to do that. In this case he was found and arrested. Um, and by the way, just a comment for the Twitch chat, uh, if you've got any questions, do put them in, I'll get to it afterwards if we have time. Um, and so it's not just about the drones, and of course I want to give you an

overview of everything within the cyber security here. Um, and if you have further questions or queries, you know, please come talk to me, and I've got many other presentations like this. But what we're seeing is physical outcomes as a lot of digital links relating to drones, right? Um, if you look at DJI, they have a public bug bounty program, as do Parrot. Um, if you look at the number of subdomains they have, they have an incredible attack surface. Um, this was some of our own research a little while ago where we're just seeing an incredible amount of, you know, fleet servers, you could find counter-UAS or AeroScope servers, you can find UTM and

places where they're storing this information um there's a huge attack surface to run all these these systems and yet there's still a lack of you know Focus Security on it um and so I'm going to take you through one or two huge vulnerabilities which occurred which did not end up making the news because it was responsible disclosure but I want to give you an idea of the impact there um simple Google dorks to search a company that you know has a drone program they often end up having manuals that they give to their suppliers or their contractors or people who run their drones um sometimes it's internal sometimes it's external and so finding these documents means that sometimes you see

where these Technologies the platforms store information in this case we found a critical infrastructure firm had hired a company to do the analysis and this firm would never let a USB go in and out in or out of their facility they were never allowed to take photographs or take in Mobile phones yet they allowed a company to come with drones and do 3D modeling of their entire infrastructure down to the centimeter extremely close-up visuals information and again when a drone is flying in an area it can sometimes pick up things like the nearby Wi-Fi networks the Wi-Fi networks that's connected to scps locations you know all those kind of Juicy things which should not be on a vulnerable S3 bucket so

we've seen everything from Azure storage blobs to S3 buckets containing this information and still today utilizing something like Grayhat Warfare if you do have a drone program go and look for your own company or any data that may relate to it and there's an extensive amount on there far too much to be able to responsibly disclose a similar kind of thing with these drone Fleet dashboards a lot of these dashboards allow you to launch land drone set waypoints and a lot of these companies will have their front page you know that they've got a drone program or they advertise but they've got a brand new drone surveillance program and that company is affected by breach

credentials and the problem is a lot of these users will of course use those same credentials to log into their normal systems as they do into their Fleet Hub servers or their different control modes and so we have been able to log into and again responsibly disclose a report to various customers that their same breach credentials even though they may have changed it internally for their domain Works to log into their drone Fleet and be able to control those drones or disable them which is the first thing an adversary would do if they're trying to compromise a physical location it's trying to disable the security or the surveillance systems as well a similar type of thing with law

enforcement utilizing drones so there is one law enforcement um Department Chula Vista um in the US that publicly and transparently puts all their flights online and they do that for a reason so that there's trust and transparency in the um in the public but for some of those that do not realize that these are public um they're uploading all their flight data to places where they can analyze where they went what their batteries were like what occurred and so forth the issue is a huge amount of these not just this platform but a huge amount of these platforms are not private by default they haven't got security built in mind and so you can use simple Google dorks to search for it

or you could use brute force um in in terms of IDORs or whatnot with Burp Intruder to go through and find all these different flights and if you use start using a few dorks based on the name the date or the location or the type of drone you can really refine who you're looking for the problem with this is some of the some of these systems allow you to view the flight but they have allow you to view the entire flight log and the drones uh log files and downloading the log file as you know there's a lot of software out there you can do this with whether it's Flight Reader or some of the others

CSV View and so forth you can assess the drone's serial numbers both for the batteries the control of the Drone itself you can assess who the pilot was the GPS locations if they've taken it home and flown it if they've flown it from sensitive locations there's a huge amount of Juicy data in there to be able to look at and do forensics on and sometimes includes photograph thumbnails even when they weren't meant to publish that so again a lot of these occur because there is a hobbyist employee they're bringing drone in they demonstrate value and then of course the company doesn't procure it in the same way as everything else at the and so I kind of want to get to the

culmination of this which is um and I don't think this is a quote but it sounded like a quote when I wrote wrote it uh it was where there is sec there is anti-sec um and just to keep in mind you know the public is becoming more and more aware of counter drone systems right um which are the systems that bring drones down and there's various methods um you've got kinetic methods such as shooting it down with a shotgun again losing all that forensic juicy goodness you can take a drone down with a net um but there's also you know protection measures installed on the Drone itself like no-fly zones and no fly zones are a

bunch of coordinates sitting on the Drone they can be removed by the the modder or the owner of the Drone and then you have electronic countermeasures so you've got GPS jamming or RF jamming which jams the connection between the controller and the Drone makes it return to home or land on spot or you have protocol manipulation which is the nicer way of saying we've reverse engineered the protocol and we can spoof those commands back to it and tell it to actually do something so instead of just jamming the Drone you're hijacking it you're telling it to land in a certain position right we don't really do the Eagles anymore that was a thing of the

Netherlands police who attempted it um number one the talons of the eagle were quite strong at the time and so it could take down a single drone but very quickly they realized it wouldn't work with an entire swarm or Fleet of drones um certain hacking groups have started purchasing these drone guns as I was mentioning before um that have some of these jamming mechanisms and they're trying to create software bypasses to try and bypass the energy or the or the power or the jamming enacted by these systems and so for example Neo booster allegedly now protects against some of these handheld jammers so adversaries are actively looking to create TTPs and technology against counter-UAS so that they can fly

in zones that they're not meant to be no fly zones um or military zones and so forth so number one we need to be aware that this type of thing is is enacting the second thing is the AeroScope it's been in the news a lot recently um for a breach that apparently affected about 80 million um drone IDs which means that system has sat there and detected a bunch of drones in the air and then that information has been stored somewhere and been leaked um a couple of years ago Kevin Finisterre um DJI reverse engineering group um were able to put out a spoofing script for the AeroScope mobile this basically meant that it showed thousands

of drone swarms in the area with random information uh and made it seem like it was overloaded and they couldn't find out what was actually signal or noise pairing this with the ability to remove your drone ID or remove that identification means that you could fly silently in one of those areas if this was disrupted such as active scripting and operation to create things that will bypass some of these countermeasure systems and you know a few years ago we started this research question uh and it was a little bit bold but we said you know how many drones are actually available and accessible by the internet even if they're accessible maybe we'll simply get the uh

I guess the information from the not the control but we weren't expecting um to be able to find more than a drone in fact we logged into a system which had elements of drone around it we contacted the vendor first so we said we've located this we want to analyze that in a bit more detail and what we saw was a control panel uh which basically gave us these options and when choosing option two we realized that we could completely deactivate a counter-drone system uh and so thanks to Shodan we extended that search result to a whole bunch more and found hundreds of counter-drone systems accessible and manipulatable online um this wasn't just systems that had API

calls that you could interact with and find the information that they were viewing it included the entire dashboard to launch drones take drones down stop the system from working and a lot of these were you know actually protecting live assets in the field um and it's incredible because a lot of these are cloud-based now right so customers want it to be remotely accessible via their SOC or they want to be able to remotely log into all these various sites around the country and the problem is counter drones are also under a lot of pressure to raise start funds and to innovate very very quickly and get into their customers hands and so security isn't necessarily

the highest priority um and so your adversary who is looking to fly a drone in a certain area the first thing they're going to do is try to look up the the IP keys or the the IP blocks belonging to that company and be able to find these countermeasure systems online what we ended up finding was everything from our major airports the leaking data of even sensitive drones flying in that area to finding their GPS locations and then being able to log in and one of the key things about finding even just a GPS location of a drone detection system online whether it's via Shodan or vet whether it's by even Google cache is that you can find the physical

location and conduct physical operations against it and so within Ukraine as many of you may have seen a number of their detection systems um went down over a period of days and some of them went down just a few days before an attack occurred where drones were involved in doing intelligence surveillance or reconnaissance now there's a lot of questions over whether it's coincidence whether it was a coordinated attack trying to view the log files and find out what happened but if you are able to see this online and the pictures of those those dashboards were shared online at various Telegram chat groups once you see that GPS location you could do a targeted artillery strike you could have a human

in a non-conflict Zone going physically disable it pull out the power disrupt it protecting the location of your counter drone systems is incredibly important it's like leaving the IP address and the dashboard open to your EDR or to your antivirus system open to the world right it's a little bit useless and so this type of thing meant that an attack could take place they could use drones in the area they wouldn't be detected and they'd fly out under the radar and so I want to kind of leave you with uh one last thing before I I um come up with a conclusion and I know we've covered quite a few things today it's been a little bit all over the place but

that is the the scope of drones and counter drones when it comes to the digital security space right um You also almost have to know about the counter drone Arena before you start looking at drone security because inherently they are the same thing and some of the most popular counter-drone systems on the market today are a bunch of hackers working on reverse engineering the systems and the protocols and using SDR exploits or on attacks against these types of drones um and so I just want to leave you with anti-forensics now when a raid occurs often police will try to seize a removable Media or hard drives or things like that and in a rush when a raid

occurs usually there's not enough time but if someone gets a heads up what they're usually trying to do is throw their hard drives or removable media into a microwave or bang it with a hammer something that's been floating around in various groups on a technique to use when you are being raided uh came from Russia so there was a Kremlin raid on a Putin opponent one of these was a journalist and he had a bunch of hard drives he was a little bit scared about putting these hard drives online um or putting the data from the hard drives online because some of that was tracked and assessed and so he set up this drone uh path so that when he got

raided and he heard them coming to the door he immediately launched the Drone carrying those hard drives it flew to a friend in a neighboring tower and was able to deliver those hard drives in a way that it saved the hard drive material there was no disruption there was no evidence of Destruction he simply didn't have anything to investigate we've now seen this popping up where certain adversaries will say hey here is a drone data exfiltration methodology if you're doing something naughty of course we all know that you know police would now arrive at the counter drone system so I've got a few closing remarks here um and I think we're just good for time which is uh good but you know drones and

counter drone systems they are cyber physical right um we're starting to move into that Arena where the physical systems we used to think were hackable are not quite the same they fly they can carry payloads they can be have devastating impacts on and effects on people um and they're a great extension to hacking and Red Team operations as well right um today and we see this all the time there are major vulnerabilities and data sovereignty issues affecting a lot of UAS um The Fleets the counter drone systems there are great efforts with the Blue sUAS program I know there's great companies as well like Dark Wolf Solutions um in in North Americas as well and

they're able to do drone pen testing and things like that um there are just so many systems out there that haven't been scrutinized through this this information and so what we need is actually more people uh on the drones Arena as I said the scale is increasing so rapidly that we're looking at millions and millions of commercial and hobbyist drones and the commercial space is growing quicker than hobbyist right now and so we're getting to the point where many organizations can't operate anymore without drones to do those kind of dirty and dangerous jobs so we need people with an open source intelligence we need people within RF and SDR skills we need pen testers to kind of join this Arena

and if you're looking for maybe a field uh change or a career change to focus on drones there are a lot of jobs out there there's some large companies who are working on drones who need that support and they are hiring and it's a new space where you do get to make your mark and find new things and be able to publish that um to be able to make an impact and then lastly if you are doing analysis in the space and if your company offers your own pen testing or red team operations you need to understand what the threat actors are using today and how they're using that so you can replicate some of their TTPs

uh in your red team operations it even gets to the point where you're going to have counter drone systems asking for a test and evaluation can you breach their system via a drone or can you also breach it by the internet and then fly your drone so there's a lot that cyber security can do in this space because they're inherently computers we're just not seeing enough of that yet so that ends my presentation I hope it was a little bit of an insight into delving into drones and so forth um you know there's a great article as well called DroSINT which is drones and OSINT if you're looking at using OSINT within drones uh that's by Intel

Inquirer um you can also just Google DroSINT we do have a slack group uh dronestack.slack.com if you join that we'll be able to discuss various aspects about drones vulnerabilities hacking and so forth and we do also have a drone security training course and I'm not here to pitch that it's just it goes into a lot more detail many more hours of this that we can't fit into a single talk it's the reason why we made it um and we're happy to offer 20 off to participants here if if it's what you're looking for so um to the organizers thank you for having me I'm sorry I couldn't be there in person really enjoyed giving the talk appreciate

everyone for giving your time um and uh I'm happy to answer some questions if the organizers tell me that's okay to do I do see one or two questions um so I see are there more secure drone vendors than others hopefully hopefully I can answer these I'll wait for the admins to tell me if I can answer or not

okay so there's one or two questions I'll just cover those are there more secure drone vendors than others so the first thing here is that Blue sUAS program they've gone through a number of phases but it basically means that they are certifying which vendors create secure products right it doesn't necessarily mean the vendor itself is more secure but they've created a product which meets the standards the security guidelines and Frameworks um of as I said hijacking denial of service data exfiltration and so forth so there's a number of drones on there you can go and look up that list just Google Blue sUAS and it will tell you which vendors are more secure than others I will caveat that

because it needs to be said by the fact that if you go more secure it's going to be more expensive and so you need to be aware that if you suddenly want to buy an entire fleet which is um you know secure suddenly you're going to have to put up a little bit more money um but some of those vendors are putting in the effort and you can find that see if there's any others here um no I don't see any others yet so that might end me for the day I really appreciate the time and thanks for having me everyone