
[applause] Thank you everybody. All right, I do have a couple questions for you all. Who here has flown drones? Who here wants to fly drones? Yeah. All right. Who here is scared of drones? You should all have your hands up. All right. So, good afternoon BSides and welcome to Drone Blind Spots. Today we're going to be talking about pentesting the airspace above critical infrastructure. So, we need to define critical infrastructure. CISA, the Cybersecurity and Infrastructure Security Agency, defines these 16 sectors as critical infrastructure. All of them are vulnerable to drones, some of them more than others. The ones here on the right are our supply chain, our water treatment facilities, our power grid, our transportation systems, chemical refinement, and our dams.

Speaking of dams, who here has been to Henry Hagg Lake? Well, this is the perspective of a dam technician. The photo is, you know, quite beautiful, but I would ask you all to see if you can find anything strange about this photo. It's rhetorical, but there is an anomaly here. So, what could that be? Is it a bird? Is it a plane? Well, if this dam had been equipped with the most basic of DTI systems (that stands for detection, tracking, and identification), it would know immediately that this is a Chinese-made DJI Mavic Pro 3. And that drone is really there. I'm flying that drone. This is what the drone sees. This is about 1,500 ft away. It's very far away for where a drone would normally take photos. This is 7x zoom. We can now see our technician standing over there near the dam spillway. This is 28x zoom. Our technician is now waving at us. Well, that's not a dam technician. That's my coworker Noah.

And I am Alec Hunter. I am a cyber-physical security consultant for Spookseac. I specialize in IoT and physical pen testing. I'm a licensed locksmith, private investigator, and Part 107 pilot. I provide drone services to Oregon and beyond and have been doing it for 10-plus years. I am pretty decent at following the rules, but I don't always like to. And the reason I talk about rules is because getting that photo was not easy. There's a lot of rules around drones. So, that blue X is where my drone was when I took the photo. There are some problems with our LLZ. That stands for launch and landing zone. I can't launch environmentally because under trees, if the drone loses connection, it will try to come back to me and it will land on the canopy. How am I going to get my drone? I can't. So, I have to find a new LLZ. In Washington County, I can't fly a drone at any of the parks. I can't fly over, launch, or land. I also can't LLZ private property without permission. That's really difficult to get sometimes. I can't stage my drone on a shoulderless roadway. That means I can't take off on this stretch of land in the forest. In Oregon, you cannot fly a drone over critical infrastructure. Federally, you cannot fly a drone near a dam. Kind of the same restriction. It's 400 ft at the ceiling and on the sides. However, if you look at the bottom right there, you'll see a little blue triangle. I was able to take off there. That is okay as long as I'm following the Federal Aviation Administration's rule sets.

Let's talk about more rules. So, if you're going to fly a drone, you have to be flying under one of these rules, TRUST or Part 107. Part 107 requires an exam. It's a very rigorous and arduous process, but for the most part, they have the same rules. Everything up there is very basic. We need to register our drone with the government, mark it like with a license plate, and the drone has to have a Remote ID. That basically is a Bluetooth transmission that tells you where the drone is and who's flying it. Anyone around who has the receiver knows that there's a drone flying and who you are flying it. There's a pre-flight checklist you have to do, and you always have to maintain visual line of sight. You can only fly up to 400 ft, with the exception with Part 107: you can do it over a structure, so 400 plus the structure's height. You have to respect temporary flight restrictions. But the cool part about Part 107 is you can make money. You also get access to waivers. The money part is how you pentest with a drone.

So there's a lot of rules here. Who doesn't follow rules? Adversaries don't follow rules. Why would you? There's so many. It's kind of ridiculous. So, this is kind of where critical infrastructure sits with defenses. There are laws and rules. There's pre-mitigation. There's access control. There's detection, monitoring, there's triage, and there's response. There exists mitigation for both a ground and an aerial threat. The difference is an aerial threat is the capability of the drone times the intent of the pilot. It's a little different than doing physical pen testing when you're on the ground. Now, here's the gap. That red is something none of these facilities have for the most part, unless it's like a military defense base, but some zones were smart enough to get a geofence, which you can apply for. And if you're flying a DJI drone or any of these other name-brand commercial drones, they won't let you enter the no-fly zone. Their firmware doesn't allow it. But for the most part, your risk as someone on the ground is extremely high. You're probably going to get caught, probably going to go to jail. But with a drone, the pilot, it's virtually zero. You're not going to get caught. And I mean, almost no one gets in trouble for flying drones in general. So, even if you're breaking all those rules I just taught you, okay, prove it.

So, CISA has said that we should probably start considering implementing drone detection, and it's a part of their error aware guidance, and that's what we're going to talk about next. This is the aerial defense program life cycle. The first thing we have to do as operators is establish legitimacy. It is much easier to do this when you work for a company that's already providing physical pen testing services, because they can just add aerial assessments as something to do right now. Getting buy-in is its own talk. I had to cut it from this one because it's not long enough. But this is the definition: get the right people to say yes to your plan, your terms, and your resources in writing. If we can get past that, we're in the site threat modeling and pen testing stage. That requires an initial assessment. We perform some scenarios and we give them the pentest report. If they like what they see, if your recommendations are good, they might implement DTI or C-drone. C-drone stands for counter drone. We have to tune those systems and then we have to retest all the scenarios we already did, and we'll talk about that. But the end of the life cycle is basically constant red air operations.

This is the reality of someone who works as a W-2 employee and someone like me who started as a 1099 trying to get buy-in with a lot of different companies to hire me to do this. It is endlessly difficult to try to be a 1099. I will tell you right now that if you work as a defender or a pentester, you're going to have a lot easier of a time trying to convince your leadership to let you be the drone guy than to be a drone guy and try to get a company to hire you to do pentesting. So the first thing you'd have to do is you have to form an LLC. Then you have to get general liability insurance. You have to take on the liability of how you store data. You have to do quoting, negotiation, contracts. The liability is really on you. And then you have to coordinate your travel logistics. You have to go out of pocket on getting the Part 107. And the authorization again is the hardest part. But at the end you need a drone. You need a lot of drones. There's different drones for different missions.

And let's talk about some of those drones. But first we're going to define what a drone is. So drone is informal. That is an informal term for a UA, an unmanned aircraft. Basically a small unmanned aircraft is under 55 lbs. And that last S that we append on the end means system. The system is this. Then these are what are colloquially known as drones that we see, you know, DJI and all those other ones. This is what it looks like. I made it color-coded so you can understand what the parts are a little easier, but it's an airframe, a power system, a propulsion system, guidance, navigation and control, payloads, and a companion computer.

These are the ones I recommend to anyone in this room who wants to try to get into this. If you are a physical pen tester, you should own a drone like this. These are the DJI Mavic, the Autel EVO, the Skydio 2, and the Parrot Anafi. I want to warn you, there's a little warning symbol next to the Chinese-made drones. It is very likely that in the United States of America in December, Chinese drones will be banned. I don't know how, but some sort of airspace restrictions will apply. These are the drones that counter those drones. These are three examples. There are so many counter drones now. But the Skydio X10, if you're a defender and you're trying to create an aerial defense plan, this is the one you want to get your company to buy you. This is the one you want to pilot. It's American-made. It's going to be approved. It's compliant, and it's really cool. The other two are not really going to be mentioned, but I'll explain what soft kill and hard kill means. Soft kill is I want to capture the drone flying in my airspace, and I want to do forensics on it. Hard kill is I don't like that drone in my airspace. I'm going to destroy it. So, Anduril's Anvil here is actually a drone designed to crash into a drone in the sky. It does it very accurately. It's quite cool.

But every defender on site should have one CUAS (I should have said this with C-drone, but SUAS is the small unmanned aircraft system) and staff at least one response pilot. So if you're a defender, you should be the guy at your infrastructure site that flies a drone, because you have only one thing you can do as a defender against a drone in your airspace, and that is follow it back to whoever is in your airspace. The cool thing about that is when a drone enters your airspace, there's already limited battery life left. So if you launch your drone from your site, you can basically follow it back to wherever it goes. And that guy wants his drone back. These are expensive devices, right? So you can take photos of them. You can get the car that they drove in. It's really important. So this is really the only defense you have. You can't hijack them. You can't hack them. You can't jam them. It violates a lot of other rules, but it's very important.

These are called do-it-yourself drones. Now, who here has ever built a drone? Great. So, a Whoop is an indoor drone. I mean, it flies outside too, but they're primarily used for indoor stuff when you're doing red air. The racers are what you would expect to see in Ukraine and Russia. And the heavy lift drones are your heavy payload drones. You can do a lot of cool stuff with that.

And I have three drones I'd like to show you today that I've built. This is a vulnerable drone. And I'm prefacing dog-and-pony show here because getting buy-in, that's a huge part of getting buy-in. When they do agree to meet with you, you need to prove to them that you are the guy and you have cool things to show them. This is sort of a wow-factor thing. The vulnerable drone here is in an RF chamber at Novas Labs. They're local to here. It's running ArduPilot and PX4 vulnerabilities, and it has a companion computer that you can learn hacking on, and you can learn how to reverse, jam, and hijack the drone from within these chambers. So, it's a really unique drone for that. It's a training drone. The next one's also a training drone. This is a threat effects training drone. This does not bomb anybody. I have the Against Warfare drones, but this one is going to simulate what it feels like to be someone out in the field and have this chase you. Being hunted by a drone that can go 90 miles an hour is not fun. So, it never collides with anybody or anything. And it's just used for that, just to teach people that psychological effect of being chased by a drone. This is an AI recon drone. This drone flies itself. It also collects all the signals, processes them, and triages anything that's interesting. And it also acts as a mothership. On the bottom there is a drop mechanism that can drop a small Whoop. And the drone acts as a relay. So the control link can be shooting to it through a Yagi from miles away, and you can actually get the feedback in your FPV goggles and fly the small drone until the battery is out. So you can do a lot of things with drones. That's kind of the point.

When you do get buy-in, the first thing you're going to do is an authorized initial assessment. This is what we call a site threat model. You're going to be looking for observable and actionable items on the site and anything in between. There are observable and actionable items. I'm not going to read them all to you. Take a second to read over them while I explain what a threat profile is. Really what we're trying to do here is we're taking that recon drone, that C-drone that you all purchased as physical security practitioners, and you're going to go and you're going to take photos of all the critical assets on the site. You're doing this from a competitor or an espionage perspective. The reason we're doing that is because governments want espionage and sometimes companies do too. But competitor, this is a real thing. China all the time flies drones over our critical manufacturing sites. Let's see how we do stuff. So its capability is a prosumer class like the DJI and the intent is structured. This is a classification by CISA. The scenario is always going to be an ISR, intelligence, surveillance and recon. And then we're going to talk about the profiles here.

This is the matrix. So this is non-exhaustive at all. But basically your Temu toy class actually serve a purpose in drone pen testing. They can be used as a canary to see if they have any detection systems or counter systems. And in the case of a sophisticated threat, they would just use them as decoy swarms, because a swarm of cheap drones is very effective. A prosumer might be a journalist or a competitor. A sophisticated person would use it as overwatch for filming while their custom-made drones do the work. I'm sure we've all seen the horrific videos from Ukraine. DIY is going to be, you know, it might just be a guy racing his drone at some site. That happens all the time. Or organized crime, delivering contraband in a jail, could be an APT state actor.

This is a scenario platter. Think of it like this. I'm holding a platter and I am going to figure out what threat profiles apply to your site, what I'm going to pick from these scenario test cases, and what I'm going to say you should test for. You're going to pick them, and again I'm not going to go through all of these, but there are three kinds: intelligence, transport, and chaos. These are the most effective types of tests you can do with drones. And when they approve any of them, you do them and then you deliver a pentest report. Your pentest report looks very standard. There are two things that stand out, and that's a site threat model, which is usually aerial images with the drone and then, you know, a bunch of markings. I put a very, very simple one over here from the Scoggins Dam over at Hagg Lake. But basically the placement of these systems is based on findings and the site threat model and the scenario outcomes. But I'm recommending for this site three RF detection and one acoustic. The acoustic would sit on top of the spillway, because if a drone flies near that then we know, and the RF will also get bearing. So we'll know where the drone relatively is positionally over the dam with three nodes.

This is how DTI works. So you layer them from the site. So this green circle is outside of our site. It's like outside of our perimeter. We still want to know whenever an aircraft is going near us or over us. The radar detection is an expensive unit that I would not recommend for most places, but in rural areas, they're definitely effective. The next one would be a radio frequency DTI. This is the most effective one. This is absolutely the one that should be recommended basically everywhere, but they're very cheap. They are tuned to detect drone signals from the control link or the feed that's going back, the video feed. And it identifies the protocols very specifically for you. This is what we call first opportunity detection. These are called primary detection systems. So it's the earliest moment your system could have detected a drone. We're going to talk about secondary. Now, you're also going to want to have an optical DTI that's going to identify the drone that's flying into your airspace. So, we've detected it way out here. It's coming closer. Our radio frequency's picked it up. It goes, "Hey, that's probably a drone, but I don't know. Threshold's not totally confident." Then it flies into your airspace where this optical camera can confirm that this is a drone. It looks like a drone. It's definitely classified as a drone. The last one is an acoustic. They're not too effective, honestly. They're not great, but they are good for rural areas. They basically compare sound profiles, so the propeller noises and things like that.

So tuning these systems is really interesting. It's simple. If you buy this C-drone, it comes with automated flight capability. They all do. Basically, you open up the app, you create the nodes or the shape that you want to make. You can do squares, you can do circles, you can do triangles, whatever. The point is it needs to look granular in the C2. It needs to look like the shape on their end. And we want to focus on the approach corridors. An approach corridor is something where you're flying in from a place that they wouldn't expect. So a lot of the time if you take off, you kind of want to fly around the perimeter and come in from the other direction. These long-range systems kind of detect that, right? Kind of screws up your plan. And the final stuff that we'll do is drone skywriting. We're not really skywriting with any smoke. We are writing like a word with an automated flight demo test, whatever. If you can read the word then you know the system is tuned.

And the next thing we have to do is retest the scenarios. This is really important. Scenarios are supposed to be completely repeatable. They are basically a drone classification, a pilot classification and all of the other environmental effects that were in place during the initial test, including the wind, the light, all that stuff. Blue team needs to be able to detect the drone, track it, classify the platform correctly, produce a succinct timeline of events that matches up with your drone's flight log, and not have any false alarms popped. Optionally, if they have someone who's already employed or deployed to be a counter drone, to find you, the operator, they would have that guy launch it during these scenarios, because it's really important to make sure that all of it works. You detect the drone, your guy deploys, you go find the guy you reported to law enforcement. Red needs to execute the profile exactly, maintain signature discipline, and then stay within the rules of engagement, not causing any accidents or safety hazards, and provide clean artifacts. Artifacts are things like the video feeds and any of the payloads, whatever payloads were on the drone.

If you do all that, you're now prepared to begin red air operations. Red air operations are wargaming. If anyone's ever done tabletop exercises on kind of defending assets, that's it. It's going to be action, reaction, and counteraction. When we do that, usually people disagree with you. They go and say, "No, that would never happen." And then you make an argument. That argument leads to establishing rules of engagement for this particular test. You go out and you make your red team. Your team is a specialized group of people, four to five, could be more. Under Part 107, it's usually three or four. You're going to develop custom kits, hardware, payloads, and drones. And you're going to emulate structured and sophisticated TTPs. The goal is to pentest and evade the tuned DTI and the counter drone systems. And that's my speech. [applause]
So, I'm not going to go on to what's really going on here. There's a little bit of shilling, of course. But the main thing that I want to tell you about today is getting your Part 107. In the middle here is a code that I was given by Drone Pilot Ground School. They are the people I got my Part 107 training through 10 years ago. I highly recommend them. It's super cheap. It's like 150 bucks. You get 50 bucks off with this code. I get no kickback. This is all for you. There's 25 of them. There's no like fear of missing out. Do it if you want. Anyway, Q&A time. Anyone have questions?

>> How do you get all the regulatory infrastructure?

>> It's a nightmare, and that's kind of the part of it: you need to be good at puzzles. You have to have a red team mindset. You need to be able to go enumerate all the regulations, and you have to have the right context to figure out what you're not seeing, because there is a lot of that too. It also depends on what type of site you're pentesting, because commercial facilities also exist, things like Intel, things like Microsoft's campus. They're not as regulatory heavy, but I have never pentested a military base, so I don't know what that looks like.

>> How about something?

>> I have never done that. And they are allowed to use counter drone systems, the kinetic kind, where they shoot it down with a laser or have a drone that explodes on it. Nuclear facilities are one of the only places that are allowed to do that. Anything else?

>> How effective are the geofences that the, like, DJI puts out?

>> They're extremely effective for DJI. They are not effective at all for anything else. Even the Temu drones don't get knocked out.

>> Yeah. How responsive are they to putting a geofence around something? I mean, do they have certain criteria for a government agency?

>> Almost no one does it, even if they have the guidance from CISA. No one does it.

>> Yeah.

>> That's why this presentation is a call to action, guys. I want you guys to help me do this. I need defenders and pentesters to start doing this. Like, I don't want my power grid going down, you know? Like, this is a big deal. This is a future threat. Anything else?

>> The DJI drones. Does it mean that if we happen to own one, we're not going to be able to fly it after December, or are you saying get one now because...

>> I don't know for sure. Here, let me explain it to you. So, last year the Trump administration basically said, or FAA too, it was like a joint thing, they were like, "Hey, we want to have American-made products as our drones, right?" So, there's a bunch of American companies. And what they were saying is that Chinese drones are a threat. You know, they send data back to China. That's the claim. So they gave China one, or China gave the US, and the US governors also gave them one year to test the DJI drone systems for these issues. They still haven't done it. So it's by default just going to get banned, and there's not enough time to do the test. It takes multiple months for this type of testing.

>> Yeah. Well, that was my follow-up. Do you have any evidence of anybody who's ever done reverse engineering on the firmware and the equipment on the drone to see if they have phone-home equipment, like has been found in solar inverters?

>> That's the thing about DJI drones is they are the most locked down drones ever. I have tried my best to hack them. I've effectively hacked everything before the Phantom 4, and I own a lot of DJI drones. Over 86 of them. I think I have time for one more. Anybody? Oh, sorry. Yes, over here.

>> It's extremely effective in rural areas where there's no, like, civilian noises, no droning, you know, animals don't make drone noises. This is not a natural noise. All right. Thank you. [applause]