wifi dos attacks

[birddogg]

should we push for a plan to give us the ability to change the SSID of the phantom wifi links? also the ability to hide the SSID might be a good thing.you don't need to be a skilled hacker to make 802.11 dos attacks. I'm worried as DJI becomes more popular having our SSID's locked to say phantom_dxxxx etc will put us at risk to juvenile wifi attacks.this has been tested with simple tools such as aircrack-ng using deauth packets.being able to change the SSID might make us less of a specific target.

As for 802.11 encryption i'm not sure its needed RIGHT NOW , but maybe in the future it will be. PEN test on the phantoms ssh sockets have not been successful in my testing.though in the future this might be a problem with more skilled attempts at packet capturing and brute force hash cracking, if its not already been done its just a matter of time.

thoughts?

Jay "birddogg" Warren

 

[ServPilot]

While I don't own a Phantom 2 Vision yet, I've been thinking about potential security issues regarding communication as well. Must be the evil geek in me

Since I have no hands on experience with the P2V yet, I may overlook things, but here are some of the issues that might occur if you run into the wrong crowd :

- open SSID on the range extender may possible allow others to connect to it, or connect to it too. How does it react if two or more phones are connected to it? (and running the DJI app, possibly even sending out instructions for the cam)
- If a more powerful phone is brought into range on purpose, is it possible to take over the phone/range extender link and as such have your drone hijacked?
- Is each P2V tied to a unique range extender, or it is possible to connect your extender to the drone of your neighbor, and literally "take off"?
- is it possible to view the feed of the camera on several phones when connected to the range extender?

Whether or not the above issues are real life exploits that could be used, I believe having some extra safeguards in place could prevent these things from happening.

1. Limit one connection to the range extender
2. encrypted connection between phone and range extender, possibly pair them by sending the range extender a code through the phone, so no other devices can connect to it.
3. Encrypt the control wifi stream between the drone and the range extender, to make sure only valid instructions are received and executed by the drone
4. encrypt the videofeed between the drone and the range extender and phone to prevent others to capture the feed.

Downside would be that the whole setup gets a bit more technical and possibly more prone to errors, as well as requiring more power (and thus reduced flight time?). I believe the choice however should be in the hands of the pilot, to turn on all these extra control safeguards.

I certainly wouldn't want to see my drone get hijacked in mid flight, or crashed on purpose.

Always willing to learn, I'd love to hear feedback on these issues, maybe even prove me wrong.

Kind regards,

ServPilot

(edit : added extra info)

 

[LeoS]

Sure.

Having control over the network settings will give us more flexibility to make use of 3rd party repeaters or even piggyback on top of existing systems (even cellular network). Now, if we can somehow also use IP for control channel..

 

[birddogg]

It is possible for more than one connection to be made into the P2V wifi network. Although the connection between the app and the P2V seems to be protected to some extent. There are no default root ssh or http logins on the discovered open ports.

As to the behavior when two connections are present , the first device to make the connection has control over the P2V the second device is just "on" the network. I have successfully synced one folder across three devices on the P2V wifi network with no adverse effects.

Folder sync was my initial reasons for running nmap scans, and there are no less than nine unfiltered open ports on the network.I'm busy at work right now but if you want some of the wireshark and nmap data i will send it to you later on this evening.

One interesting port was a nessus https interface... really?

EDIT:
The fact a nessus scanner is onboard is somewhat comforting, to know there trying to eliminate basic threats. Still not giving us control over basic network security is disappointing to say the least. A simple dos attack could easily be enough to cause a crash in bvr.

 

[varmint]

Useful reasons to get telemetry access

Hey all, first post here. I ran into this topic while searching on the Phantom Vision's wifi. I've also been sniffing around on the wifi's network looking for ports, and it's definitely got some interesting services running, but nothing that looks like an obvious avenue for access. What I would like to do is actually quite benign, and involves getting at the telemetry data and parsing it out in order to drive some servos (via Arduino or Raspberry Pi) for an antenna platform. If I can get the lat/long/alt (or even bearing), it would be trivial to keep a directional antenna constantly pointed right at it ( no spotters required!).

Alas, networking is NOT my field, so my lame attempts to sniff out the packets have all been met with failure. There ARE other reasons this info would be useful, especially if it was published as an API, but I get the feeling DJI isn't interested in sharing. If anyone does come across a bridge to the telemetry data, I'd love to hear it.

 

[jadebox]

If you're concerned now about the Wi-Fi connection to the repeater, you could use a different repeater (see the More Powerful Repeater? thread) and enable a secure connection between it and the phone.

But, of course, it doesn't seem like it would be difficult for DJI to allow you to do that with the current repeater.

-- Roger

 

[ianwood]

I don't have a P2V so I don't know much of the details but broadcasting an SSID that's hard coded with the word Phantom doesn't sound very safe. However, the odds are that it'll never happen as even here most people probably don't know what a DOS is let alone know how to do it let alone have the equipment and where with all. There is a video of a P2V strapped with a WiFi hack tool being used to kill the WiFi connection of a Parrot ARdrone:

[youtube]http://www.youtube.com/watch?v=Fk1Bpy5ccPU[/youtube]

 

[TechJunkieRC]

I don't have a P2V so I don't know much of the details but broadcasting an SSID that's hard coded with the word Phantom doesn't sound very safe. However, the odds are that it'll never happen as even here most people probably don't know what a DOS is let alone know how to do it let alone have the equipment and where with all. There is a video of a P2V strapped with a WiFi hack tool being used to kill the WiFi connection of a Parrot ARdrone:

[youtube]http://www.youtube.com/watch?v=Fk1Bpy5ccPU[/youtube]

NOOOOO! You beat me to it. I just watched that the other evening. I actually thought it was pretty cool geekdom to see this happen. Then I thought it was pretty scary that it actually seemed so easy! I guess there are devices which could block 2.4 too if someone wanted to actually pull it off. In that case the Phantom would go into RTH mode I guess or start to fly back to China, who knows.

What would be more impressive would be for the guy to have his quad truly take control of the P2 and make it follow wherever it went. He mentioned in the video that it would technically be possible but he didn't go to that length. Imagine your buddys face when his P2 is following your P1 around like a dog on a leash! That video would probably get DJI to reconsider security!