Skip to content

A collection of learning resources for budding aviation security researchers

License

Notifications You must be signed in to change notification settings

deptofdefense/hack-aviation-library

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Aviation Hacking Banner

hack-aviation-library

A collection of learning resources for budding aviation security researchers (aka hackers). Learn so we can secure aviation from design to implementation!

Note: This is an evolving resource, so please contribute with a pull request

Jump To: Web sites | Articles and Op-Eds | Tools and Projects | Videos | Books and White Papers | Programming Libraries | Oh and Drones! | Miscellaneous | Contacts

BACKGROUND

In order to encourage more people to become interested in investigating aircraft vulnerabilities as well as understand the problems aircraft face, Bricks in the Air attempts to represent this problem in a simple and jargon free manner. By replacing the complex and unfamiliar 1553/429 buses with the more well known I2C data bus, we remove a lot of the jargon and confusion of the problem while allowing attendees to understand the core problem: Aircraft data buses are old and unsecure, and someone should fix that.

RESOURCES

Aviation Hacking Challenges

Called Bricks in the Air, in this series of four workshops, you will attempt to send messages to a mock LEGO® technic aircraft over I2C to experiment with direct injection attacks on a data bus. This year, we’ve integrated the newly released Spike Prime robot from LEGO® Education.

For 2020, the workshops will be held in Safemode at Def Con via Twitch streams. Checkout dds-virtual.com to access the workshops, otherwise, see the github repo for the deets on game play for each of the work shops!

Articles and Op-Eds

Web Sites

Tools and Projects

Videos

Books and White Papers

Oh and Drones!

  • Drone hacking is much like any other embedded device hacking, with the exceptions that when things go bad, the propellers can actually cut you or amputate limbs. The typical setup is an ARM or MIPS SOC, running Linux or a RTOS, or sometimes both on the same SOC at the same time. For most drones, they are quite literally an Android device with some propellers attached. Many drones have multiple systems running on them. Some can run two different versions of android on two different SOCs on the same board, while also running a RTOS for the flight controller on a single core of one of those SOCs. Drone hacking can be weird.

  • Drones will have a vast mismatch of mitigations and security technologies, which makes them an excellent (but expensive) educational target. These range from platforms with zero memory corruption mitigations, to platforms making extensive use of ARM Trustzones, SELinux and advanced RF security measures. With many drone companies are still back in the 90s on security, they are an excellent way to build up your skillset from the ground up.

  • First thing we do is check and see if the device is vulnerable to exploits on similar models. Often they are, and sometimes the exploits need a few tweaks to work right, or need to be chained with another exploit to defeat some new mitigation. Is always nice to get a quick win because the work is already done, isn't it?

  • The next thing we do is an overview for the attack surface. First checking physical entry ways, do we have UART, JTAG or other debug ports? Where are all the usb ports? Sometimes they have no header or are otherwise hidden. Then we move more towards the software level. What kind of interfaces are up on USB? Is there a serial port open over USB? Is TCP over usb up? What services are running on the network if one is up? FTP? Telnet? Is the RC Wifi based? If so can we get on that wifi network? How does the app communicate through the RC? Is the app obfuscated or packed at all? The attack surfaces on many drones are huge, and varied. Lots of room to have some fun.

  • Then I move to firmware. Do they have the firmware on their website? Has anyone dumped the firmware? Can we just reverse engineer the update software? Does the update system have any hidden engineering software? Is the update package encrypted? If we can't get the firmware trivially, then we pull the storage and manually extract the firmware. Probably should have bought two drones, but thankfully Amazon Prime exists.

  • Once firmware is in hand, we can treat this like any other embedded device. Since the drone world really hasn't caught up with security, a quick overview looking for low hanging fruit like simple command injections, hard coded credentials, weakly generated passwords or debugging interfaces (cough backdoors cough) often leads to a quick and easy win. No luck with the low hanging fruit? Then the painstaking task of auditing every exposed interface and service.

  • Check out these other resources:

  • Happy Drone Hacking!

Miscellaneous

CONTACTS

Aviation Security Contacts

Defense Digital Service Library Custodians

<<<Back to Top

About

A collection of learning resources for budding aviation security researchers

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •