Complete tx take over..facts or fiction?

Community
Search
Notices
RC Jets Discuss RC jets in this forum plus rc turbines and ducted fan power systems

Complete tx take over..facts or fiction?

Thread Tools
 
Search this Thread
 
Old 10-27-2016, 08:36 AM
  #1  
basimpsn
Thread Starter
My Feedback: (5)
 
Join Date: Dec 2001
Location: Mia, FL
Posts: 2,580
Received 4 Likes on 4 Posts
Default Complete tx take over..facts or fiction?

This guy claims he can hack any DSMX system and take full control of the craft... very cool video
https://www.youtube.com/watch?v=2YjQPPc5VW4
Old 10-27-2016, 09:10 AM
  #2  
ChuckC
My Feedback: (24)
 
Join Date: Jan 2002
Location: Friendswood, TX
Posts: 654
Likes: 0
Received 1 Like on 1 Post
Default

Uh, YIKES!

It appears it was only a matter of time, or will be if the video is legit. Wow, unscrupulous people could swipe a high dollar "drone" or drive up to a jet meet and cause some kind of havoc, if flying that protocol.
Old 10-27-2016, 10:04 AM
  #3  
wfield0455
My Feedback: (7)
 
wfield0455's Avatar
 
Join Date: Sep 2005
Location: Holliston, MA
Posts: 1,299
Received 5 Likes on 4 Posts
Default

It appears to be legit from other articles I've seen discussing it. While it appears that there are no plans to offer it for sale, other than perhaps to law enforcement, if someone did it, then others could too, especially now that someone has pointed out this vulnerability. Looks like it would probably be difficult for Spektrum to fix as well, since the fix would need to be applied to the receivers, which aren't field upgradable.
Old 10-27-2016, 10:26 AM
  #4  
Thud_Driver
My Feedback: (1)
 
Thud_Driver's Avatar
 
Join Date: Dec 2001
Location: Victorville, CA,
Posts: 1,669
Likes: 0
Received 9 Likes on 7 Posts
Default

Looks like they hack (decode) the GUID number, effectively rewrite the new Tx's GUID into the Rx on the fly, an inflight rebind so to speak, and they're in.

There's been some talk about encrypting the uplink data by XPS and maybe others. Likely the way to go. Maybe possible to include via update to Tx software. Receivers might be a whole other problem.
Old 10-27-2016, 11:00 AM
  #5  
JimBrown
My Feedback: (2)
 
JimBrown's Avatar
 
Join Date: Feb 2002
Location: Rockland, ON, CANADA
Posts: 1,132
Received 1 Like on 1 Post
Default

More info in this article: http://arstechnica.com/security/2016...-in-midflight/

Note that this attack is apparently usable with any of our RC systems, according to this comment: http://arstechnica.com/security/2016...&post=32136399

...jim
Old 10-27-2016, 11:05 AM
  #6  
basimpsn
Thread Starter
My Feedback: (5)
 
Join Date: Dec 2001
Location: Mia, FL
Posts: 2,580
Received 4 Likes on 4 Posts
Default

I really can't see how you can guard against an identical copy of your tx transmission... I will be watching this closely.

"To be clear, ALL the current RC systems are vulnerable to this timing injection attack. I was the one who picked DSMX as our first target because it's the most popular system, my favourite and the one I currently use for all my drones, planes, copters, boats and cars. The attack hardware was a teensy and a cyrf6936 transceiver from my friend at 1bitsquared.com, but we could have just as easily implemented it using the same teensy and a ML2724 to attack DJI and Futaba systems. The issue is that all the RC systems from ALL the manufacturers count on frequency hopping obfuscation to "hide" their broadcasts, which are easily gathered en masse and reversed with an SDR, or by using a logic analyzer on their transmitters; there is no cryptographically secure authentication layer on any of the current systems. This timing attack is not difficult, just requires some low level radio and embedded system knowledge and about $100 in parts, and is only the tip of the iceberg in the potential attacks available on current systems. Timing is the low hanging fruit that we picked to attack and demonstrate first. We have further demonstrations planned and would be glad to talk to any manufacturer about securing their gear. Jonathan will be us in drone hijacking as a lab exercise in his CanSecWest SDR Dojo training course next March, and I highly recommend this course for anyone interested in this area. There are many places this kind of system could be used to detect drones flying in restricted areas (because the attack system can also be used as a drone detection system passively) and to take them over and make them perform controlled landings in safe areas, rather than all the crude systems proposed so far, and we have even more interesting systems, demonstrations and applications planned for future presentations, with the next one likely being at the CanSecWest conference after Jonathan's training.
An interesting side note is that you can actually use a second attack system to hijack the first hijacker, so this gets complicated very quickly."
Old 10-27-2016, 11:10 AM
  #7  
JimBrown
My Feedback: (2)
 
JimBrown's Avatar
 
Join Date: Feb 2002
Location: Rockland, ON, CANADA
Posts: 1,132
Received 1 Like on 1 Post
Default

Originally Posted by basimpsn
I really can't see how you can guard against an identical copy of your tx transmission... I will be watching this closely.
Encryption.

...jim
Old 10-27-2016, 11:40 AM
  #8  
rhklenke
My Feedback: (24)
 
rhklenke's Avatar
 
Join Date: Jun 2002
Location: Richmond, VA
Posts: 5,998
Likes: 0
Received 34 Likes on 21 Posts
Default

So the GUID on your transmitter is used to, among other things, set the hopping sequence. If you know the algorithm that is used to go from the GUID to the hopping sequence and you monitor and record the hopping sequence, you can figure out what the GUID is.

Once you know the GUID, you can duplicate the original TX's transmission and "fool" the RX into listening to you instead of the original TX.

Back in the old 72 MHz days, you could do the same thing just by turning on a TX on the same channel that a guy was already using - and we used to broadcast that on a flag on our antenna. Remember the "dial-a-crash" TX modules where you could set the channel with a screwdriver? This is a lot more work to do essentially the same thing.

As Jim suggests, you could add encryption to the data that is being sent over the link and eventually that might be added, but I don't see this as a real threat to the every-day RC flyer on 2.4. Heck if I wanted to take down an RC plane or drone on 2.4, all I'd need is a high-power 2.4 GHz analog video transmitter with settable output channels - about $150 from your local "spy camera" retailer...

Bob
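An added illustration, not from any poster in this thread, of the distinction rhklenke and Jim draw: a hopping sequence derived from the GUID is obfuscation (anyone who recovers the GUID reproduces it), while a keyed MAC with a frame counter is authentication that a copied transmission cannot satisfy. The hop algorithm, channel count, frame layout and bind-time key are constructed for this toy model and are not Spektrum's.

```python
import hmac, hashlib, struct

CHANNELS = 80  # constructed: channel count for this toy model, not DSMX's

def hop_sequence(guid: bytes, length: int = 23) -> list:
    """Toy GUID-derived hopping sequence (constructed, not DSMX's algorithm).
    It is a pure function of the GUID, which is rhklenke's point: whoever
    recovers the GUID reproduces the sequence exactly."""
    seq, h = [], guid
    while len(seq) < length:
        h = hashlib.sha256(h).digest()
        for b in h:
            if b % CHANNELS not in seq:
                seq.append(b % CHANNELS)
            if len(seq) == length:
                break
    return seq

def frame_tag(key: bytes, guid: bytes, channel: int, ctr: int, payload: bytes) -> bytes:
    """8-byte HMAC over GUID, channel, frame counter and servo payload (constructed layout)."""
    msg = guid + struct.pack(">HI", channel, ctr) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class UnauthenticatedRx:
    """Accepts any frame carrying the bound GUID on the channel due in this hop slot."""
    def __init__(self, guid: bytes):
        self.guid, self.seq = guid, hop_sequence(guid)

    def receive(self, slot: int, guid: bytes, channel: int, payload: bytes) -> bool:
        return guid == self.guid and channel == self.seq[slot % len(self.seq)]

class AuthenticatedRx(UnauthenticatedRx):
    """Additionally requires a valid tag under the bind-time key and a strictly
    increasing counter, so frames forged from the GUID alone, or replayed, are dropped."""
    def __init__(self, guid: bytes, key: bytes):
        super().__init__(guid)
        self.key, self.last_ctr = key, -1

    def receive(self, slot, guid, channel, ctr, payload, tag) -> bool:
        if not super().receive(slot, guid, channel, payload):
            return False
        expected = frame_tag(self.key, guid, channel, ctr, payload)
        if ctr <= self.last_ctr or not hmac.compare_digest(expected, tag):
            return False
        self.last_ctr = ctr
        return True
```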
Old 10-27-2016, 04:40 PM
  #9  
2walla
My Feedback: (10)
 
Join Date: Mar 2003
Location: walla walla, WA
Posts: 732
Received 0 Likes on 0 Posts
Default

This is what the FCC should be cracking down on. This type of device can only benefit those with malicious intent. At least it now offers those with big egos and dumb thumbs an excuse when they crash with a 2.4 system...
Old 10-27-2016, 04:51 PM
  #10  
TimD.
My Feedback: (207)
 
TimD.'s Avatar
 
Join Date: Dec 2001
Location: Jacksonville, FL
Posts: 755
Likes: 0
Received 13 Likes on 12 Posts
Default

Originally Posted by 2walla
This is what the FCC should be cracking down on. This type of device can only benefit those with malicious intent. At least it now offers those with big egos and dumb thumbs an excuse when they crash with a 2.4 system...
Agreed. This is all we need, another reason to question what we fly. Any jerk with a $100 shelf-bought attitude to destroy your multi thousand dollar plane.
Old 10-27-2016, 05:58 PM
  #11  
jofunk
 
Join Date: Mar 2009
Location: willow springs , IL
Posts: 1,215
Likes: 0
Received 25 Likes on 14 Posts
Default

So you roll up to a flying event with your new hijacking equipment and 4 things are flying, how do you figure out which one you are hijacking?
Old 10-27-2016, 06:04 PM
  #12  
TimD.
My Feedback: (207)
 
TimD.'s Avatar
 
Join Date: Dec 2001
Location: Jacksonville, FL
Posts: 755
Likes: 0
Received 13 Likes on 12 Posts
Default

Originally Posted by jofunk
So you roll up to a flying event with your new hijacking equipment and 4 things are flying, how do you figure out which one you are hijacking?
Most likely ALL go down.
Old 10-27-2016, 10:05 PM
  #13  
Birdman6310
Senior Member
 
Join Date: Sep 2015
Posts: 118
Likes: 0
Received 0 Likes on 0 Posts
Default

Very sad in my view that someone should spend time developing this sort of thing. Sounds like work to blackmail companies making RC Equipment. Go get a real job that does some good
Old 10-27-2016, 10:07 PM
  #14  
Birdman6310
Senior Member
 
Join Date: Sep 2015
Posts: 118
Likes: 0
Received 0 Likes on 0 Posts
Default

Does this still work with DSM2?
Old 10-27-2016, 10:20 PM
  #15  
Birdman6310
Senior Member
 
Join Date: Sep 2015
Posts: 118
Likes: 0
Received 0 Likes on 0 Posts
Default

This strikes me as irresponsible and stupid. Imagine some idiot takes over a plane, it crashes and kills someone. Who will get done for the potential death?
Old 10-28-2016, 01:49 AM
  #16  
olnico
 
olnico's Avatar
 
Join Date: May 2007
Location: Houston, Texas.
Posts: 4,120
Likes: 0
Received 15 Likes on 9 Posts
Default

Well, Weatronic systems are completely immune to this.
We got audited by several military customers and selected as the only system that was not easily hackable (GUID being encrypted, you'd need to break the 128 bit key on the fly as the system hops. Very much impossible with today's computers).
Old 10-28-2016, 01:44 PM
  #17  
LarsL
 
Join Date: Sep 2006
Location: Shorewood, WI
Posts: 195
Likes: 0
Received 0 Likes on 0 Posts
Default

Originally Posted by olnico
Well, Weatronic systems are completely immune to this.
We got audited by several military customers and selected as the only system that was not easily hackable (GUID being encrypted, you'd need to break the 128 bit key on the fly as the system hops. Very much impossible with today's computers).
Beyond your statement that Weatronic was audited by several military customers, what further facts do you have that Weatronic is completely immune, as you put it?

Basimpsn, I read your entire original article as well as watched the video, and you made it very clear that "ALL the current RC systems are vulnerable to this timing injection attack." How are you convinced that all systems are vulnerable? Now that this is out, it is easy for every manufacturer except the one that you used in your demonstration to say theirs is immune.
Old 10-28-2016, 01:51 PM
  #18  
Zeeb
My Feedback: (41)
 
Zeeb's Avatar
 
Join Date: Nov 2004
Location: St George, Utah UT
Posts: 5,686
Received 67 Likes on 54 Posts
Default

Originally Posted by olnico
Well, Weatronic systems are completely immune to this.
We got audited by several military customers and selected as the only system that was not easily hackable (GUID being encrypted, you'd need to break the 128 bit key on the fly as the system hops. Very much impossible with today's computers).
That may be true, but I've heard nothing from PB about changing their plans to drop the Weatronic stuff?
Old 10-29-2016, 01:25 AM
  #19  
Halcyon66
 
Join Date: Aug 2016
Location: Gone Sailing
Posts: 459
Received 51 Likes on 40 Posts
Default

olnico, interesting that you keep pushing Weatronic; they are out of business and only survived as a Turkish billionaire was backing them?? The moment he died and funding stopped they closed, pretty simple really.

Tell me one manufacturer that wouldn't keep on going if they were backed with serious $$. I had battles with them for years over the never ending production dates that never eventuated; you could see that they had zero business skills.

Any system is capable of being hijacked; the Iranians took an RQ-170 off the US, or did you miss that? If you think toy RC systems are immune you are going to be seriously disappointed.

Regards,

Last edited by Halcyon66; 10-29-2016 at 04:54 AM.
Old 10-29-2016, 06:58 AM
  #20  
Edgar Perez
My Feedback: (13)
 
Edgar Perez's Avatar
 
Join Date: Dec 2001
Location: Gurabo, PUERTO RICO (USA)
Posts: 2,404
Received 20 Likes on 10 Posts
Default

So where does all this hostility about Weatronic come from?
It's unfortunate that the brand is no longer available, but the fact that it did have (and still does for those who use it) significant technical advantages over the more established brands is backed by factual information.

I'm not really concerned about being hijacked at this time... maybe in the future... But it wouldn't surprise me if it turns out that Weatronic already had another technical advantage by using encryption. It's just another example of many. I do hope that the upcoming Powerbox system, based on Weatronic technology, keeps and improves on the many advantages.

Last edited by Edgar Perez; 10-29-2016 at 07:23 AM.
