It’s a Bird… It’s a Plane… It’s Drone!

  • 3 minute read

Unmanned Aerial Vehicles (UAVs), commonly known as drones, which can be easily purchased online with just a click and are difficult to track, have recently started to pose a threat to air transportation and privacy, as we can see in the news.

Given this situation, the fight against drones is becoming increasingly important not only worldwide but also in our country. When we look at the studies being done to fight against drones around the world, the Dutch police who hunt drones with eagles, the Tokyo police who catch drones with nets, and the Skyjack study, which allows other drones (Parrot AR.Drone 2) to be hacked, maybe among the most creative works in this field.






In early 2014, I also took my first step into the drone world with the Hubsan X4 H107C (you can access the example video here). As a security expert, I had some questions that I couldn’t shake off while flying the drone. The most curious thing for me was whether the connection between the drone and the controller, which is controlled by the person who is flying the drone, could be manipulated or replayed? If the drone communicated via WIFI, then I could try to hack the WIFI network between the drone and the phone using various tools and devices like Sammy, and try to take over the connection (hijack) or manipulate it like in the Skyjack study. However, my drone, the Hubsan X4 H107C, communicates using its own protocol on the 2.4 GHz frequency, and I thought that analyzing the protocol by monitoring the SPI communication using a Logic Analyzer would be a tedious and costly task.

In this tedious path, to avoid pulling out my hair, I searched on Google to see if anyone had previously analyzed this protocol and I came across Jim Hung’s work (#1, #2, #3, #4). According to Jim Hung’s study, which was done using a Logic Analyzer, it seemed that hijacking or manipulating the connection between the controller and the X4 theoretically possible, but practically (at least for me) it was not very easy. Based on this study, I began to think about how I could repeat (replay) the signal that was sent, and the HackRF One came to mind, which I had previously experienced that could greatly simplify my job in my garage door research.

Using Jim’s study as a guide, my first step was to use the Gqrx SDR aracı tool in Kali to start monitoring the frequency range of 2400 MHz (2.4 GHz) and incrementing by +10 MHz (2410, 2420, 2430…) to detect the discovery (discovery) packet that the controller sends when searching for the X4. I was easily able to detect the discovery packet, and when the X4 responds to the packet, I didn’t have much trouble detecting the X4 on that frequency.

Hubsan X4 H107C



After finding the relevant frequency, I then use the command “X4 – turn the propellers (throttle – left stick up)” from the remote control, then began recording the relevant signal with the HackRF One device using the following command help.

hackrf_transfer -r Hubsan-2442Mhz-8M-8bit-1.bin -f 2442000000 -l 40 -n 5

Then, by sending the signal that I recorded with the following command to the relevant frequency, I saw the X4’s propellers move and successfully repeated the signal between the X4 and the remote control. In this replay attack, I sometimes saw the connection between the X4 and the remote control cut off, which meant that the X4 fell. (Not too bad for fighting against a drone, don’t you think ? :))

hackrf_transfer -t Hubsan-2442Mhz-8M-8bit-1.bin -f 2422000000 -x 47






In conclusion, it appears that it is possible to misuse the X4 H107C by performing a replay attack with HackRF One (such as causing it to fall). It could be an interesting detail in the fight against drones.

Hope to see you in the next article.

image_pdfShow this post in PDF formatimage_printPrint this page
Total
0
Shares
Tweet 0
Share 0
Share 0
Share 0
Share 0
Related Tags

Mert is a well-known and respected Cyber Security Researcher, Speaker and Blogger. He has been living and pursuing his career in the United States with an Alien of Extraordinary Ability visa (EB-1A), an employment-based green card, since October 2022.

As of February 2023, Mert has been working at SOCRadar® Extended Threat Intelligence as the Head of Security Research & Operations. SOCRadar is a cybersecurity company committed to democratizing threat intelligence and providing superior cybersecurity solutions to thousands of companies in hundreds of countries. SOCRadar's mission is to provide organizations of all sizes with the tools to counter cyber threats.

In his current position, Mert has been advising the CEO on strategic decisions that align with the company's mission, objectives, and overall goals.

He has often overseen strategic initiatives by working closely with various departments, such as product development, sales, and marketing. Also, he has been managing the day-to-day operations of the Security Analyst, Support, and Professional Services teams to ensure efficiency, quality, service, and cost-effective management of resources.

In addition, he has been driving innovation across the product by promoting new ideas and features.

Besides that, he has been managing, mentoring, and supporting a cadre of threat researchers, threat hunters, security analysts, and technical content writers who research cyber threats, vulnerabilities, and trends.

From October 2020 to September 2022, Mert demonstrated his expertise as an Executive Vice President / CISO of IT Security & Risk Management Group which incorporates Cyber Defense Center, Cyber Security Technologies, Cyber Security Architecture, Information Security & Risk Management teams (40 HCs) at Intertech. Intertech is an Information Technology subsidiary of DenizBank, owned by Emirates NBD

From January 2018 to September 2020 as the Vice President, Mert was responsible for the management of Akbank's Cyber Defence Center (CDC) which incorporates Vulnerability Management, Threat Detection, Threat Response & Intel, and Security Engineering teams. (26 HCs)

From 2007 to 2017 Mert was responsible for performing and managing penetration tests, malware analysis, security incident detection, and response as a Technical Lead in the Threat & Vulnerability Management team at IBTech. (Information Technology subsidiary of QNB Finansbank)

From 2014 – 2016 Mert instructed Malware Analysis course in Cyber Security Graduate Program at Bahcesehir University.

In 2003 Mert’s career journey began by discovering a security vulnerability on the e-portal web application of the Yeditepe University where he was studying at that time. After sharing his findings with the executives of the university, he was awarded an achievement grant and recruited as an Ethical Hacker. Mert graduated from Yeditepe University, Information Systems and Technologies in 2006 and Yeditepe University, Master of Business Administration program in 2010.

From the beginning of 2011, Mert spoke at more than 30 technical cyber security conferences. In addition, he was invited as a guest speaker to more than 40 universities to share his cyber security career journey and his profession “Ethical Hacker” to the students as a role model.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like
Read More

Antimeter Tool

Generally I prefer writing my articles in Turkish and I support my articles with proof of concept codes, videos and small tools. In my previous article, I created a small tool called antimeter which scans memory for detecting and also killing Metasploit’s meterpreter. I did not expect that much interest…
Read More
0
0
0
0
0
Read More

WhatsApp Scammers

Introduction I recently received my share of calls and messages from foreign cell phone numbers, disturbing almost everyone, especially in Turkey, who has used the WhatsApp application in recent days. Of course, as in my articles on other scams (Exposing Pig Butchering Scam, LinkedIn Scammers, Instagram Scammers), I rolled up…
Read More
0
0
0
0
0