Hacking the DJI Phantom 3 drone

PAOLO STAGNO
Finally, during Christmas, I had some spare time to play with my flying beast; I’m talking about trying to hack my DJI Phantom 3.

It was my first time operating with drones or similar embedded systems and at the beginning I didn’t have any clue about how I could interact with it.

The Phantom 3 comes with an aircraft (UAV), controller and an Android/iOS app.

Let’s start from the beginning:

As a first step, I analysed the protocols. The connection between the aircraft and the controller runs over Wi-Fi at 5.725GHz – 5.825GHz (not the long-range Lightbridge protocol), while the connection between the controller and the mobile device operates at 2.400GHz – 2.483GHz, with the controller acting as an access point (AP).

Wi-Fi encryption is WPA2 and the default SSID is derived from the MAC address of the remote controller: PHANTOM3_[last 6 digits of the MAC address]. The default password is: 12341234

Inside the network, I was able to find out these IP addresses:

  • Controller: 192.168.1.1
  • Aircraft: 192.168.1.2
  • Camera: 192.168.1.3
  • Phone (DJI GO App): 192.168.1.20

Interestingly, the camera is separated from the aircraft; I suppose this is so that the image feed won’t interfere with the aircraft’s navigation.

Here is the nmap result for every device:

[Image: nmap scan output for each device]

As you can see from the above scan, some of the services drew my attention:

  • FTP
  • SSH
  • Telnet
  • landesk-rc
  • rrac

Since I didn’t have any passwords for these services I decided to have a look at the Android App (DJI GO) and surprisingly, I found these details while reversing it:

  • res/raw/upgrade_config.json

Highlighted area: 

[Image: highlighted area of the file]

  • res/raw/flyforbid.json

Highlighted area: 

"ftpPwd": "Big~9China",

While the first file contains the root password for FTP access to every device inside the network, the second file contains areas where the drone cannot fly (no-fly zones / virtual fence / geo-fence), such as airports, stadiums, military bases, cities, etc.
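Credentials bundled in app resources, as in the upgrade_config.json finding above, are easy to catch with a secret scan over the extracted APK. The following is an added example (not code from the original post): it walks a JSON resource and flags string values whose key name looks credential-like. The sample config is constructed for illustration and is not the real DJI file.

```python
import json
import re
from typing import Any, Iterator

# Key names that commonly carry credentials in app config files. The post's
# finding was a key named "ftpPwd" shipped inside the APK under res/raw/.
CREDENTIAL_KEY_RE = re.compile(r"(pwd|passw(or)?d|secret|token|api[_-]?key)", re.IGNORECASE)


def walk_json(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, leaf_value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_json(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_json(value, f"{path}[{index}]")
    else:
        yield path, node


def find_hardcoded_credentials(raw_json: str) -> list[tuple[str, str]]:
    """Return (json_path, value) for non-empty string leaves whose key looks
    credential-like, so a reviewer can confirm they are not mere placeholders."""
    hits = []
    for path, value in walk_json(json.loads(raw_json)):
        key = path.rsplit(".", 1)[-1]
        if isinstance(value, str) and value and CREDENTIAL_KEY_RE.search(key):
            hits.append((path, value))
    return hits


# Constructed sample resembling an app-bundled upgrade config (not the real DJI file).
SAMPLE_UPGRADE_CONFIG = """
{
  "version": "1.0",
  "ftpHost": "192.168.1.2",
  "ftpUser": "root",
  "ftpPwd": "example-secret",
  "targets": [
    {"name": "aircraft", "path": "/upgrade"},
    {"name": "camera", "apiKey": "abc123"}
  ]
}
"""

if __name__ == "__main__":
    for path, value in find_hardcoded_credentials(SAMPLE_UPGRADE_CONFIG):
        print(f"credential-like value at {path}: {value!r}")
```

Run it over every file under res/raw/ and res/values/ of an unpacked APK; a hit shared by all installs is a shared secret, not a per-device one.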

Unfortunately, on the latest firmware (V01.07.0090), the root ftp access to the drone is chrooted and I wasn’t able to escape the /tmp directory, plus, Telnet and SSH access are disabled.

“I tried to replace the firmware with a modified version but the firmware is signed and resilient to tampering.”

Downgrading the firmware to its previous version (V01.06.0080) results in unrestricted root FTP access, so I dumped the file system and started diving into it.


The drone’s underlying system is a fork of OpenWrt 14.07 “Barrier Breaker” (r2879) built for “ar71xx/generic”; the controller runs the same version.

Root access to the aircraft is hard to achieve because the root password is strong: I tried to crack it, but it withstood several days of cracking (thanks to the Hacktive Security guys).

So, I decided to take another path, re-enabling the Telnet service. Searching inside the filesystem I found these files:

  • /etc/init.d/rcS
  • /etc/init.d/rcS_ap
  • /etc/init.d/rcS_aphand
  • /etc/init.d/rcS_cli

These scripts run during the boot process; enabling the code on line 61 starts the telnet server:
telnetd -l /bin/ash &

In this way, I managed to get root access to the underlying system of both the aircraft and the controller:
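From the hardening side, the rcS scripts above show why a firmware review should check which services the init scripts start at boot. The following is an added example (not code from the original post) that audits an init script for remote-shell and FTP daemons and reports whether each invocation is live or commented out; the rcS excerpt is constructed for illustration.

```python
import re

# Daemons that hand out a shell or file access if they run at boot. The post
# found telnetd started from /etc/init.d/rcS* on OpenWrt-based firmware.
RISKY_SERVICE_RE = re.compile(
    r"^\s*(?P<commented>#\s*)?"      # optional leading comment marker
    r"(?:\S*/)?"                     # optional path prefix such as /usr/sbin/
    r"(?P<cmd>telnetd|utelnetd|ftpd|vsftpd|pure-ftpd|dropbear)\b"
    r"(?P<args>.*)$"
)


def audit_init_script(script_text: str) -> list[dict]:
    """Return one record per risky daemon invocation found in an init script.
    'enabled' is True when the line is live, i.e. not commented out."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        m = RISKY_SERVICE_RE.match(line)
        if m:
            findings.append({
                "line": line_no,
                "service": m.group("cmd"),
                "enabled": m.group("commented") is None,
                "text": line.strip(),
            })
    return findings


def enabled_services(script_text: str) -> list[str]:
    """Sorted, de-duplicated names of risky daemons that would start at boot."""
    return sorted({f["service"] for f in audit_init_script(script_text) if f["enabled"]})


# Constructed rcS excerpt for the example; not the real DJI init script.
SAMPLE_RCS = """#!/bin/sh
# constructed excerpt, not the real rcS
mount -t proc proc /proc
#telnetd -l /bin/ash &
dropbear -p 22 &
/usr/sbin/ftpd -D &
"""

if __name__ == "__main__":
    for f in audit_init_script(SAMPLE_RCS):
        state = "ENABLED" if f["enabled"] else "commented out"
        print(f"line {f['line']}: {f['service']} {state}: {f['text']}")
```

Run it over every /etc/init.d/rcS* and /etc/rc.d entry in a dumped firmware image; a commented-out line still deserves attention, since a one-character edit re-enables it.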


Further work:

  • Check the rrac and landesk-rc services for some cool exploits
  • Check the SDK to hijack an inflight drone
  • Perform a GPS Attack
  • Check the device queue trying to de-authenticate mobile phone and perform the takeover

This was a guest post by Paolo Stagno originally published at his website VoidSec.

While we’ve previously looked into hacking the Parrot AR2.0 Drone and listed many other drone hacking vectors, there has been very little research into the security landscape of the DJI Phantom series.

DJI Phantom overall security

This area of coverage is essential with DJI being one of the most popular commercial drones in the skies today. DroneSec checked in with Paolo to get his thoughts on the security of the Phantom drone as a whole, noting that his research indicated tampering with the latest firmware was not possible.

Paolo’s comments reflected his findings that both telnet and FTP access were restricted or disabled in the latest firmware, a mitigation we haven’t yet confirmed on the latest Parrot AR drone releases.

GPS attacks & more

What’s next for hacking the DJI Phantom 3? While still very much a work in progress, Paolo believes a GPS attack is a viable vector, and is looking to conduct some research into a full takeover with the help of the Software Development Kit (SDK).

Currently, the Parrot AR2.0 drones are susceptible to full mid-flight takeovers, even to the point of controlling the drone with an attacker’s keyboard. DroneSec will be following Paolo’s activities closely to see if a reliable method of interception for the DJI Phantom 3 is possible.

Drone Security Hardening Guidelines

With the rise in counter-drone solutions, the market must also meet minimum hardening requirements for drone-protection. DJI has so far shown that minimum security standards for drones can be achieved, however they still have some way to go. DroneSec looks forward to bringing together researchers in the hopes of forming a Drone Security Hardening Guideline (a similar task was looked at a couple months ago here for those interested).

Get in touch with Paolo

Paolo is very approachable and we’ve found him eager to share his knowledge on the subject. If you enjoyed this article and would like to get in touch with Paolo, please contact him via LinkedIn, Twitter or email at: [email protected]
