We first need to identify a UAS before we can apply various tools to identify, monitor, and hack it. In this subproject, we focus on the analysis of wireless traffic between a UAS and its controller. As the first step, we focus on WiFi traffic, because most commercial UASs support control from a cellphone or a tablet. WiFi sniffing can be performed on Windows PCs or on a Linux platform; e.g., Kali Linux already has some WiFi tools built in.
1) WiFi Sniffing on Windows.
(a) Hardware. Most WiFi cards on Windows do not support "Monitor Mode", so we need to use the cards we ordered instead of the default WiFi cards.
(b) Software. We use the Wi-Fi network traffic sniffer described at https://www.acrylicwifi.com/en/blog/sniffer-traffic-wifi-windows-7-8/
Please read the web page and take notes. I will add more to this page.
Please write a draft of the installation process and the sniffing tests. We will discuss how to process the sniffed traffic later.
2) Kali Linux.
Our IEEE-Cyber paper is attached below.
Parrot Profiling Summary.
1. Packet protocol:
1.1 A packet can contain multiple frames; frames are simply appended one after another in the UDP packet.
[YINGFEI: Hualiang, please draw a figure about the formats of a packet and a frame.]
Hualiang:
1.2 A frame contains the following information:
1.2.1 Data type (1 byte):
There are 4 types of data:
ACK (1): Acknowledgement of previously received data
Data (2): Normal data (no ack requested)
Low latency data (3): Treated as normal data on the network, but are given higher priority internally
SYN (4): Data requesting an ack. The receiver must send an ack for this data
To acknowledge data, simply send back a frame with the Ack data type, a buffer ID of 128+Data_buffer_ID, and the data sequence number as the data. E.g.: to acknowledge the frame "04 0b 42 0b000000 12345678", you will need to send a frame like "01 8b 01 08000000 42".
1.2.2 Target buffer ID (1 byte)
Buffers IDs are separated into three main sections:
[0: 9]: Unknown
[10: 127]: Data buffers
[128: 255]: Acknowledge buffers.
By convention, Controller to Drone buffers start at 10 and go up [YINGFEI: what is max? 126?], while Drone to Controller buffers start at 127 and go down.
1.2.3 Sequence number (1 byte)
Each buffer has its own independent sequence number, which should be increased on each new data send, but not on retries. The ARNetwork library will ignore out-of-order and duplicate data, but will still send Acks for them if requested. If the backward gap in sequence number is too high (we use 10 in the ARNetwork library), then the frame is not considered out of order, and is instead accepted as the new reference sequence number.
1.2.4 Total size of the frame (4 bytes, Little endian)
1.2.5 Actual data (N bytes)
1.3 Multiple frames in one packet (patterns?)
The packet "(hex)01ba270800000042020bc30b00000012345678" can be split in the following way:
• Read the type of the first frame: (0x01), or Ack
• Read the buffer id of the first frame: (0xba)
• Read the size of the first frame: 0x00000008 (shown in human-readable byte order): 7 bytes of header + 1 byte of data
• Read the data of the first frame: 0x42
• Since there is remaining data in the buffer, start the process again for a second frame
For this example, we have an ack for buffer 0x0a, sequence number 0x42, and non-acknowledged data for buffer 0x0b, with content 0x78563412.
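The frame layout (1.2), the ACK rule (1.1) and the sequence-number rule (1.2.3) above, as an added example that is not Parrot's own ARNetwork code: a small Python walker that splits a UDP payload into frames, builds the ACK for a SYN frame, and decides whether a received sequence number is accepted. It assumes the 1-byte sequence counter wraps modulo 256 (the page does not say how wrap-around is handled); the payloads used in the comments are the ones quoted above.

```python
"""ARNetwork frame walker: added example, not Parrot's own ARNetwork code.
Frame layout from 1.2: type (1 byte), buffer id (1 byte), sequence number
(1 byte), total frame size (4 bytes, little endian), then the data bytes."""
import struct
from typing import List, NamedTuple

HEADER_LEN = 7
ACK_BUFFER_OFFSET = 128            # ack buffer id = 128 + data buffer id (1.1)
TYPE_NAMES = {1: "ACK", 2: "DATA", 3: "LOW_LATENCY", 4: "SYN"}

class Frame(NamedTuple):
    ftype: int
    buffer_id: int
    seq: int
    data: bytes

def parse_packet(payload: bytes) -> List[Frame]:
    """Split a UDP payload into frames; frames are simply concatenated (1.1).
    "01ba270800000042020bc30b00000012345678" yields an ACK frame and a DATA frame."""
    frames, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < HEADER_LEN:
            raise ValueError("truncated frame header at offset %d" % pos)
        ftype, buf_id, seq, size = struct.unpack_from("<BBBI", payload, pos)
        if ftype not in TYPE_NAMES:
            raise ValueError("unknown data type 0x%02x" % ftype)
        if size < HEADER_LEN or pos + size > len(payload):
            raise ValueError("bad frame size %d at offset %d" % (size, pos))
        frames.append(Frame(ftype, buf_id, seq, payload[pos + HEADER_LEN:pos + size]))
        pos += size
    return frames

def build_ack(frame: Frame, ack_seq: int) -> bytes:
    """Ack a SYN frame: type ACK, buffer 128 + data buffer, acked seq as the data.
    For "04 0b 42 0b000000 12345678" with ack_seq=1 this gives "01 8b 01 08000000 42"."""
    if frame.ftype != 4 or frame.buffer_id >= ACK_BUFFER_OFFSET:
        raise ValueError("only SYN frames on data buffers request an ack")
    data = bytes([frame.seq])
    header = struct.pack("<BBBI", 1, frame.buffer_id + ACK_BUFFER_OFFSET,
                         ack_seq, HEADER_LEN + len(data))
    return header + data

def accept_seq(last_seq: int, new_seq: int, max_gap: int = 10) -> bool:
    """Receiver rule from 1.2.3: duplicates and frames up to max_gap behind the
    reference are dropped; anything else becomes the new reference.
    Assumption: the 1-byte counter wraps modulo 256 (not stated on the page)."""
    back_gap = (last_seq - new_seq) % 256
    return back_gap > max_gap
```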
2. Profile feature #1: Different packet sizes have their own time interval distributions
First, we analyze the packet size distribution over all packets:
The X-axis shows the packet sizes observed in our data set, and the Y-axis the number of packets of each size. For example, there are around 4000 packets of size 134. As we can see, the majority sizes are 134, 137, 127, and 133 (80% of the total packets). Therefore, we use these 4 sizes to compare their time interval distributions:
The graph shows 2 data sets captured in different scenarios, one in the field and the other in the lab. The 4 pictures in the first row are from one data set, the 4 in the second row from the other. Each group of 4 pictures corresponds to the 4 majority sizes discussed above. The X-axis in each sub-plot is the interval rank for that size. The Y-axis is the time interval between a specific packet and its previous packet. We can see some similarity between the two data sets. If we can define a way to measure the similarity of two curves, I think we can use it as a feature to profile the data.
[YINGFEI: ok. We need to get the Intel or 3 DR plaintext traffic and perform a similar analysis, e.g., the distribution of top packet sizes (>80%). Then, we can show the differences in this feature.
(1) Collecting more Parrot plaintext traces. >10
(2) check what the packet sizes of WPA2 encrypted Parrot packets are
(3) collect Intel or 3 DR plaintext and encrypted traces
Our goal is to distinguish the encrypted traffic]
Hualiang: WPA2 for 3 DR has no padding pattern, or at least in our data set, it does not appear. The size of encrypted data = plain data + 44.
3. Profile feature #2: Find pattern sequences.
Many network protocols have sequence patterns, for example the 3-way handshake. There is a similar pattern for Parrot:
"data.data": "02:7f:c8:17:00:00:00:xx...",
followed by: "data.data": "02:7f:c9:13:00:00:00:xx...",
followed by: "data.data": "02:7f:ca:17:00:00:00:xx...",
followed by: "data.data": "02:7f:cb:0d:00:00:00:xx...",
And also SYN-ACK pattern:
Every time there is a "04:7e" sent by the drone, there will always be a "01:fe:xx" from the controller. The data size is 8 bytes. In our data sample, there are 208 pairs of this pattern out of 10000 packets. If we analyze the time interval between the SYN and the ACK of this pattern, we will see that the time interval distribution is similar to a normal distribution:
We then use Minimum Mean Square Error to fit a curve that describes this distribution. Then we can compare the curve in our profile with the curve we want to test. Below is a normal distribution curve that fits this data set:
Median of the data set: 618, Mean of the data set: 629.556
The repeated patterns may be related to Parrot protocols, e.g., in test_drone.c, mavlink_drone_poll_loop(mavlink_drone) is obviously a loop.
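Profile features #1 and #2 above as an added example, not the scripts behind the page's plots: a Python sketch that picks the packet sizes covering 80% of a trace, collects the per-size gaps to the preceding packet, and pairs each drone SYN on buffer 0x7e ("04 7e") with the next controller ACK on 0xfe ("01 fe"), reporting the mean and median delay. The trace is a constructed list of (timestamp, packet size, first two payload bytes); reading "previous packet" as the immediately preceding packet in the trace is an assumption.

```python
"""Profile features #1 and #2: added example, not the page's analysis scripts.
A trace is a list of (seconds, packet size, first two payload bytes)."""
from collections import Counter
from statistics import mean, median
from typing import Dict, List, Tuple

Trace = List[Tuple[float, int, bytes]]
SYN_HEAD, ACK_HEAD = b"\x04\x7e", b"\x01\xfe"  # drone SYN on 0x7e, controller ACK on 0xfe

# Constructed sample trace: DATA packets of a few sizes plus two SYN/ACK pairs.
SAMPLE: Trace = [
    (0.000, 134, b"\x02\x0a"), (0.025, 137, b"\x02\x0b"), (0.050, 134, b"\x02\x0a"),
    (0.075, 8, SYN_HEAD),      (0.076, 8, ACK_HEAD),      (0.100, 127, b"\x02\x0c"),
    (0.125, 134, b"\x02\x0a"), (0.150, 137, b"\x02\x0b"), (0.175, 8, SYN_HEAD),
    (0.177, 8, ACK_HEAD),      (0.200, 134, b"\x02\x0a"), (0.225, 134, b"\x02\x0a"),
]

def dominant_sizes(trace: Trace, coverage: float = 0.8) -> List[int]:
    """Most common packet sizes, taken in order until they cover >= `coverage`."""
    counts = Counter(size for _, size, _ in trace)
    chosen, covered = [], 0
    for size, n in counts.most_common():
        chosen.append(size)
        covered += n
        if covered >= coverage * len(trace):
            break
    return chosen

def gaps_by_size(trace: Trace, sizes: List[int]) -> Dict[int, List[float]]:
    """Feature #1: for each tracked size, the gap (s) to the preceding packet."""
    gaps = {s: [] for s in sizes}
    prev_t = None
    for t, size, _ in trace:
        if prev_t is not None and size in gaps:
            gaps[size].append(round(t - prev_t, 3))
        prev_t = t
    return gaps

def syn_ack_ms(trace: Trace) -> List[float]:
    """Feature #2: delay in ms from each SYN_HEAD packet to the next ACK_HEAD packet."""
    delays, pending = [], None
    for t, _, head in trace:
        if head == SYN_HEAD:
            pending = t                       # SYN seen, waiting for its ACK
        elif head == ACK_HEAD and pending is not None:
            delays.append(round((t - pending) * 1000, 3))
            pending = None
    return delays

def syn_ack_stats(trace: Trace) -> Tuple[float, float]:
    """(mean, median) of the SYN/ACK delays, the two figures quoted for the real trace."""
    delays = syn_ack_ms(trace)
    return (mean(delays), median(delays)) if delays else (0.0, 0.0)
```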
1/28 update:
1) ratio of multi-frame packets to total packets: 593:9908
2) number of packets for each packet type:
01: 251
02: 9172
03: 0
04: 235
3) average size for each packet type:
01: 8.0
02: 21.1
03: 0
04: 19.8
1. Comparing the 4 packets in the group: why are they sent as multiple packets rather than in one packet?
The average interval between packets in the whole data set is 248.397/9914 = 0.0251 seconds. The average interval between packets in the group is 0.0259 seconds. These are close enough to say that the packets in the group are sent continuously.
2. All multi-frame packets are of type 02.
3. 97.5% of the ACK packets' payloads act like a sequence number: each ACK packet's payload is the previous ACK packet's payload + 1.
2/12 update:
1) WiFi WPA2 encryption does not use padding. The encryption used affects the lengths of the wireless packets, but in a consistent way, i.e. all packets will be L bytes larger, where L is a constant, than they would have been without encryption.
So even if one cannot decrypt the packets, one can recover the original lengths easily. Reference: https://crypto.stackexchange.com/questions/10977/encoding-information-in-packet-lengths-to-actively-sidestep-encryption
2) WPA2 uses AES-CCMP. Reference: https://docs.microsoft.com/en-us/windows-hardware/drivers/network/aes-ccmp
3) CCMP encryption. Grabbed from YouTube: https://www.youtube.com/watch?v=QeDn7bgIpIU&t=89s
1. Parrot open source github page: https://github.com/Parrot-Developers
2. API document: http://developer.parrot.com/docs/bebop/#general-information
3. STREAM Source code: https://github.com/Parrot-Developers/libARStream
4. Library used by STREAM: https://github.com/Parrot-Developers/libARSAL/tree/master/Sources
5. Use xbox controller to control Parrot bebop: https://github.com/Parrot-Developers/bebop_mavlink_ctrl