[HN Gopher] DroneSploit - A pentesting console framework dedicated to drones
Author : Researcherry
Score  : 88 points
Date   : 2021-10-02 14:34 UTC (8 hours ago)
web link (github.com)

kevinsundar wrote:
  Just curious, what non-toy drones these days use wifi for their control link? I've been in the hobby drone space for 5 years and really have only seen cheap toy drones use wifi (due to limited range).

  I know DJI uses some communication method built on top of wifi, but is it the type that is susceptible to standard wifi-based attacks?

  jcims wrote:
    Not many, but that's just PHY stuff. The threat model is really the barycenter of these targeted offensive security platforms. Adding support for new protocols is generally trivial if there's an option, and a place to leverage them will tend to incentivize development when there isn't.

    dapids wrote:
      No, adding support for new protocols is far from trivial. There are so many factors that can make this non-trivial, such as encryption, channel hopping, DSS, hardware required, etc.

      jcims wrote:
        I spent about eight years working alongside a software defined radio project. I saw the effect first hand. If you build an ecosystem in which folks with the appropriate skills can make a contribution, they tend to show up.

        The main challenge is licensing, not technical sophistication. Most of the protocols in question are quite a bit less complex than wifi or Bluetooth.

    lazide wrote:
      "Just PHY stuff" is a pretty big barrier though, isn't it?

  khancyr wrote:
    Yep, and not-so-recent examples: Tello, Bebop... Those are quite old and well open to allow external control from custom software.

  Rebelgecko wrote:
    On older DJI Phantoms, you could connect to the wifi hotspot and SSH into the drone. Not sure if that's still possible.

meltedcapacitor wrote:
  Disappointed it is not about pentesting by physically sending drones into data centers through the ventilation pipes.

  ganoushoreilly wrote:
    There are some cases of drone use in pentests that, while less exciting than flying in vent pipes, I still enjoyed. I had a pentest with a large cargo and shipping facility on the east coast and used off-the-shelf commodity equipment. We stripped hardware to the bare minimum in size to reduce weight, connected a cellular modem to a Raspberry Pi powered by battery and landed the drone on top of a building on the yard (that turned out to be a union break facility). The intention was to design it so that we would never recover it (granted it was authorized, so we indeed recovered it). It gave us enough time to passively collect the data needed to breach the wifi in the break room / building, which in turn was hard-lined into the main network.

    All in, I think the expenses were around $1200 total for the drone, and this was like 8 years ago. Not something most would be willing to waste, but with time and effort you could make something now for probably a third the cost.

    We also used a similar setup wired into a Jetski that we left attached to an adjacent dock once too. I can only imagine what others are doing ;D

    idiotsecant wrote:
      Always curious about this - I work in infrastructure that would be a major public safety issue if it was compromised, and our security seems equal parts useless and overly focused on things that don't matter. We did some pentesting at one point, and when it was demonstrated that security was demonstrably trivial to breach, rather than getting to work fixing things it was hushed up internally and nobody important ever saw it.

      Do your customers actually pay you to break security and then act on what is found? Or are most of them paying you to demonstrate that their security is perfect and then quietly burying results if they don't go that way?

      ganoushoreilly wrote:
        It's a good question and it's one that can go either way depending on the pentesting company. In the first security startup I founded, we took most contracts, large and small, with only standard questioning. We found that while sometimes we made less upfront, the clients that were more in sync with solving a known or suspected problem and were using the pentest as part of moving forward.

        There are tons of companies looking for simple check boxes, or affirmations. Tons that don't acknowledge their issues. I can say first hand that I had a project I was involved with that identified a substantial breach at a company under acquisition for an obscene amount of money. Most M&A seem to skip technical diligence beyond code review. Long story short, there were actually three separate issues / actors within the network. They even had one authorized access by a competitor that a salesman had naively set up under the guise of a collaboration. They paid for the onsite investigation, then realized that it was going to create a PR nightmare based on our findings. It would have been a huge exposure that would counter the obscene amount of marketing they were doing for the tech acquired. Their response was to not only ignore us (I'm assuming they eventually fixed things) but refuse to pay for the investigation performed and basically said... we're a billion dollar company, what are you going to do, sue us? We got stiffed with probably a quarter mill in work because they were right. Worst part is we called them to let them know originally because we found EXTREMELY sensitive source code and documentation of a crypto nature. Incidentally, we saw some 0-days later on that leveraged undocumented functions that were curiously documented in our findings.

        So yeah... you see it all. That's why I love working with startups: make less, but they're appreciative, and long term relationships are more worth it for us.

        ianelbert wrote:
          Me too

R0b0t1 wrote:
  Hack a drone to pentest with that same drone. Genius.

(page generated 2021-10-02 23:00 UTC)