[HN Gopher] DroneSploit - A pentesting console framework dedicat...
___________________________________________________________________
DroneSploit - A pentesting console framework dedicated to drones
Author : Researcherry
Score : 88 points
Date : 2021-10-02 14:34 UTC (8 hours ago)
| kevinsundar wrote:
| Just curious, what non-toy drones these days use wifi for their
| control link? I've been in the hobby drone space for 5 years and
| really have only seen cheap toy drones use wifi (due to limited
| range).
|
| I know DJI uses some communication method built on top of wifi,
| but is it the type that is susceptible to standard wifi-based
| attacks?
| jcims wrote:
| Not many, but that's just PHY stuff. The threat model is really
| the barycenter of these targeted offensive security platforms.
| Adding support for new protocols is generally trivial if
| there's an option, and a place to leverage them will tend to
| incentivize development when there isn't.
| dapids wrote:
| No, adding support for new protocols is far from trivial.
| There are so many factors that can make this non-trivial, such
| as encryption, channel hopping, DSS, hardware required, etc.
| jcims wrote:
| I spent about eight years working alongside a software
| defined radio project. I saw the effect first hand. If you
| build an ecosystem in which folks with the appropriate
| skills can make a contribution, they tend to show up.
|
| The main challenge is licensing, not technical
| sophistication. Most of the protocols in question are quite
| a bit less complex than wifi or Bluetooth.
| lazide wrote:
| "Just PHY stuff" is a pretty big barrier though, isn't it?
| khancyr wrote:
| Yep, and not so many recent examples: Tello, Bebop... Those are
| quite old and well open to allow external control from custom
| software.
| Rebelgecko wrote:
| On older DJI Phantoms, you could connect to the wifi hotspot
| and SSH into the drone. Not sure if that's still possible.
| meltedcapacitor wrote:
| Disappointed it is not about pentesting by physically sending
| drones into data centers through the ventilation pipes.
| ganoushoreilly wrote:
| There are some cases of drone use in pentests that, while less
| exciting than flying in vent pipes, I still enjoyed. I had a
| pentest with a large cargo and shipping facility on the east
| coast and used off-the-shelf commodity equipment. We stripped
| hardware to the bare minimum in size to reduce weight,
| connected a cellular modem to a Raspberry Pi powered by battery
| and landed the drone on top of a building on the yard (that
| turned out to be a union break facility). The intention was to
| design it so that we would never recover it (granted it was
| authorized, so we indeed recovered it). It gave us enough time
| to passively collect the data needed to breach the wifi in the
| break room / building, which in turn was hard-lined into the
| main network.
|
| All in, I think the expenses were around $1200 total for the
| drone, and this was like 8 years ago. Not something most would
| be willing to waste, but with time and effort you could make
| something now for probably a third the cost.
|
| We also used a similar setup wired into a jet ski that we left
| attached to an adjacent dock once, too. I can only imagine what
| others are doing ;D
| idiotsecant wrote:
| Always curious about this - I work in infrastructure that
| would be a major public safety issue if it was compromised,
| and our security seems equal parts useless and overly focused
| on things that don't matter. We did some pentesting at one
| point, and when it was demonstrated that security was
| demonstrably trivial to breach, rather than getting to work
| fixing things it was hushed up internally and nobody
| important ever saw it.
|
| Do your customers actually pay you to break security and then
| act on what is found? Or are most of them paying you to
| demonstrate that their security is perfect and then quietly
| burying results if they don't go that way?
| ganoushoreilly wrote:
| It's a good question and it's one that can go either way
| depending on the pentesting company. In the first security
| startup I founded, we took most contracts large and small
| with only standard questioning. We found that, while
| sometimes we made less upfront, the clients were more
| in sync with solving a known or suspected problem and were
| using the pentest as part of moving forward.
|
| There are tons of companies looking for simple check boxes,
| or affirmations. Tons that don't acknowledge their issues.
| I can say first hand that I had a project I was involved
| with that identified a substantial breach at a company
| under acquisition for an obscene amount of money. Most M&A
| seem to skip technical diligence beyond code review. Long
| story short, there were actually three separate issues /
| actors within the network. They even had one authorized
| access by a competitor that a salesman had naively set up
| under the guise of a collaboration. They paid for the
| onsite investigation, then realized that it was going to
| create a PR nightmare based on our findings. It would have
| been a huge exposure that would counter the obscene amount
| of marketing they were doing for the tech acquired. Their
| response was to not only ignore us (I'm assuming they
| eventually fixed things) but refuse to pay for the
| investigation performed, and basically said: we're a
| billion dollar company, what are you going to do, sue us? We
| got stiffed with probably a quarter mill in work because
| they were right. Worst part is we called them to let them
| know originally because we found EXTREMELY sensitive source
| code and documentation of a crypto nature. Incidentally, we
| saw some 0-days later on that leveraged undocumented
| functions that were curiously documented in our findings.
|
| So yeah, you see it all. That's why I love working with
| startups: make less, but they're appreciative, and long term
| relationships are more worth it for us.
| ianelbert wrote:
| Me too
| R0b0t1 wrote:
| Hack a drone to pentest with that same drone. Genius.
___________________________________________________________________
(page generated 2021-10-02 23:00 UTC)