DroneSploit – A pentesting console framework dedicated to drones
Disappointed it is not about pentesting by physically sending drones into data centers through the ventilation pipes.
There are some cases of drone use in pentests that, while less exciting than flying in vent pipes, I still enjoyed. I had a pentest with a large cargo and shipping facility on the East Coast and used off-the-shelf commodity equipment. We stripped hardware to the bare minimum in size to reduce weight, connected a cellular modem to a Raspberry Pi powered by battery and landed the drone on top of a building on the yard (that turned out to be a union break facility). The intention was to design it so that we would never recover it (granted it was authorized, so we indeed recovered it). It gave us enough time to passively collect the data needed to breach the wifi in the break room / building, which in turn was hard-lined into the main network.
All in, I think the expenses were around $1200 total for the drone, and this was like 8 years ago. Not something most would be willing to waste, but with time and effort you could make something now for probably a third the cost.
We also used a similar setup wired into a jet ski that we left attached to an adjacent dock once too. I can only imagine what others are doing ;D
Always curious about this - I work in infrastructure that would be a major public safety issue if it was compromised, and our security seems equal parts useless and overly focused on things that don't matter. We did some pentesting at one point, and when it was demonstrated that security was demonstrably trivial to breach, rather than getting to work fixing things it was hushed up internally and nobody important ever saw it.
Do your customers actually pay you to break security and then act on what is found? Or are most of them paying you to demonstrate that their security is perfect and then quietly burying results if they don't go that way?
It's a good question and it's one that can go either way depending on the pentesting company. In my first security startup, which I founded, we took most contracts large and small with only standard questioning. We found that while sometimes we made less upfront, the clients that were more in sync with solving a known or suspected problem and were using the pentest as part of moving forward.
There are tons of companies looking for simple check boxes, or affirmations. Tons that don't acknowledge their issues. I can say firsthand that I had a project I was involved with that identified a substantial breach at a company under acquisition for an obscene amount of money. Most M&A seem to skip technical diligence beyond code review. Long story short, there were actually three separate issues / actors within the network. They even had one authorized access by a competitor that a salesman had naively set up under the guise of a collaboration. They paid for the onsite investigation, then realized that it was going to create a PR nightmare based on our findings. It would have been a huge exposure that would counter the obscene amount of marketing they were doing for the tech acquired. Their response was to not only ignore us (I'm assuming they eventually fixed things) but refuse to pay for the investigation performed, and basically said: we're a billion dollar company, what are you going to do, sue us? We got stiffed with probably a quarter mill in work because they were right. Worst part is we called them to let them know originally because we found EXTREMELY sensitive source code and documentation of a crypto nature. Incidentally, we saw some 0-days later on that leveraged undocumented functions that were curiously documented in our findings.
So yeah, you see it all. That's why I love working with startups: make less, but they're appreciative and long term relationships are more worth it for us.
Hack a drone to pentest with that same drone. Genius.
Me too
Just curious, what non-toy drones these days use wifi for their control link? I've been in the hobby drone space for 5 years and really have only seen cheap toy drones use wifi (due to limited range).
I know DJI uses some communication method built on top of wifi, but is it the type that is susceptible to standard wifi-based attacks?
On older DJI Phantoms, you could connect to the Wifi hotspot and SSH into the drone. Not sure if that's still possible.
Yep, and some not-so-recent examples: Tello, Bebop... Those are quite old and well open to external control from custom software.
Not many, but that's just PHY stuff. The threat model is really the barycenter of these targeted offensive security platforms. Adding support for new protocols is generally trivial if there's an option, and a place to leverage them will tend to incentivize development when there isn't.
No, adding support for new protocols is far from trivial. There are so many factors that can make this non-trivial, such as encryption, channel hopping, DSS, hardware required, etc.
I spent about eight years working alongside a software defined radio project. I saw the effect first hand. If you build an ecosystem in which folks with the appropriate skills can make a contribution, they tend to show up.
The main challenge is licensing, not technical sophistication. Most of the protocols in question are quite a bit less complex than wifi or Bluetooth.
“Just PHY stuff” is a pretty big barrier though isn’t it?