I have some red team/pentest jobs coming up and I was trying to think of how I could get into an organisation with a bit of style while having some fun. I could walk through the door and plug in a USB charger cable somewhere, or send some elaborate phishing emails that have been artistically crafted to be so perfect that even I could fall for them. No, that doesn't seem that exciting to me. How about I break into your company systems using a drone?
I could load up a special attack platform on a tricked-out Raspberry Pi, attach it to a reliable drone with some great range and, snap, I could attack mobile phones, tablets, Wi-Fi networks and possibly much more if I get creative. In all honesty, I am slow to the party when it comes to using drones for hacking; there are several examples of this method being used. One particular drone concept was called Danger Drone. The creators of this unit stated that it could be used as essentially a hacker's laptop, but one that could be flown to a target location with minimal visibility of the device and no real threat to a malicious actor/red teamer. Back in 2016/2017, they did several basic demonstrations of how this device could be used for flyby hacking or mobile phone attacks to help find an entry point.
A great example of the effectiveness of this unit was the wireless mouse hijack demo that you can see here. In just a few seconds the victim’s laptop was breached: the guy picks up his coffee cup, presumably to go make himself a refill, and he is only out of the shot for 10-15 seconds. When he gets back there is a message on his screen indicating he had been hacked. This would be a very effective attack method, especially if you could boost the range so you aren’t hovering just outside the window (it’s a bit of a giveaway). Or let’s say the office was on the 20th floor: you could just scan the office for an empty desk, move in and boom, breached. Let’s take a deeper look into this type of attack.
Since 2016/2017 drones have shot into mainstream use, with a good quality drone setting you back anywhere from a few hundred dollars to around $3-4K. My choice for an off-the-shelf option would be a fishing drone like the one in the link, as they are waterproof, can handle wind gusts and have a payload carry and release option (apparently so it can carry a fishing line out from the shore to extend the reach of a fisherman’s cast). They also have good battery life, as well as GPS tracking and a fly-home feature that could come in handy. If you’re a DJI fan, one of their drones would work just as well; you would just need to choose the correct model for battery life and lift ability. Any other good quality DIY unit could be just as effective if you want to be a bit more custom (DJI does some very cool DIY kits starting around $200 and I am sure there are many more from other brands as well).
Create yourself some sort of Raspberry Pi or mini PC setup that is light enough to not chew through the battery life and you have a very effective mobile hacking platform. Just think about what you could do with a machine that you could fly into place and within minutes be actively breaching your target networks without anyone being any the wiser.
Let’s run a scenario here. Your business is a large enterprise with offices around the world; your office in Sydney or Brisbane is on the 21st floor and Wi-Fi is available 24/7. The Wi-Fi uses WPA2 security with a router that has not been updated in years. Computers are regularly left on and unlocked. There are even some iPads and tablets in the office, some of them with no security access requirements and Bluetooth always on.
An attacker has created a custom drone with an integrated video and Wi-Fi Raspberry Pi configuration that has a Wi-Fi range of 100-150 metres. The Raspberry Pi has a custom set of automated attack tools that it can run against multiple targets via Bluetooth, or through Wi-Fi once the network is breached. Within minutes a drone of this type could gain access to your systems, install malicious or remote-access software and be gone.
How do we defend against attacks like this? It's a tough vector to defend against, but there are some things we can do. Systems such as geo-fencing and radar can be used to help detect and stop drones from getting too close to company assets. Geo-fencing is a method used by airports to stop drones entering their space, but there has been evidence that the manufacturer configurations on drones can be bypassed (and have been). The best protection is good old-fashioned security hygiene.
Keep systems up to date so vulnerabilities are not available to exploit, and make sure Wi-Fi is configured to be as secure as possible, with all routers patched with the latest protections. Ensure machines are locked or turned off when staff are not in the office, use multifactor authentication, and if you leave devices on, make sure they are locked. These are simple and very effective solutions to a growing security threat.
Look, I think this idea is pretty fun and I may build myself a prototype one day, but at this time I think I will stick to the good old (on land) security attack methods for my red team engagements. If you have already built yourself a hacking drone or similar, I would love to hear about it. Or maybe you have some thoughts on how we better protect IoT infrastructure from these types of attacks moving forward.
Till next time…