Modified off-the-shelf drones carrying a wireless network intrusion kit have been found in a very unlikely location.
The idea of using consumer-focused drones for hacking has been explored at security conferences like Black Hat 2016 in both the US and Europe over the past decade. Naomi Wu, a DIY tech enthusiast, demonstrated a related project called Screaming Fist in 2017. And in 2013, security researcher Samy Kamkar demonstrated his SkyJack drone, which used a Raspberry Pi to take over other drones over Wi-Fi.
Now these types of attacks are actually taking place.
Greg Linares, a security researcher, recently reported what he believes happened over the summer at a financial firm on the US East Coast that focuses on private investments. He told The Register that he was not directly involved in the investigation, but interacted with those involved as part of his work in the financial sector.
The Register corresponded with a person associated with the company concerned, who confirmed Linares' statements and asked not to be identified due to a non-disclosure agreement and labor law concerns.
In a Twitter thread, Linares said the hacking incident was discovered when the financial company noticed unusual activity on its internal Atlassian Confluence page originating from within the company's own network.
The company’s security team responded and found that the user whose MAC address was used to gain partial access to the company’s Wi-Fi network was also logged in at home several miles away. That is, the user was active off-site, but someone within the building’s Wi-Fi range attempted to use that user’s MAC address wirelessly, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.
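The tell described above is a correlation problem: the same account appearing on the building's Wi-Fi and on a remote session miles away at the same time. The following is an added, constructed illustration of that check (not code from the article, from Linares, or from the firm involved); the log formats, field names, access-point names and every sample record are invented for the example, and the one-hour overlap window is an arbitrary assumption.

```python
"""Flag users who are associated to the corporate Wi-Fi while also logged in remotely.

Added illustration; log formats, field names and all sample records are constructed.
"""
from datetime import datetime, timedelta

# Constructed Wi-Fi controller association log: time, user, client MAC, access point
WIFI_LOG = """\
2022-07-14T09:02:11 jdoe aa:bb:cc:dd:ee:01 AP-ROOF-NE
2022-07-14T09:05:40 asmith aa:bb:cc:dd:ee:02 AP-FLOOR3-W
2022-07-14T09:10:05 jdoe aa:bb:cc:dd:ee:01 AP-ROOF-NE
"""

# Constructed remote-access (VPN) log: time, user, public source IP of the session
VPN_LOG = """\
2022-07-14T08:55:30 jdoe 198.51.100.23
2022-07-14T09:30:12 bjones 203.0.113.9
"""


def parse(text, fields):
    """Parse whitespace-separated log lines into dicts; 'ts' becomes a datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def find_dual_presence(wifi_text, vpn_text, window_minutes=60):
    """Return one alert per (user, MAC, AP) where that user's Wi-Fi association and a
    remote VPN session fall within window_minutes of each other (assumed threshold)."""
    window = timedelta(minutes=window_minutes)
    wifi = parse(wifi_text, ["ts", "user", "mac", "ap"])
    vpn = parse(vpn_text, ["ts", "user", "src_ip"])
    alerts = {}
    for w in wifi:
        for v in vpn:
            if w["user"] != v["user"] or abs(w["ts"] - v["ts"]) > window:
                continue
            key = (w["user"], w["mac"], w["ap"])
            if key not in alerts:  # keep the earliest on-site sighting per key
                alerts[key] = {
                    "user": w["user"],
                    "mac": w["mac"],
                    "ap": w["ap"],
                    "first_wifi_seen": w["ts"].isoformat(),
                    "vpn_seen": v["ts"].isoformat(),
                    "vpn_src_ip": v["src_ip"],
                }
    return sorted(alerts.values(), key=lambda a: a["first_wifi_seen"])


def aps_to_sweep(alerts):
    """Access points whose coverage area should be physically checked."""
    return sorted({a["ap"] for a in alerts})


if __name__ == "__main__":
    found = find_dual_presence(WIFI_LOG, VPN_LOG)
    for alert in found:
        print(alert)
    print("sweep coverage of:", aps_to_sweep(found))
```

The access-point name is the useful output for responders: it narrows the physical area to sweep, which is the step the team in the story carried out with a signal-locating tool before reaching the roof.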
“This led the team to the roof, where a ‘Modified DJI Matrice 600’ and a ‘Modified DJI Phantom’ series were discovered,” explained Linares.
The Phantom drone was in good condition and carried a modified Wi-Fi Pineapple, a device used for network penetration testing, Linares said. The Matrice drone carried a case containing a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared damaged but still operational.
“During their investigation, they found that the DJI Phantom drone had originally been used a few days earlier to intercept a worker’s credentials and WiFi,” Linares said. “This data was later hard-coded into the tools provided with Matrice.”
According to Linares, the tools on the drones were used to target the company’s internal Confluence page in order to access other internal devices with the access data stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he has seen in the past two years.
“The attackers specifically targeted a network with limited access, used by both third parties and internally, and due to recent changes in the organization (e.g. one of these scenarios),” Linares told The Register.
“For this reason, unfortunately, this temporary network only had limited access to log in (credentials + MAC security). The attackers used the attack to access an internal IT Confluence server that contained other credentials for accessing other resources and storing IT procedures.”
Long-term problem comes alive
Linares said he worked on a drone project to test network attack capabilities in 2011, and at the time performance, transport weight and range were limiting factors.
“We revisited it in 2015 and drone technology had come a long way,” he said. “Now, in 2022, we are seeing truly amazing drone advances in terms of performance, range and capabilities (for example, the amazing synchronized drone China is releasing is absolutely fantastic).”
“This coupled with drone payload options that are getting smaller and more powerful – e.g. the Flipper Zero kit – … makes viable attack packages to use sensibly,” Linares said. “Fintech/crypto and supply chain or critical third party software targets would be ideal targets for these attacks, where an attacker can easily cover their initial operating costs with immediate financial gain or access to more lucrative targets.”
Although the attacker’s identity has not been released, Linares believes those responsible did their homework.
“This was definitely a threat actor that probably had internal reconnaissance for several weeks, was physically close to the target environment, had a reasonable budget, and knew its physical security limitations,” he said.
Sean Gallagher, senior threat researcher at Sophos, told The Register the attack described was something people have done using Wi-Fi Pineapples, or the equivalent “warwalking”.
“They kick a user off the real network and try to get them to connect to your fake network,” he explained. “Honestly, for most organizations, this is very low on the threat modeling priority list unless there is very specific targeting, especially when there are so many other ways to gain network access without being physically present.”
Still, it can be worth checking the roof every now and then for parked or hovering drones.
https://www.theregister.com/2022/10/12/drone-roof-attack/ Wi-Fi spy drones to spy on financial companies • The Register