
Drone hijacking and other IoT device hacking


Alexander Chemeris, CEO and founder, Fairwaves, Inc. (Alexander.Chemeris@fairwaves.co)
Sergey Kostanbaev, Head of engineering and founder, Fairwaves, Inc. (Sergey.Kostanbaev@fairwaves.co)
Arthur Garipov, Senior Specialist, Network Application Security Team, Positive Technologies (chopengauer@gmail.com)
Pavel O Novikov, Senior Specialist, Network Application Security Team, Positive Technologies (ponovikov@ptsecurity.com)

GNURadio Conference’16
nRF24 chips and other crunchy things
nRF24 chip
• Extremely popular
• Inexpensive 2.4 GHz RF transceivers
• 2.4 GHz ISM band
• On-air data rate up to 2 Mbps
(selectable 250 kbps, 1 Mbps or 2 Mbps)
https://github.com/TMRh20/RF24
nRF24 chip clones

https://sigrok.org/wiki/Protocol_decoder:Nrf24l01
nRF24 + Raspberry Pi based scanner

https://github.com/chopengauer/nrf_analyze
A little more expensive - XTRX SDR

• Small size
• Embedded friendly
• Low latency
• From 2x2 to 16x16 MIMO
and more
• Inexpensive
• Same board for hobbyists,
massive MIMO R&D and
production BTS/eNodeBs

https://xtrx.io
A little more expensive - XTRX SDR

• 100 kHz to 3.8 GHz
• ADC up to 160 MSPS
• DAC up to 640 MSPS
• 160 MHz RF bandwidth
• SIM card connector
• TCXO + GPSDO clock
• MiniPCIe x2

https://xtrx.io
GNURadio based scanner

http://blog.ptsecurity.com/2016/06/phd-vi-how-they-stole-our-drone.html
nRF24 packet format

― Common (ShockBurst) packet: preamble, address, fixed-length payload, CRC

― Enhanced ShockBurst packet (nRF24L01+): as above, with a 9-bit packet control field
(6-bit payload length, 2-bit packet ID, 1-bit NO_ACK) between address and payload
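Added example, not code from the talk, from nrf_analyze or from any project linked on these slides: a bit-exact Python encoder/decoder for the two frame layouts above, plus the bit-sliding CRC search that a sniffer (the nRF24 + Raspberry Pi scanner, or a GNU Radio scanner fed by a GFSK demodulator) needs when the target address is not yet known. Field widths, preamble rule and CRC polynomials/initial values are taken from the nRF24L01+ datasheet; the sample address and payload are constructed for the demonstration.

```python
"""nRF24L01(+) air frames: legacy ShockBurst and Enhanced ShockBurst, bit-exact.

On the air (MSB first): preamble (1 byte: 0xAA if the first address bit is 1, else 0x55),
address (3..5 bytes), PCF (Enhanced only, 9 bits: 6-bit payload length, 2-bit PID, 1-bit
NO_ACK), payload (0..32 bytes; a pre-agreed fixed length for legacy ShockBurst) and a CRC
(1 or 2 bytes) over address + PCF + payload.  CRC-8 is x^8+x^2+x+1 with init 0xFF,
CRC-16 is x^16+x^12+x^5+1 with init 0xFFFF (datasheet values, not measured here).
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

CRC_POLY = {8: 0x07, 16: 0x1021}

def bytes_to_bits(data: bytes) -> List[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def int_to_bits(value: int, width: int) -> List[int]:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def bits_to_int(bits: List[int]) -> int:
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value

def bits_to_bytes(bits: List[int]) -> bytes:
    bits = bits + [0] * (-len(bits) % 8)            # pad the tail to a byte boundary
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))

def crc_bits(bits: List[int], width: int) -> int:
    """Bit-serial CRC: needed because the 9-bit PCF leaves nothing after it byte-aligned."""
    poly, mask, top = CRC_POLY[width], (1 << width) - 1, 1 << (width - 1)
    crc = mask                                        # initial value: all ones
    for bit in bits:
        feedback = bool(crc & top) ^ bool(bit)
        crc = (crc << 1) & mask
        if feedback:
            crc ^= poly
    return crc

@dataclass
class Nrf24Frame:
    address: bytes
    payload: bytes
    crc_ok: bool
    pid: Optional[int] = None      # Enhanced ShockBurst only
    no_ack: Optional[bool] = None  # Enhanced ShockBurst only

def build_frame(address, payload, enhanced=True, crc_len=2, pid=0, no_ack=False) -> bytes:
    """Encode a frame as the chip puts it on the air (preamble included, tail zero-padded)."""
    assert 3 <= len(address) <= 5 and len(payload) <= 32 and crc_len in (1, 2)
    body = bytes_to_bits(address)
    if enhanced:
        body += int_to_bits((len(payload) << 3) | ((pid & 3) << 1) | int(no_ack), 9)
    body += bytes_to_bits(payload)
    body += int_to_bits(crc_bits(body, crc_len * 8), crc_len * 8)
    preamble = 0xAA if address[0] & 0x80 else 0x55
    return bits_to_bytes(int_to_bits(preamble, 8) + body)

def parse_at(bits, addr_len, enhanced=True, crc_len=2, payload_len=None) -> Optional[Nrf24Frame]:
    """Decode the frame whose preamble starts at bits[0]; None if truncated or implausible."""
    pos = 8
    addr_bits, pos = bits[pos:pos + addr_len * 8], pos + addr_len * 8
    pcf: List[int] = []
    if enhanced:
        pcf, pos = bits[pos:pos + 9], pos + 9
        if len(pcf) < 9 or bits_to_int(pcf[:6]) > 32:
            return None                               # no real PCF looks like this
        plen, pid, no_ack = bits_to_int(pcf[:6]), bits_to_int(pcf[6:8]), bool(pcf[8])
    else:
        if payload_len is None:
            raise ValueError("legacy ShockBurst has no length field; pass payload_len")
        plen, pid, no_ack = payload_len, None, None
    pay_bits, pos = bits[pos:pos + plen * 8], pos + plen * 8
    crc_field = bits[pos:pos + crc_len * 8]
    if (len(addr_bits) < addr_len * 8 or len(pay_bits) < plen * 8
            or len(crc_field) < crc_len * 8):
        return None
    crc_ok = crc_bits(addr_bits + pcf + pay_bits, crc_len * 8) == bits_to_int(crc_field)
    return Nrf24Frame(bits_to_bytes(addr_bits), bits_to_bytes(pay_bits), crc_ok, pid, no_ack)

def find_frames(bits, addr_lens=(5, 4, 3), crc_len=2) -> Iterator[Tuple[int, int, Nrf24Frame]]:
    """Sniffer core for an unknown address: slide bit by bit over a raw demodulated stream
    and yield (bit offset, address length, frame) wherever a preamble and a good CRC line up."""
    for off in range(len(bits) - 7):
        if bits_to_int(bits[off:off + 8]) in (0xAA, 0x55):
            for addr_len in addr_lens:
                frame = parse_at(bits[off:], addr_len, crc_len=crc_len)
                if frame is not None and frame.crc_ok:
                    yield off, addr_len, frame

if __name__ == "__main__":
    # Constructed sample (not a capture): 5-byte address, 3-byte payload, five junk bits in front.
    wire = build_frame(b"\xE7\xE7\xE7\xE7\xE7", b"\x01\x02\x03", pid=2)
    for off, alen, fr in find_frames([1, 1, 0, 0, 1] + bytes_to_bits(wire)):
        print(f"bit {off}: addr_len={alen} addr={fr.address.hex()} payload={fr.payload.hex()} "
              f"pid={fr.pid} no_ack={fr.no_ack}")
```

Two things a practitioner should take from it: the CRC is the only integrity check on the air, so with no encryption (the Syma case later in the deck) anyone who can build a CRC-valid frame can drive the device; and because the PCF is 9 bits, everything after the address is shifted by one bit, which is why a sniffer has to work bit-serially rather than on byte-aligned captures.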
Drone hacking is fun
Syma drone

• BK2423 chip (an nRF24 clone)
• 250 kbps on-air data rate (the lowest nRF24 rate)
• Starts on channel 9 for synchronization
• Frequency hops over 4 channels while operating
• The 4 channel numbers are derived from the device address
• No encryption
Drone hacking demo
Send more packets!
Keyboard hacking is scary
Mousejack

https://www.mousejack.com/
Microsoft keyboard and mouse
• Also uses nRF24, at the 2 Mbps data rate
• Listens to 4 devices
• Keyboard channel is encrypted
• Mouse channel is NOT encrypted (woo...)
• Mouse channel accepts keyboard packets (huh!)
Keyboard hacking demo
Fuzz it!
Prior art / Other NRF24 hacks
• Travis Goodspeed
https://github.com/travisgoodspeed/goodfet
• Marc Newlin / Bastille Networks
http://insecurityofthings.com/
• Thorsten Schröder and Max Moser of the KeyKeriki v2.0 project
http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html
• nRF24L01 multi-protocol RC transmitter
https://github.com/goebish/nrf24_multipro/tree/master/nRF24_multipro
• Deviation firmware for various RC Transmitters
https://github.com/DeviationTX/deviation
Thank you!