Writing Secure Mobile Apps for Drones

Godfrey Nolan

Transcript of Writing Secure Mobile Apps for Drones

Presentation Overview

• How to hack a drone

• Famous Drone Hacks

• Mobile Apps

• Manufacturer’s SDKs

• Top 10 Mobile Security Risks

• Best Practices

• Resources

9/11/2017 Writing Secure Mobile Apps 2

01.How to hack a drone

How to hack a drone

• Connect via Wi-Fi (open ssh/telnet services on the drone’s access point)

• Using RF (GNU Radio/HackRF)

• Hijack video

• Physical attack

• Jamming

• Mobile apps

02.Famous drone hacks

Some (relatively) famous drone hacks


03.Mobile apps

Mobile Apps


04.Manufacturer’s SDKs

Manufacturer’s SDKs


05.Top 10 Mobile Security Risks

OWASP Top 10 Mobile Security Risks (2016 list)

• M1 – Improper Platform Usage

• M2 – Insecure Data Storage

• M3 – Insecure Communication

• M4 – Insecure Authentication

• M5 – Insufficient Cryptography

• M6 – Insecure Authorization

• M7 – Client Code Quality

• M8 – Code Tampering

• M9 – Reverse Engineering

• M10 – Extraneous Functionality


M2 – Insecure Data Storage

• Don’t store passwords, SSNs etc. on the device

• Use multi-factor authentication

• Enforce access control on both the client and the server

• "Sensitive data should be encrypted and very sensitive data should be stored on server" - Zapata
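One concrete way to follow the bullets above: keep the password off the phone entirely and have the app persist only a short-lived, server-issued session token that the server can expire. This is an added example in Python using only the standard library; it is not code from the talk. The token format (base64url JSON claims plus an HMAC-SHA256 tag), the in-memory signing key and the user id are assumptions for illustration. In a real deployment the key lives only on the server (for example in a KMS), and the token itself goes in keystore-backed storage rather than plain SharedPreferences or NSUserDefaults.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed server-side signing key. It never ships in the app; generating it
# here only makes the example self-contained.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, key: bytes = SERVER_KEY,
                now: Optional[int] = None) -> str:
    """Server side: mint an opaque, expiring session token after a successful
    login (plus a second factor, as the slide recommends). The app stores only this."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds,
              "jti": secrets.token_hex(8)}   # unique id so a session can be revoked
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[int] = None) -> Optional[dict]:
    """Server side: return the claims if the tag is valid and the token has not
    expired, else None. Every request is checked here, so access control holds
    on the server even when the client has been tampered with."""
    now = int(time.time()) if now is None else now
    try:
        body, tag_b64 = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):  # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong field count, bad base64, or bad JSON
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired: the app has to re-authenticate
    return claims


def app_local_storage(token: str) -> dict:
    """What the mobile app persists locally: the session token and nothing else.
    No password, no SSN, nothing the server cannot invalidate by expiring the session."""
    return {"session_token": token}


if __name__ == "__main__":
    t = issue_token("pilot01", ttl_seconds=900)
    print(app_local_storage(t))
    print(verify_token(t))
```

The expiry check is what makes "expire sessions" enforceable: an attacker who pulls the app’s data directory from a rooted phone gets a token that stops working after the TTL, not a reusable password.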

M3 – Insecure Communication

M5 – Insufficient Cryptography

M6 – Insecure Authorization

M9 – Reverse Engineering

Jailbreaking & Rooting

06.Best Practices

Best Practices

• Don’t store any sensitive user info locally

• No hard coding API keys

• Use certificate (SSL/TLS) pinning and the SafetyNet Attestation API

• Expire sessions

• Trust but verify

• Turn on obfuscation

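A check for the "no hard-coded API keys" and "reverse engineering" points above: anyone with the APK can run apktool or jadx and grep the output, so run the grep yourself before shipping. The following is an added example in Python and is not code from the talk. It scans decompiled Android sources for key-shaped strings; the file names and contents are constructed sample input, the AWS example key is Amazon’s published placeholder, and the two prefix patterns are the publicly documented formats (AWS access key ids start with AKIA, Google API keys with AIza). The entropy threshold is an assumption to tune.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Strings that should never be in an APK. The first two are the documented
# formats of AWS access key ids and Google API keys; the third catches plain
# assignments such as  apiSecret = "..."  in Java, Kotlin, smali or XML.
PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "credential_assignment": re.compile(
        r'(?i)(api[_-]?key|secret|passw(?:or)?d|token)\w*\s*[=:>]\s*"([^"]{6,})"'),
}
# Any quoted, space-free token this long and this random-looking is worth a look.
HIGH_ENTROPY = re.compile(r'"([A-Za-z0-9+/=_\-]{20,})"')
ENTROPY_BITS_PER_CHAR = 3.5  # assumed threshold; hex and base64 secrets sit well above it


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_sources(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (file, line number, rule, matched text) for every suspicious string."""
    findings = []
    for name, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for rule, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append((name, lineno, rule, m.group(0)))
            for m in HIGH_ENTROPY.finditer(line):
                token = m.group(1)
                if shannon_entropy(token) >= ENTROPY_BITS_PER_CHAR:
                    findings.append((name, lineno, "high_entropy_string", token))
    return findings


# Constructed sample of what apktool/jadx output looks like for a drone app.
SAMPLE_SOURCES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">DroneController</string>\n'
        '    <string name="cloud_api_key">AIzaSyDEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY01</string>\n'
        "</resources>\n"),
    "com/example/drone/TelemetryUploader.java": (
        "public class TelemetryUploader {\n"
        '    private static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        '    private static final String apiSecret = "s3cr3t-drone-2017";\n'
        '    private static final String ENDPOINT = "https://telemetry.example.com/v1";\n'
        "}\n"),
    "smali/com/example/drone/Auth.smali": (
        '    const-string v0, "7f3a9c1e5b2d8e4f6a0c9b1d3e5f7a2c"\n'
        '    const-string v1, "Connecting to drone, please wait"\n'),
}

if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES):
        print("%s:%d [%s] %s" % finding)
```

Obfuscation (the last bullet) renames classes and methods but does not touch string constants, which is why the scan looks at quoted strings: a key that is in the APK is recoverable whatever ProGuard did to the code around it.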

07.Good News Bad News

Good News

• Google and Apple are starting to help

• SafetyNet Attestation reports whether the device passes basic integrity and CTS compatibility checks; a rooted or tampered device normally fails them

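SafetyNet only helps if the verdict is checked on the server, not in the app that an attacker controls. The following is an added example in Python of that server-side half and is not code from the talk: the app forwards the JWS it received from the Attestation API, and the backend applies its policy to the claims. The claim names (nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, ctsProfileMatch, basicIntegrity) are those of the SafetyNet payload; the package name, certificate digest, nonce and clock are constructed sample values, and the JWS is built locally with a dummy signature so the example runs offline. Verifying the JWS signature against its x5c certificate chain (issued for attest.android.com) must happen before any of these checks and is not shown here. SafetyNet Attestation has since been retired in favour of the Play Integrity API, whose verdicts are checked in the same spirit.

```python
import base64
import json
from typing import Dict, List

# Assumed backend policy for the drone app (constructed sample values).
EXPECTED_PACKAGE = "com.example.dronecontroller"
EXPECTED_CERT_DIGESTS = {"8P1sW0EPJcslw7UzRsiXL64w+O50Ed+RBICtay1g24M="}  # base64 SHA-256 of our signing cert
MAX_AGE_MS = 2 * 60 * 1000   # an attestation older than this is treated as replayed
NONCE = base64.b64encode(b"server-generated-random-nonce-0001").decode()  # one fresh nonce per request
NOW_MS = 1_505_000_000_000   # frozen clock so the example is deterministic


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_jws(token: str):
    """Decode header and payload of a compact JWS. Signature and x5c chain
    verification are assumed to have been done before this is called."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_attestation(payload: Dict, expected_nonce: str, now_ms: int,
                      expected_package: str = EXPECTED_PACKAGE,
                      expected_cert_digests=EXPECTED_CERT_DIGESTS,
                      max_age_ms: int = MAX_AGE_MS) -> List[str]:
    """Return the policy violations; an empty list means the device and app look intact."""
    problems = []
    if payload.get("nonce") != expected_nonce:
        problems.append("nonce mismatch: attestation replayed or made for another request")
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= max_age_ms:
        problems.append("timestampMs stale or in the future")
    if payload.get("apkPackageName") != expected_package:
        problems.append("apkPackageName is not our app")
    digests = set(payload.get("apkCertificateDigestSha256") or [])
    if not digests or not digests <= expected_cert_digests:
        problems.append("apk signing certificate unknown: repackaged or re-signed app")
    if payload.get("basicIntegrity") is not True:
        problems.append("basicIntegrity false: rooted, tampered or emulated device")
    if payload.get("ctsProfileMatch") is not True:
        problems.append("ctsProfileMatch false: uncertified device or unlocked bootloader")
    return problems


def sample_payload(**overrides) -> Dict:
    """Constructed attestation payload shaped like a real SafetyNet response."""
    payload = {
        "nonce": NONCE,
        "timestampMs": NOW_MS - 5_000,
        "apkPackageName": EXPECTED_PACKAGE,
        "apkCertificateDigestSha256": sorted(EXPECTED_CERT_DIGESTS),
        "ctsProfileMatch": True,
        "basicIntegrity": True,
    }
    payload.update(overrides)
    return payload


def make_sample_jws(payload: Dict) -> str:
    """Build a compact JWS with a dummy signature so split_jws() has input to parse."""
    header = {"alg": "RS256", "x5c": ["certificate chain omitted in this example"]}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"dummy-signature")])


if __name__ == "__main__":
    _, claims = split_jws(make_sample_jws(sample_payload(basicIntegrity=False)))
    print(check_attestation(claims, NONCE, NOW_MS))
```

The nonce and certificate-digest checks matter as much as the integrity flags: without them an attacker can replay a genuine attestation from a clean phone, or present one for a repackaged copy of the app.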

Bad News

• Tools are still evolving


08.Resources Q&A

Q&A

[email protected]

• @godfreynolan

• riis.com/blog

• slides.com/godfreynolan
