Introducing the 0x00Drone


(Community & PR manager) #1

CURRENT STATUS: PROTOTYPE DEVELOPMENT


Hello 0x00Sec. Many of you follow my Twitter. If so, you may have noticed me dropping a few hints about a DIY project: the 0x00Drone. Today, the other team members (@Leeky and @ricksanchez) and I have decided that we have come far enough in our pre-research phase and that we are ready to introduce the concept to the public.

This thread will serve as our main communication channel to the 0x00sec community about our little project. I therefore ask @pry0cc to lift the automatic closing of the topic one time for as long as the project’s development lasts.

Be sure to check this first post regularly because I will edit it often!


First a word of apology

I know that I’ve tweeted about the project a lot and then suddenly the news stopped flowing in after the first prototype PCB had been designed. For that I am sorry. All 3 of us recently had a busy period with school and work, so none of us could do anything to aid the project. Right now we can take a break from those and continue on the project in a better way than before.


What is the 0x00Drone?

The 0x00Drone is a joint effort between three core members of 0x00sec to weaponize a drone for hacking purposes, in the name of 0x00sec. Now this has already been done before by some people, but what sets us apart from the others is that we want to make the 0x00Drone as compact and stealthy as possible, specially designed for red teamers and covert-ops on big companies. The 0x00Drone uses the DJI Mavic (either Air or Pro) as our drone. It features:

  • A long flight time. According to my estimates, with our “package” attached to the drone, the flight time will be no less than 15-20 minutes
  • The drone has a long range, from 5 to 7 km!
  • The drone has a high resolution camera for all your physical recon needs.
  • The drone is capable of following a human being, perfect for tracking individuals.
  • But the most important reason why we chose to mod this drone is that both drones can be folded to the size of a water bottle! This allows for low-profile attacks because you can just put the drone in one pocket and our hacking package in another pocket. You can walk close to any facility without looking suspicious (unlike other weaponized drones that are a big red flag because you can’t put them away easily). Then when you are close enough you hide, unfold the drone, attach the 0x00Drone package to it, and take off!
  • Another reason why we have chosen this drone is because we already have firmware samples available for it that are ready to be modded. That’s right, we may or may not write custom firmware for the drone.

The only con to this drone is that it may be expensive to build; we are guessing at around 1k€. We assume that a red teamer (for whom this drone is mainly intended) will have such a budget available if he is hunting big game.


The hacking package

The 0x00Drone consists of two parts:

  • The drone, as we have already discussed above.
  • The hacking package.

The hacking package is a micro-computer (like a Raspberry Pi) that is attached to the drone and communicates with the attacker over 3G/4G data networks, thus making it completely independent from the drone. This allows the hacking package to be ejected from the drone. This is extremely handy to make physical backdoors because the package can survive for up to a week on its own.

The hacking package is what contains the Linux OS and will be used for hacking. We are still unsure about which microcomputer we want to use, but atm it looks like it will be a Raspberry Pi.

The hacking package is supposed to be ejectable from the drone and to be picked up again.

Furthermore, @Leeky is the software engineer of the crew and handles the software on the micro-computer. He has made it possible to let the package communicate with the attacker over a Tor hidden service, so even when captured and if the self-destruct fails, they only have limited proof against you.

Below is a badly-drawn communication architecture of the 0x00Drone made by me. The “0x00Drone framework” is a misleading name: it is just a CLI app to communicate with the package that contains some custom scripts.

I am the hardware designer of the crew. Currently I am developing a self-destruct mechanism to destroy the SIM card since that is the only thing that could lead back to you. The best approach to this is by blowing up a capacitor. The self-destruct has two modes: normal and paranoid. In normal mode, you can request a snap from the on-board RPi camera and then choose to destroy the evidence. In paranoid mode, you will be sent an alert and a snap from the camera if the camera detects any movement. If you don’t respond within 30 seconds of when the alarm was first triggered, it will continue to blow up anyway. This self-destruct is only useful when the hacking package has been ejected from the drone and is serving as a physical backdoor.


Firmware

@ricksanchez has obtained firmware for the drone. What this might allow us to do is that the hacking package can directly interact with the drone and the other way around. There is certainly a use for this.


FAQ

When will the first prototype be released?

When it is done.

When will the first prototype be done?

When it is released.

Will the project be open source?

Of course it will be! You can find us on our Gitlab (ADDRESS WILL BE ADDED HERE LATER)

When will the Gitlab repository be created?

As soon as any of the team members have any significant files or changes to contribute.

How does the self destruct work?

Electrolytic capacitors have a constant polarity. If you put a reversed polarity over them, they blow up. The more voltage you put over it and the bigger the capacity of the capacitor, the bigger the boom. Since the SIM card is the only thing that has to be blown up (the SD card of the hacking package is encrypted with LUKS), we tape the capacitor around the external antenna. In case of emergency, we put a high-voltage reverse polarity over the capacitor to blow it up.

Isn’t an exploding capacitor dangerous for injuries?

Yes, but it is still way less harmful than napalm or thermite, which was also an option.

Who does what?

Phoenix750 makes the customized hardware and programs the main microcontroller for said hardware.

Leeky is working on the software that is present on the micro-computer and the attacker’s device.

ricksanchez keeps himself busy with decoding and modifying the firmware that is already flashed into the drone for our use.

Can we aid the project?

Of course you can! Here’s how:

  • When we feel confident in making a prototype we will open a crowdfunding campaign. You can donate.
  • Give ideas for features.
  • If you have made a modification to our software, please contact one of us and we will have a look if we can merge it.
  • Cheer us on from time to time. Monkeys need motivation to do their tricks :wink:

FAQ is still under construction!


Features you can expect in the future:

  • Paratrooper mode: at the moment, the only way to detach the hacking package from the drone is by landing the drone first. Uncoupling it in the air will smash the hacking package to the ground and break it. Inspired by the way that military paratroopers jump in real life, I intend to make a parachute system with either a static line or with height sensors, so the hacking package can be dropped in mid-flight. With height sensors it should be easier hardware-wise, with a static line it should be easier software-wise. With height sensors the stealth factor also increases because we can do a HALO-drop that way.

We need your help!

We are still looking for help from within the community. I need someone who is familiar with 3D printers and is able to design 3D printed objects. We need a case around the pi to protect it from the weather and also a system to attach the coupling system to the drone.


#2

Wow, I’ve always wanted to make something like this. Was the project inspired by Watch Dogs 2 at all?


(Community & PR manager) #3

Yes, it is where I got the idea from.


(the real skid shady) #4

I have a coworker who is always trying to find something to print; if you’re interested I can pass this along. Do you have your own designs or will he need to find/make them?


(Community & PR manager) #5

I don’t have my own designs because I don’t know how to make them. However if he can’t be bothered with making them, I can learn to do it myself.

However, the printing is not so urgent. We first need to know how large the final package will be.


(the real skid shady) #6

Gotcha. I’ll see if he does designs; I’m not sure how far into modelling he got.


(Frey) #7

What are you using as a brain?


(Community & PR manager) #8

See the post & image above.

At the moment the drone stands completely independent from the hacking package, which takes care of all the hacking.


(Frey) #9

Oh alright… sounds cool. Bookmarking this page for future reference.


(3,4,5-trimethoxyphenethylamine) #10

Could you send me the FCC ID of the drone for me to see what kind of wireless capabilities it has? Perhaps it would be cool to make an SDR version of the remote, this way the drone could be automatically controlled with a PC. It could even be atomized, like a satellite.


(Community & PR manager) #11

@FFY00 Do you mean this? https://fccid.io/SS3-M1P1607


(3,4,5-trimethoxyphenethylamine) #12

Exactly! It seems to use 2.4GHz for the standard drone controller and 2.4/5GHz WiFi for other operations. Depending on the chips used, it could be possible to implement a custom protocol.


(Community & PR manager) #13

We have the firmware ready to be modded. We can implement extra functions that way too.


(Community & PR manager) #14

I have updated the FAQ with questions that have been asked on IRC.