
You can't fix idiots, you can't stop them.  Laws just make them go underground.  People are amazingly resilient and often willing to put a lot of effort into circumventing attempts to restrict their action.  Morons are still lighting up aircraft with laser pointers.  Tried to regulate CB radios, that didn't seem to help at all.  Low power radio... they gave up banning that.. etc..  Once the equipment is available to people for a price they will pay, the cat is out of the bag.

IMO emergency services need to actively seek out penetration testers, white hat hackers, etc..   Give emergency responders tools to jam/destroy or otherwise render drones inoperable.  Solve the actual problem without creating another bureaucracy.  

I screwed with an idiot flying one outside my house last year, it was a cheap WIFI controller model.  All it took to take it down was pointing a directional antenna connected to a 2.4 GHz fuzzer (legal equipment I use to test hardware).  It stopped immediately and landed.  Turn off fuzzer, and his remote would connect he'd fly again... I did it again and again until he left the area...    Obviously this wouldn't work on all of them, however the consumer grade drones I've seen are all very weak as far as security.   Pro drones may not be any better, I wouldn't be at all surprised.  The frequencies used aren't going to interfere with aircraft or communications systems.

There are of course the more amusing methods, birds of prey seem to enjoy taking down drones.  ;-)


You are right, you can't stop all of them. It has always been that way with people, but I don't think we can let this go on. I dunno what the answer is.

I don't think we want to deputize hackers, I wouldn't want one working on a major disaster with me. I've been in a number of those Unified Incident Command events, and the last thing we needed would be an outside entity without the training or networking, or accountability to anyone wandering around with that level of access or authority. Whoever is tasked with this is going to have to have some sort of authority, because with it comes responsibility and accountability, and we are gonna want all of that. I can see tasking someone in IT crimes with setting up a program to create a method of doing what you did with the fuzzer but on a bigger scale, and when the FAA creates a no fly zone at that point word goes out that the area will be a no fly zone for non official aircraft of any kind for the duration of the event. Then shut it down, with severe penalties for ignoring the law.

I worked for the .gov for a long time and believe me another level of bureaucracy  isn't something I like either, but we the people need to be able to hold the people implementing the fix accountable, and I don't know how to do it if they don't have something on the line. Like their job, fer instance.

I am with you on the more amusing ideas... I have a friend in another area who had some clown flying one around and trying to catch his wife through the windows of their house. Called the cops, filed an info report. They had several other instances with the same facts, but no suggestions.

One day he heard the thing coming and had her go into the den in front of the window. She kept the pilot's attention and he went out in front of the window, behind the drone, with the cargo net from her SUV. He caught it and turned the thing in. Apparently the pilot decided not to go claim it.

Looking at DJI products and it appears registration is already a fact. Lovely.

The prices have come down a bunch. I remember when you were going to have to spend over $1200 for a good machine, that price is now about half that number. I need to do some more research on this....


I wasn't proposing deputizing hackers, none I've ever met would take the job.  Point is that there are resources available to develop systems that could deal with this problem very easily, systems that could be fully automatic and deployed on fire fighting aircraft. 

14 hours ago, braindead0 said:

It already has a remote, adding a small LCD screen and the support hardware wouldn't add much to the cost.   I'm not going to upgrade my phone AND run an insecure/overprivileged app on it for functionality that IMO should not assume everyone carries around a supported phone.  I'll pass.

If this list of permissions doesn't make you nervous...  I've added a * after all of these permissions that are commonly used as attack and malware propagation vectors and # on the ones that the app has no legitimate reason to access, and can be a privacy/security risk

 

Version 4.1.18 can access:
Device & app history
  • retrieve running apps*
  • read sensitive log data#
Identity
  • find accounts on the device# *
  • add or remove accounts# *
Contacts
  • find accounts on the device#
Location
  • approximate location (network-based)
  • precise location (GPS and network-based)
Phone
  • directly call phone numbers# *
  • read phone status and identity# *
Photos/Media/Files
  • access USB storage filesystem
  • read the contents of your USB storage
  • modify or delete the contents of your USB storage
Storage
  • read the contents of your USB storage
  • modify or delete the contents of your USB storage
Camera
  • take pictures and videos
Microphone
  • record audio ??
Wi-Fi connection information
  • view Wi-Fi connections
Device ID & call information
  • read phone status and identity#

 

Other
  • Access download manager.#
  • download files without notification#
  • full license to interact across users#
  • manage document storage#
  • control media playback and metadata access#
  • close other apps#
  • view network connections
  • read battery statistics
  • pair with Bluetooth devices# *
  • access Bluetooth settings# *
  • send sticky broadcast# *
  • change system display settings*
  • change network connectivity# *
  • connect and disconnect from Wi-Fi# *
  • control flashlight
  • full network access *
  • close other apps *
  • run at startup *
  • draw over other apps *
  • use accounts on the device * #
  • control vibration
  • prevent device from sleeping
  • modify system settings * #
  • add words to user-defined dictionary * #
  • Google Play license check*
  • read Google service configuration*

Audit the rest of your apps, and report back. 

But, this is why I said >10 years ago, only a fool will put sensitive information on a black box 'smart' device.  Root my phone?  Have fun.  Nothing to see/grab/use. 
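The permission list quoted above can be checked mechanically against an app's manifest. This is an added example, not part of either post and not the app's own code: it buckets the permissions a decoded text `AndroidManifest.xml` requests by the `#` / `*` marks the quoted post assigned. The mapping from the store's labels to `android.permission.*` constants, the sample manifest and the package name `com.example.dronecontrol` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Part of the post's list, mapped here (our assumption) to Android constants.
# "#" = poster sees no legitimate need, "*" = poster calls it a common
# attack vector, "" = listed in the post without a mark.
POST_MARKS = {
    "READ_LOGS": "#", "GET_ACCOUNTS": "#*", "MANAGE_ACCOUNTS": "#*",
    "CALL_PHONE": "#*", "READ_PHONE_STATE": "#*", "BLUETOOTH_ADMIN": "#*",
    "BROADCAST_STICKY": "#*", "CHANGE_WIFI_STATE": "#*", "WRITE_SETTINGS": "#*",
    "GET_TASKS": "*", "INTERNET": "*", "RECEIVE_BOOT_COMPLETED": "*",
    "SYSTEM_ALERT_WINDOW": "*", "CAMERA": "", "ACCESS_FINE_LOCATION": "",
}

# Constructed sample manifest (hypothetical package, not the real app's).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dronecontrol">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission-sdk-23 android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="com.example.dronecontrol.permission.CAMERA"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Sorted, de-duplicated permission names requested by a text manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            names.add(el.get(ANDROID_NS + "name", ""))
    names.discard("")
    return sorted(names)

def audit(manifest_xml):
    """Bucket each requested permission by the mark the post gave it."""
    report = {"unneeded": [], "vector_only": [], "unmarked": [], "not_in_table": []}
    for full in declared_permissions(manifest_xml):
        # Only platform permissions are looked up; custom ones stay unreviewed.
        short = full[len(PREFIX):] if full.startswith(PREFIX) else None
        mark = POST_MARKS.get(short)
        bucket = ("not_in_table" if mark is None else "unneeded" if "#" in mark
                  else "vector_only" if "*" in mark else "unmarked")
        report[bucket].append(full if mark is None else short)
    return report
```

Anything that lands in `not_in_table`, such as an app-defined permission that merely ends in a familiar name, still needs a manual look.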

17 minutes ago, desertdog said:

Audit the rest of your apps, and report back. 

But, this is why I said >10 years ago, only a fool will put sensitive information on a black box 'smart' device.  Root my phone?  Have fun.  Nothing to see/grab/use. 

The only apps installed on my phone were written by me, so I know that they do not have permissions that aren't necessary to the function.   I've reviewed the source for my firmware and it's clean (another reason I don't want to update phone, it'll take weeks to get the source and a couple more to review). 

There's more to this than data on your phone.  That application has permissions that would allow it to track your location 24x7 and upload your whereabouts via cell or wifi network.  In addition it could use BT/WIFI (surprised it doesn't have NFC as well) to discover other phones in the area, if it finds other phones that are accessible it could propagate malware in both directions.  Your phone could be an attack vector into other systems, phone.. network...etc..

Lack of care for security is what gives us the most damaging botnets.  'smart' phone apps are becoming more of an issue and it will get worse.  Keeps me working however I'd much rather be more productive.

Oh well, my systems are secure. 


A friend of mine has a drone, a DJI Phantom 4 Pro. Last summer we had two wildfires near here, both started two days apart and burned for a total of about six days. The local airport is a regular wildfire air support base for the entire region. My friend lives about six miles from the airport. When he attempted to fly his drone around his property (17 acres) his drone shut down and refused to fly. A pop up on his phone was visible with text that said in effect that due to the wildfire suppression activity his drone would not fly due to safety concerns. His drone would not operate for about three weeks.


DJI (and presumably other manufacturers) are trying to help the problem by implementing features such as that.  It'll help the accidental problem by an honest person, however these systems are easy to defeat.. I think the DJI's were hacked in about a week.   These keep the honest people honest, but IMO miss the mark and may cause people like your friend to seek out ways around it because the system doesn't work well.

Typically those blocks are location based, presumably he could have gone elsewhere and the drone would work...

On 12/7/2017 at 7:38 AM, braindead0 said:

The only apps installed on my phone were written by me, so I know that they do not have permissions that aren't necessary to the function.   I've reviewed the source for my firmware and it's clean (another reason I don't want to update phone, it'll take weeks to get the source and a couple more to review). 

There's more to this than data on your phone.  That application has permissions that would allow it to track your location 24x7 and upload your whereabouts via cell or wifi network.  In addition it could use BT/WIFI (surprised it doesn't have NFC as well) to discover other phones in the area, if it finds other phones that are accessible it could propagate malware in both directions.  Your phone could be an attack vector into other systems, phone.. network...etc..

Lack of care for security is what gives us the most damaging botnets.  'smart' phone apps are becoming more of an issue and it will get worse.  Keeps me working however I'd much rather be more productive.

Oh well, my systems are secure. 

You could use one of the alternative apps to control the drone.  There are a few to pick from, but I haven't bothered to investigate them much, yet.

There are reasonable precautions to take for anything in life.  What defines "reasonable" varies from person to person, being a subjective measure of balancing risks and benefits.  If you really think you're going to become the attack vector, then don't get a drone, or write your own controller software, or invent a better wheel, or just sit this one out. 

I'm going to strike a balance, somewhere between negligent and paranoid.  Having a phone with apps that only you have authored, and with code-reviewed firmware, goes well over the line for me.  It also goes well over the line of what's feasible and possible for most humans.  What you propose is an impossibility for 95% of the population.  


What I propose is that people should pay a little attention to what is installed on their phone, computers..etc.  Certainly most people cannot manage the level of security I can. 

I think anyone can read that list of permissions and plainly see that this software is over-reaching, most people don't even bother to read it I'm sure.

That being said having 95% of the population wide open for exploit makes securing systems much easier for me.. just don't be the low hanging fruit.  

I opened up a guest network here this last summer, just to see how many people are set up to blindly connect.    In one week I was able to compromise over 200 distinct devices, simply because they connected to my network.  The 'malware' in this case was benign, pinged back to me with a few details to identify individual hardware, then removed itself..  I could have used this foothold to do all manner of bad things to those people's devices, likely everyone they know and every network they connect to...  and so on.

You are correct, in the end it's all about the cost-benefit analysis.   Problem is that people don't factor in externalized costs to other systems.  For example when someone brings malware into the workplace the costs will affect their job in one way or another... someone has to pay the price.  That latter scenario happens much more often than people realize, most aren't reported because it's bad publicity. 
