Dronetag v1.5.2 CVE-2024-22520
The Drone Scanner App is a complementary application for Dronetag hardware, which is a transmitter.Drone scanner App has been downloaded 50,000 times on Google Play.
Drone Scanner is an application designed to scan the surrounding environment to obtain data from unmanned aerial vehicles' broadcasts, such as identity and location. It collects data and presents it to users on a map.
Drone Scanner can track all aircraft nearby using the Direct Remote ID standard. It provides real-time data of drones on a detailed map, highlighting specific flight areas. Devices that can be viewed include drones broadcasting remote identification according to the requirements of the Federal Aviation Administration (FAA) and the European Union, as well as devices equipped with a drone tag (an additional transmitter).
The Drone Scanner App receives data packets generated by Dronetag devices mounted on drones, following the Droneid protocol, and displays detailed information about nearby drones on the user's mobile device.
Attackers can craft such data packets themselves and broadcast them using a transmitter. The app does not authenticate the authenticity of the data packets and directly displays them on the mobile interface.
- Attackers can launch a flood attack, generating a large number of ghost drone signals, thereby preventing users from identifying genuine drone signals in the app.
- Attackers can impersonate benign Remote ID signals, concealing their identity and engaging in illicit activities.
This goes against the original design intent of Dronetag and poses a security risk, impacting government efforts to regulate and secure unmanned aerial vehicles, leading to safety incidents.
- Write code to control the format of WiFi or Bluetooth packets as per requirements and burn the code into a microcontroller with WiFi or Bluetooth modules.
- On the app, detect the ghost drone signal we've set, including Remote ID, drone location, posture, speed, and other information.
Testing vulnerability on esp32-s3 microcontroller and Dronetag v1.5.2
Method one:
- Download Drone Scanner from google Play
- Directly burn the modified RemoteID.bin file in the directory into the microcontroller.
- Start the microcontroller. it will broadcast the fake drone information that I previously set.
I changed the drone id to ABCD123456789 (These pieces of information were originally designed for law enforcement to detect unauthorized drones):
Here is the video about testing:
verify.the.vulnerability.mp4
Method two: You can modify and build the microcontroller code yourself to send the content you specify.
-
Download ArduRemoteID source code, https://github.com/ArduPilot/ArduRemoteID
-
By modifying the default value of wifi_rate in the /home/iko/arduremoteid/RemoteIDModule/RemoteIDModule.ino file, trigger the function to make the microcontroller broadcast WiFi beacon packets.
-
Use the network card in promiscuous mode to capture the broadcasted beacon packets, which can be set on channel 6 within the range of channels 1-13. The app can receive the RemoteID from the WiFi beacon.
-
Then, modify parameters such as location and RemoteID according to your preferences.
- Use the microcontroller burning software to flash the generated bin file into the microcontroller.https://www.espressif.com/en/support/download/other-tools
CNVD(China National Vulnerability Database) has assigned a vulnerability identifier to this issue (CNVD-C-2023-940819) and plans to publicly disclose it on January 4, 2024.
