Taking over a DSMx receiver in flight
27 Oct 2016 13:05 #55438
by hexfet
Taking over a DSMx receiver in flight was created by hexfet
27 Oct 2016 20:22 - 27 Oct 2016 20:24 #55458
by HappyHarry
Replied by HappyHarry on topic Taking over a DSMx receiver in flight
I think it's similar to a MITM attack: they listen to the traffic, work out the TXID and the channel hopping sequence, then by sending the packets just ahead of the original TX take over control. I think a quick way to stop this is to obfuscate/encrypt the TXID, but I don't know enough about the protocol to know if this would work. But reading the article, they say the timing attack is the simplest of their methods and they have more complex hacks already working, and that this method will work on all existing protocols, not just DSMx :/
Last edit: 27 Oct 2016 20:24 by HappyHarry.
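HappyHarry's idea of encrypting or otherwise protecting the TXID, worked through as an added example that is not from this thread, the article, or any real RC protocol: a toy control link in Python where every frame carries a frame counter and a keyed MAC. The TXID still goes over the air in clear so the receiver can filter cheaply, but a second transmitter that only copied the TXID has no bind key and its frames fail the tag check, and a captured legitimate frame played back later fails the counter check. The frame layout, field sizes, bind key and TXID are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Toy model of an authenticated RC control frame (constructed for this example;
# it is not the DSMx frame format and the field sizes are assumptions).
#   txid (4 bytes) | frame counter (4 bytes) | 4 channels (4 x 2 bytes) | tag (8 bytes)
# The TXID stays in clear so the receiver can filter frames cheaply; the tag is
# what a cloned TXID cannot reproduce without the key shared at bind time.
TAG_LEN = 8
BODY_FMT = ">II4H"
BODY_LEN = struct.calcsize(BODY_FMT)  # 16 bytes before the tag


def make_frame(key: bytes, txid: int, counter: int, channels) -> bytes:
    """Build one control frame: packed body plus a truncated HMAC-SHA256 tag."""
    body = struct.pack(BODY_FMT, txid, counter, *channels)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Receiver bound to one TXID and one key; accepts only fresh, authentic frames."""

    def __init__(self, key: bytes, txid: int):
        self.key = key
        self.txid = txid
        self.last_counter = -1      # highest counter accepted so far
        self.channels = None        # channel values from the last accepted frame
        self.accepted = 0
        self.rejected = 0           # frames carrying our TXID that failed a check

    def accept(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        txid, counter = struct.unpack(">II", body[:8])
        if txid != self.txid:
            return False            # some other model's traffic; ignored silently
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            self.rejected += 1      # right TXID, wrong key: a cloned transmitter
            return False
        if counter <= self.last_counter:
            self.rejected += 1      # stale or replayed frame
            return False
        # Gaps in the counter are fine (lost frames); only going backwards is refused.
        self.last_counter = counter
        self.channels = struct.unpack(">4H", body[8:BODY_LEN])
        self.accepted += 1
        return True


def demo():
    """Three legit frames, one cloned-TXID frame, one replay; returns what the receiver did."""
    bind_key = bytes(range(16))             # constructed bind key (shared at bind time)
    txid = 0x1A2B3C4D                       # constructed TXID
    rx = Receiver(bind_key, txid)

    legit = [make_frame(bind_key, txid, n, (1024, 1024, 1500, 342)) for n in (1, 2, 3)]
    results = [rx.accept(f) for f in legit]

    # A second transmitter that copied the TXID but does not hold the bind key.
    clone = make_frame(b"not-the-bind-key", txid, 99, (2047, 1024, 1024, 342))
    results.append(rx.accept(clone))

    # A captured legitimate frame (counter 2) sent again after counter 3 was accepted.
    results.append(rx.accept(legit[1]))

    return {"results": results, "accepted": rx.accepted, "rejected": rx.rejected,
            "channels": rx.channels, "last_counter": rx.last_counter}


if __name__ == "__main__":
    print(demo())
```

A real link would have to fit the counter and tag into its frame budget and deliver the key during binding, and it would need a tolerance window if frames can arrive out of order. Authentication of this kind only addresses a cloned transmitter; it does nothing against a jammer that simply denies the channel and drops the receiver into failsafe.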
28 Oct 2016 12:45 #55475
by Cereal_Killer
Taranis X9E | DEVO 10 | Devo U7E | Taranis Q7
What I do in real life: rivergoequestrian.com/
Replied by Cereal_Killer on topic Taking over a DSMx receiver in flight
I'm afraid there must be some [illegal] jamming going on, at least for a brief period, and here's why I say this:
As we all know, we can force control over our TXIDs to not have to re-bind between Devo transmitters. When you do this and you're flying and you switch on the 2nd Devo (with identical TXID), does the first lose control? Absolutely not...
All that happens is if/when you do switch off the first TX, the second one INSTANTLY has control (zero delay and zero glitch; it's a seamless transition).
I feel just capturing the TXID and copying it wouldn't net you a take-over attack without first disrupting comms from the real TX to the model. I believe there must be jamming for at least that last second, right when the attacker initiates the first flight commands he expects the model to reply to...
Again, I've personally confirmed MULTIPLE TIMES, just firing up a TX with an identical TXID does not net a take over; you MUST break communication between the original transmitter and the model.
28 Oct 2016 13:20 - 28 Oct 2016 13:30 #55476
by Fernandez
Replied by Fernandez on topic Taking over a DSMx receiver in flight
But what if you time shift slightly sooner, so first you synchronise the dummy transmitter with the original transmitter, then start the secondary transmitter slightly upfront, time shifted, so the new signal arrives first to take over the original signal?
I am wondering, in a 2.4GHz crowded environment, with WiFi, Bluetooth and possibly many drones with different RF protocols, chipsets etc. flying around, are you able to determine the different signals?
In addition to detecting what chipset is in use and what mode it is in, then finding the hopping pattern etc. out of the air on the fly? Then, last but not least, flying the unknown drone? Finding where the throttle and rudder are, how the flight control rates, arm switches etc. are mapped, all on the fly?
Personally I think it is done in a lab environment, one TX active, where they know the chipset, the drone etc. very well. Maybe once a software tool/database for all RF protocols and common systems around is developed, the system can determine it?
But hacking any drone on the fly in the air, and landing it when the drone comes in? Don't think so.
Just a high power 2.4GHz jammer should be able to get any RX into failsafe?
But then there are drones flying on waypoints that do not need any RX....
Also there are long range drones out there that just use the 3G/4G cell network.
Last edit: 28 Oct 2016 13:30 by Fernandez.