The DJI Mavic Pro drone supports two modes of wireless operation:
- Wi-Fi: 2.4–2.4835 GHz; 5.725–5.850 GHz
- SRRC: 2.4–2.4835 GHz; 5.725–5.850 GHz
Since we are just getting started, we won't deal with SDRs yet. So we switch the drone into Wi-Fi operation mode and continue. The idea:
- Connect the notebook to the wireless drone network
- Create a fake drone AP on the same wireless network card
- Connect the drone’s operator phone to the fake AP
- Tunnel all packets from AP to the drone
Gathering Wifi details
During normal operation, the drone exposes its SSID Mavic-3be509 and, more interestingly, uses WPA2 with the CCMP cipher. Hence, we configure our fake drone AP to match this configuration exactly.
Faking Drone Network
My network interface is wlp6s0, as gathered from ipconfig.
sudo apt install bash util-linux procps hostapd iproute2 iw wireless-tools haveged iptables dnsmasq git
cd ~/Downloads/
git clone https://github.com/oblique/create_ap.git
cd create_ap
sudo make install
# same interface as both AP and uplink, so create_ap spawns the virtual ap0 interface;
# the prose above names the card wlp6s0, use whatever your own interface is called
create_ap wlp1s0 wlp1s0 Drone 12345678 -w 2
We now connect a client to our Drone network and receive the following output:
create_ap also takes care of tunneling all the traffic. The default option is -m nat for NAT; -w 2 selects WPA2.
We connect the notebook to the drone, create an AP and connect the phone to that AP; then we launch the app and see what happens. As it seems, the communication works just fine, hence no additional security measures have been put in place against such a MITM attack.
As it went much more smoothly than expected, we can proceed to dump all network packets to disk for further analysis, since one of our goals is to introduce 'fake' packets in-between the normal communication flow.
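The fact that the phone happily attaches to a second AP broadcasting the drone's SSID is exactly what an operator-side check can catch. The following is an added example, not code from the original post or from DJI or create_ap: it parses the kind of output `iw dev <iface> scan` and `iw dev <iface> link` produce, flags every BSSID other than the one we paired with that advertises the drone's SSID, flags any such twin not using WPA2/CCMP, and verifies the current link still points at the trusted BSSID. The scan and link texts are constructed stand-ins, and all BSSIDs in them are made up.

```python
"""Evil-twin check for a Wi-Fi drone link (added example, not from the post).

Flags a second BSSID advertising the drone's SSID, any such twin whose security
is not WPA2/CCMP, and a link that is attached to an unexpected BSSID.  SAMPLE_SCAN
and SAMPLE_LINK are constructed stand-ins for `iw dev <iface> scan` / `iw dev
<iface> link` output; every BSSID below is made up.
"""
import re
from dataclasses import dataclass, field

EXPECTED_SSID = "Mavic-3be509"  # SSID observed on the page

# Constructed sample scan: the real drone AP, a twin on another channel with the
# same SSID and security, an open twin, and an unrelated network.
SAMPLE_SCAN = """\
BSS 60:60:1f:aa:bb:01(on wlp6s0)
\tfreq: 2412
\tsignal: -45.00 dBm
\tSSID: Mavic-3be509
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
BSS 02:11:22:33:44:55(on wlp6s0)
\tfreq: 2437
\tsignal: -30.00 dBm
\tSSID: Mavic-3be509
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
BSS 02:66:77:88:99:aa(on wlp6s0)
\tfreq: 2462
\tsignal: -50.00 dBm
\tSSID: Mavic-3be509
BSS 10:20:30:40:50:60(on wlp6s0)
\tfreq: 5180
\tsignal: -70.00 dBm
\tSSID: HomeNet
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
"""

# Constructed sample link: the phone ended up on the louder twin, not the drone.
SAMPLE_LINK = "Connected to 02:11:22:33:44:55 (on wlp6s0)\n\tSSID: Mavic-3be509\n\tfreq: 2437\n"


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    freq: int = 0
    signal: float = 0.0
    rsn: bool = False                 # RSN (WPA2) information element present
    ciphers: list = field(default_factory=list)  # pairwise ciphers advertised


def parse_iw_scan(text):
    """Parse the subset of `iw ... scan` output needed here: one Bss per 'BSS' line."""
    bsses, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^BSS ([0-9a-f:]{17})", line)
        if m:
            cur = Bss(bssid=m.group(1))
            bsses.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur.ssid = s[5:].strip()
        elif s.startswith("freq:"):
            cur.freq = int(float(s[5:].strip()))
        elif s.startswith("signal:"):
            cur.signal = float(s.split()[1])
        elif s.startswith("RSN:"):
            cur.rsn = True
        elif s.startswith("* Pairwise ciphers:"):
            cur.ciphers.extend(s.split(":", 1)[1].split())
    return bsses


def find_evil_twins(bsses, known_bssid, expected_ssid=EXPECTED_SSID):
    """Return sorted (kind, bssid, freq) findings for BSSes advertising the drone's
    SSID: 'duplicate-ssid' for any BSSID other than the one we paired with, and
    'weak-security' for any twin that does not advertise WPA2 (RSN) with CCMP."""
    findings = []
    for b in bsses:
        if b.ssid != expected_ssid:
            continue
        if b.bssid != known_bssid:
            findings.append(("duplicate-ssid", b.bssid, b.freq))
        if not (b.rsn and "CCMP" in b.ciphers):
            findings.append(("weak-security", b.bssid, b.freq))
    return sorted(findings)


def connected_bssid(link_text):
    """BSSID from `iw ... link` output, or None when not associated."""
    m = re.search(r"^Connected to ([0-9a-f:]{17})", link_text, re.M)
    return m.group(1) if m else None


def link_is_trusted(link_text, known_bssid):
    """True only when the current association is to the BSSID we paired with."""
    return connected_bssid(link_text) == known_bssid


if __name__ == "__main__":
    known = "60:60:1f:aa:bb:01"  # BSSID recorded when the phone was first paired
    for kind, bssid, freq in find_evil_twins(parse_iw_scan(SAMPLE_SCAN), known):
        print(f"{kind:15} {bssid}  {freq} MHz")
    print("link trusted:", link_is_trusted(SAMPLE_LINK, known))
```

Matching on SSID and security alone is not enough, as the post shows, because the fake AP copies both; the only stable anchor the client side has is the BSSID (and, for stronger pinning, the drone's own certificate or key material, which this Wi-Fi link does not offer). Pinning the paired BSSID and refusing to roam to a louder twin is the cheap mitigation this check implements.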
sudo apt update && sudo apt install --assume-yes tcpdump
arp   # obtain the operator's IP address from the neighbour table
mkdir -p ~/Downloads/dumps
sudo tcpdump --interface=ap0 -n host 192.168.12.139 -w ~/Downloads/dumps/drone-idle.pcap
It doesn't matter whether we listen on wlp6s0 or on the AP adapter called ap0, as neither should receive too many broadcasts. Moreover, we filter directly on the operator's smartphone's IP address with host 192.168.12.139; -n disables DNS resolution.