Writing Secure Mobile Apps for Drones
Posted on 21-Jan-2018
Presentation Overview
• How to hack a drone
• Famous Drone Hacks
• Mobile Apps
• Manufacturer’s SDKs
• Top 10 Mobile Security Risks
• Best Practices
• Resources
9/11/2017 Writing Secure Mobile Apps 2
How to hack a drone
• Connect via Wi-Fi (ssh/telnet)
• Using RF (GNU Radio/HackRF)
• Hijack video
• Physical attack
• Jamming
• Mobile apps
Manufacturer’s SDKs
OWASP Top 10 Mobile Security Risks
• M1 – Improper Platform Usage
• M2 – Insecure Data Storage
• M3 – Insecure Communication
• M4 – Insecure Authentication
• M5 – Insecure Cryptography
• M6 – Insecure Authorization
• M7 – Poor Code Quality
• M8 – Code Tampering
• M9 – Reverse Engineering
• M10 – Extraneous Functionality
M2 – Insecure Data Storage
• Don’t store passwords, SSNs etc.
• Use multi-factor authentication
• Client and Server side access control
• "Sensitive data should be encrypted and very sensitive data should be stored on server" - Zapata
Best Practices
• Don’t store any sensitive user info locally
• No hard-coded API keys
• Use SSL pinning and the SafetyNet API
• Expire sessions
• Trust but verify
• Turn on obfuscation
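The two practices that most often go wrong in drone companion apps are "no hard-coded API keys" and "use SSL pinning". The following is an added example, not code from the talk or from any drone vendor's SDK: an Android-style OkHttp client that pins the vendor API's certificate (primary plus backup pin) and sends a session token obtained at login instead of a baked-in secret. The host name, pin values and the `/v1/telemetry` path are placeholders, and the OkHttp dependency is assumed to be on the classpath.

```java
// Added example (not from the talk): OkHttp client with certificate pinning.
// API_HOST, both pins and the telemetry path are placeholders, not real values.
import java.io.IOException;
import java.security.cert.Certificate;

import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedApiClient {
    // Placeholder host of the drone vendor's cloud API (assumption).
    static final String API_HOST = "api.example-drone-vendor.invalid";

    // SPKI SHA-256 pins in OkHttp's "sha256/<base64>" format. Placeholders:
    // obtain real values with pinFor(cert) against the vendor's leaf or
    // intermediate certificate during development. Always ship a backup pin
    // so a certificate rotation does not lock out every installed app.
    static final String PIN_PRIMARY = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private final OkHttpClient client;

    PinnedApiClient() {
        // Both pins are accepted; any other chain fails the handshake.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_PRIMARY)
                .add(API_HOST, PIN_BACKUP)
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Pin string for a certificate observed during development (OkHttp helper). */
    static String pinFor(Certificate cert) {
        return CertificatePinner.pin(cert);
    }

    /**
     * Fetches telemetry with a short-lived session token obtained at login.
     * The token is held in memory by the caller; nothing secret is a constant
     * in the APK, so reverse engineering the app yields no reusable credential.
     */
    String fetchTelemetry(String sessionToken) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/v1/telemetry")
                .header("Authorization", "Bearer " + sessionToken)
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("HTTP " + response.code());
            }
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch: the chain presented is not the one we expect
            // (possible interception). Fail closed; never retry unpinned.
            throw e;
        }
    }
}
```

Pinning only helps if the app has no unpinned fallback path, so the `SSLPeerUnverifiedException` is rethrown rather than swallowed, and the backup pin is what lets the vendor rotate certificates without a forced app update.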
Good News
• Google and Apple are starting to help
• SafetyNet attestation reports whether a phone is rooted
Resources
http://developer.dji.com
http://developer.3dr.com
http://developer.yuneec.com
http://developer.parrot.com
https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
https://slides.com/godfreynolan/bulletproofandroidmeetup
Q&A
• godfrey@riis.com
• @godfreynolan
• riis.com/blog
• slides.com/godfreynolan