Monday, May 22, 2017

Parrot Drone Reverse Engineering to View Camera Stream, Edit Settings, and Flash LED

My friend had a camera board out of some old Parrot quadcopter.  When powered on, it creates a wi-fi network that you connect to with your smartphone.  The user then downloads an app on their smartphone and can control the quadcopter and view the video.  As a fun project, I decided to find out how easy it is to view the camera feed without the app and see how much was open.  In the end, the project turned out to be really easy - there's no security.

We powered on the board from a 12V power supply and waited for it to boot.  It created a wi-fi network with a visible SSID.  I connected to the network with my laptop running MATE 14.04 with DHCP enabled and was assigned an IP address of 192.168.1.3.

The IP address of the camera board was found with `arp -a`, which was 192.168.1.1 for mine.

To see which ports were open, I ran `nmap 192.168.1.1`, which revealed three open ports: ftp, telnet, and port 5555, which nmap (incorrectly) identified as some sort of multiplayer Linux game.

The ftp server accepted an anonymous connection, but put me in an empty directory.  I'm assuming it's for sending firmware updates, so I didn't try much else from here.

Next, I investigated the mysterious port 5555.  I first pointed Windows Media Player at this port, and nothing happened.  Same with VLC.  Running `ffplay tcp://192.168.1.1:5555/` gave me a ~25 fps, 320x240 video stream with around 5 seconds of latency from the big camera.  You'll have to add the PPA for ffmpeg and install ffmpeg if you're on 14.04 - Ubuntu was dumb and switched to libav, which I still haven't gotten around to learning about.
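As an added example that is not part of the original post: instead of letting ffplay guess the format, you can pull the first bytes the board pushes on port 5555 yourself and classify them by well-known signatures (a JPEG SOI marker for a motion-JPEG stream, an MPEG-style start code for an H.264 Annex B or MPEG elementary stream). The host and port default to the values above; the `/dev/tcp` capture assumes bash on the laptop (not the board's busybox sh) and `timeout` from coreutils. The classifier itself only reads a file, so it is exercised here on constructed byte samples.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Usage: sh probe_stream.sh [HOST] [PORT]   (no arguments: run the self-check)

# classify_stream_bytes FILE
# Prints "mjpeg", "annexb-startcode" or "unknown" based on the first 64 bytes.
classify_stream_bytes() {
    # one line of lowercase hex bytes, each surrounded by single spaces
    hex=$(od -An -v -tx1 -N 64 "$1" | tr -s ' \n' ' ')
    case "$hex" in
        " ff d8 ff"*)        echo mjpeg ;;             # JPEG SOI marker at offset 0
        *" 00 00 01 "*)      echo annexb-startcode ;;  # 00 00 (00) 01 start code: H.264 Annex B / MPEG
        *)                   echo unknown ;;
    esac
}

# capture_stream_head HOST PORT OUTFILE
# Reads the first 64 bytes the server sends without any request from us,
# the same way ffplay opened tcp://HOST:PORT/ above.  Assumes bash's /dev/tcp.
capture_stream_head() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2; head -c 64 <&3 > '$3'"
}

# selfcheck: constructed samples (not captured from the board) to show the
# classifier's three outcomes; prints one label per line.
selfcheck() {
    f=$(mktemp)
    printf '\377\330\377\340\000\020JFIF' > "$f";   classify_stream_bytes "$f"   # JPEG header
    printf '\000\000\000\001\147\102\000' > "$f";   classify_stream_bytes "$f"   # Annex B SPS NAL
    printf 'hello world' > "$f";                    classify_stream_bytes "$f"   # plain text
    rm -f "$f"
}

if [ -n "${1:-}" ]; then
    out=$(mktemp)
    capture_stream_head "$1" "${2:-5555}" "$out"
    classify_stream_bytes "$out"
    rm -f "$out"
fi
```

Run it with the board's address to see which signature the live stream carries; run it with no arguments to see the three constructed cases. Only the first 64 bytes are inspected, so a container format that puts its signature later would be reported as unknown.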

Finally, I connected with telnet and got a busybox bash shell.  The board has a fairly complete basic Linux install and has things like grep and vi.  You can toggle the red/green on the LED just by running `echo 1 > /.....path_to_gpio....`.

The root user has no password, so you have full access to the system.  On its own that would usually be fine - ssh doesn't let users without passwords connect - but they set up telnet instead.  From a security standpoint, the telnet without a password is really dumb.  If somebody malicious gets root access, you're screwed.  They can delete everything on the device, retune your gains, or even mess with settings for the device's power management, which stand a good chance of damaging the hardware.  Even just running `rm -rf /` would leave the device unrecoverable for a consumer.
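As an added example, not part of the original post: the two findings above (root with an empty password, a telnet listener) can be checked from the board's own busybox shell, and, if you own the board, fixed. The audit functions read ordinary `/etc/passwd`, `/etc/shadow` and `inetd.conf` files, so they are shown here on constructed sample files. How this board actually starts telnetd is not known from the post; the inetd-based layout in `harden_board` is an assumption, as is a writable root filesystem.

```shell
#!/bin/sh
# Added example, not code from the original post or from Parrot.
# Usage: sh audit_board.sh audit     (check the live system)
#        sh audit_board.sh harden    (set a root password, disable telnet)

# root_password_empty PASSWD_FILE [SHADOW_FILE]
# True (exit 0) when root's password field is empty in the authoritative file:
# the shadow file if one is readable, otherwise passwd itself.
root_password_empty() {
    file="$1"
    if [ -n "${2:-}" ] && [ -r "$2" ]; then file="$2"; fi
    # field 2 of the root entry; "x" in passwd means "look in shadow",
    # "!" or "*" means locked, anything else is a hash
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$file")
    [ -z "$field" ]
}

# telnet_enabled_in_inetd INETD_CONF
# True when an uncommented telnet service line is present.
telnet_enabled_in_inetd() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1"
}

# telnetd_running : true when a telnetd process is listed by busybox ps
telnetd_running() {
    ps 2>/dev/null | grep -v grep | grep -q '[t]elnetd'
}

audit_board() {
    root_password_empty /etc/passwd /etc/shadow && echo "FINDING: root has an empty password"
    [ -f /etc/inetd.conf ] && telnet_enabled_in_inetd /etc/inetd.conf && \
        echo "FINDING: telnet enabled in /etc/inetd.conf"
    telnetd_running && echo "FINDING: telnetd is running"
    return 0
}

# Assumed layout: telnetd launched from /etc/inetd.conf on a writable rootfs.
# Note: disabling telnetd ends the very session you are typing this into, so
# set the password first and make sure you have another way in (serial, ssh).
harden_board() {
    passwd root                                   # busybox passwd prompts for the new password
    if [ -f /etc/inetd.conf ]; then
        sed -i 's/^\([[:space:]]*telnet[[:space:]]\)/#\1/' /etc/inetd.conf
    fi
    killall telnetd 2>/dev/null || true           # gone until reboot if a start script respawns it
}

case "${1:-}" in
    audit)  audit_board ;;
    harden) harden_board ;;
esac
```

The audit only reports; `harden_board` changes the system and assumes the rootfs is writable, which is not a given on an embedded board (a read-only squashfs would make `passwd` fail silently on the next boot). If the finding is "telnetd is running" but nothing in `inetd.conf` starts it, look in the board's init scripts for the launcher before relying on `killall`.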