Jun 11, 2014, 08:32 AM
Registered User
Thread OP
Discussion

Phantom 2 Vision+ and Vision owners please read


Hi Everyone,

Just a Public Service Announcement. A significant security flaw is in the wild and may allow people to severely affect the software and cyber-attack your Phantom Vision+ drones even while in flight.

The below is written for a technically savvy audience and just lays out the facts.

The Phantom Vision+ and WiFi repeater run a Linux-based operating system. All of the machines come from the factory with the same password set for the Root user. The Vision+'s root password is now in the public domain, and may allow people to hack into your Phantoms via WiFi. The worst case is complete deletion of your operating system's file system which would render your drone a paperweight.

Phantom Vision owners may want to check if the root password is the same as the Vision+'s; if so, then the Vision is vulnerable.

Phantom 1 and Phantom 2 (non-Vision) models without WiFi connectivity are not affected by this vulnerability.

I suggest you read this post, then log into your own Phantoms and change the root user password.

http://www.phantompilots.com/viewtopic.php?f=27&t=17568

DJI will likely issue a new firmware at some point to address this.

The upshot of this is that the current DJI Phantom is very amenable to user hacking and software modification (i.e. it is not a closed box). But I don't expect this to continue.

To change your root password:

1. Connect to your Phantom over WiFi using any computer
2. Run your favourite SSH client (e.g. PuTTY, SSH from terminal line in Mac/Linux)
3. Log into either:

- 192.168.1.1 (FC200-Vision+)
- 192.168.1.2 (WiFi repeater)

as user 'root', with the password listed in the PhantomPilots link.

4. Type 'passwd root'
5. Enter your new password twice
6. Password is now changed.
7. Type 'exit' to disconnect from SSH session
8. Repeat step 3-7 for the other device.

As the Phantom Vision+/Vision networks are open (not protected by WPA or WEP encryption), ANYONE can connect and log into your aerial system. If they manage to log in as the root user, they can:

- Shutdown all operating system processes which means the FPV goes down and the Phantom stops talking to your smart devices.

- Even scarier is the potential for complete erasure of the operating system's filesystem. This will probably mean bricking of the Phantom.

Conclusion: I advise all Vision+ owners (and Vision owners, if the root password is known) to change your passwords to prevent this type of attack.

Evidence for this post:

I logged in as root into my Vision+ today, and saw this:

I tried a nice and simple 'halt'. That stops the Phantom OS and straight away cuts the WiFi link.

root@…:/# ps
PID USER VSZ STAT COMMAND
1 root 1504 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [kworker/0:0]
5 root 0 SW< [kworker/0:0H]
6 root 0 SW [kworker/u:0]
7 root 0 SW< [kworker/u:0H]
8 root 0 SW< [khelper]
9 root 0 SW [kworker/u:1]
68 root 0 SW [bdi-default]
70 root 0 SW< [kblockd]
99 root 0 SW [kswapd0]
143 root 0 SW [fsnotify_mark]
157 root 0 SW< [ath79-spi]
215 root 0 SW< [deferwq]
216 root 0 SW [kworker/0:1]
381 root 0 SWN [jffs2_gcd_mtd3]
383 root 0 SW [flush-mtd-unmap]
398 root 1556 S {rcS} /bin/sh /etc/init.d/rcS S boot
399 root 1556 S {rcS} /bin/sh /etc/init.d/rcS S boot
400 root 1504 S logger -s -p 6 -t sysinit
421 root 0 SW [kworker/0:2]
427 root 0 SW< [cfg80211]
436 root 0 SW [khubd]
506 root 1516 S /sbin/syslogd -C16
508 root 1496 S /sbin/klogd
510 root 844 S /sbin/hotplug2 --override --persistent --set-rules-f
516 root 1288 S /sbin/procd
539 root 1532 S /sbin/netifd
542 root 0 SW< [kworker/0:1H]
543 root 876 S < ubusd
637 root 1508 S /sbin/watchdog -t 5 /dev/watchdog
817 root 1652 S hostapd -P /var/run/wifi-phy0.pid -B /var/run/hostap
936 root 1156 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
943 root 3384 S /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
944 root 6080 S /usr/bin/php-fcgi
946 root 6080 S /usr/bin/php-fcgi
947 root 6080 S /usr/bin/php-fcgi
950 root 6080 S /usr/bin/php-fcgi -b 1026
952 root 6080 S /usr/bin/php-fcgi
969 root 1140 S /usr/sbin/uhttpd -f -h /www -r Phantom -x /cgi-bin -
971 root 6080 S /usr/bin/php-fcgi
972 root 6080 S /usr/bin/php-fcgi
973 root 6080 S /usr/bin/php-fcgi
974 root 6080 S /usr/bin/php-fcgi
997 nobody 944 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
999 root 1564 S {S95done} /bin/sh /etc/rc.common /etc/rc.d/S95done b
1000 root 1504 S sh /etc/rc.local
1004 root 876 S ser2net
1007 root 1504 S sh /etc/watchdog_wireless.sh
1023 root 1220 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
1024 root 1512 S -ash
1048 root 1224 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
1053 root 1512 S -ash
1060 root 1496 S sleep 30s
1064 root 1504 R ps
root@…:/# halt

(FPV stops dead)

Phantom could still be controlled but smartphone link was down until I rebooted the Phantom.
Last edited by HunterSK; Jun 11, 2014 at 08:42 AM.
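The process listing above is also worth reading as an attack-surface inventory. The following is an added example, not code from the post: a small POSIX shell script that runs an excerpt of that `ps` output through awk and reports which network-facing daemons run as root and how many interactive SSH shells are open. The excerpt is embedded so it runs offline; on the aircraft you would pipe `ps` into it instead. The daemon names are the ones visible in the listing; what `ser2net` is bridging is not stated in the post and is treated as unknown.

```shell
#!/bin/sh
# Added example (not from the post): audit a BusyBox `ps` listing for
# network-facing daemons running as root. PS_LISTING is an excerpt of the
# listing captured from the Vision+ in the post, embedded so this runs offline.
PS_LISTING='PID USER VSZ STAT COMMAND
1 root 1504 S init
2 root 0 SW [kthreadd]
398 root 1556 S {rcS} /bin/sh /etc/init.d/rcS S boot
506 root 1516 S /sbin/syslogd -C16
543 root 876 S < ubusd
637 root 1508 S /sbin/watchdog -t 5 /dev/watchdog
817 root 1652 S hostapd -P /var/run/wifi-phy0.pid -B /var/run/hostap
936 root 1156 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
943 root 3384 S /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
944 root 6080 S /usr/bin/php-fcgi
950 root 6080 S /usr/bin/php-fcgi -b 1026
969 root 1140 S /usr/sbin/uhttpd -f -h /www -r Phantom -x /cgi-bin -
997 nobody 944 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
1004 root 876 S ser2net
1007 root 1504 S sh /etc/watchdog_wireless.sh
1023 root 1220 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
1024 root 1512 S -ash
1048 root 1224 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
1053 root 1512 S -ash
1064 root 1504 R ps'

# Daemons reachable over the open WiFi network, as seen in the listing.
# dropbear is where the shared root password is actually used; the web
# servers, php-fcgi and ser2net (a serial-to-TCP bridge; the post does not
# say which port it exposes) are extra surface that is root if they are.
NETWORK_DAEMONS='hostapd|dnsmasq|dropbear|lighttpd|php-fcgi|uhttpd|ser2net'

# Print "USER NAME" once per distinct pair.
# BusyBox ps columns: PID USER VSZ STAT COMMAND, so $5 is the executable.
list_network_daemons() {
    printf '%s\n' "$PS_LISTING" | awk -v pat="$NETWORK_DAEMONS" '
        NR > 1 {
            exe = $5
            sub(/^.*\//, "", exe)              # /usr/sbin/dropbear -> dropbear
            if (exe ~ ("^(" pat ")$")) print $2, exe
        }' | sort -u
}

# Names of the network daemons that run as root.
root_network_daemons() {
    list_network_daemons | awk '$1 == "root" { print $2 }'
}

# Interactive shells spawned by dropbear (-ash). At least one is the
# operator's own session; more than you opened means someone else is in.
interactive_shell_count() {
    printf '%s\n' "$PS_LISTING" | grep -c ' -ash$'
}

echo "Network daemons running as root:"
root_network_daemons
echo "Interactive SSH shells: $(interactive_shell_count)"
```

Run on the aircraft by replacing the embedded listing with `ps` output; two `-ash` shells while you have one PuTTY window open is exactly the signal this thread is about.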
Jun 11, 2014, 07:22 PM
Registered User
Quote:
Originally Posted by HunterSK
[quotes the opening post in full]
Hi,

Try PM'ing the author, cryptoron, and ask him/her how they ascertained the root password. I'd like to try a Naza, WKM and A2 just to be safe. I can't since I am not a member of that forum.
Jun 22, 2014, 01:41 AM
Registered User
Thread OP
I haven't ascertained how the root password was obtained, as it doesn't matter now since it is out.

What has come about from all of this is that now we can install additional software on our Phantom systems to give better security.

On my Phantom I have:
- Changed my root password
- Secured both the vehicle's WiFi and Repeater WiFi connections through WPA2 encryption.
- Installed a Web UI to get easier access to the Phantom's WiFi network.

This person has written an excellent guide.

http://www.phantompilots.com/viewtopic.php?f=27&t=17704

## Disclaimer

The instructions provided here are provided as-is and with no warranty expressed or implied.
You are responsible for any issues that arise from following these instructions.
**** Follow at your own risk! ****
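The two hardening steps in this thread, the `passwd root` procedure from the opening post and the WPA2 change mentioned just above, can be done from one script run on the device itself. The following is an added example, not code from the post or from the linked guide. It assumes the firmware is OpenWrt-based (the procd, netifd, ubusd and hostapd processes in the listing point that way; the post does not say so), so that `uci`, `wifi` and BusyBox `passwd` are present, and that the access point is the first `wifi-iface` section. The validation functions are the part that matters: a passphrase hostapd rejects leaves the radio down, and a password with a newline in it breaks the `passwd` dialogue.

```shell
#!/bin/sh
# Added example, not from the post or the linked guide. Run ON the Phantom
# (192.168.1.1) and again on the repeater (192.168.1.2) after logging in
# as root. Assumptions: OpenWrt-based firmware (uci, wifi, BusyBox passwd)
# and the AP is wireless.@wifi-iface[0].
#
# Usage: sh harden.sh apply 'new-root-password' 'new-wifi-passphrase'

# WPA2-PSK passphrases must be 8..63 printable ASCII characters; hostapd
# rejects anything else, which would leave the radio down after `wifi`.
# Returns 0 if acceptable, 1 otherwise.
check_psk() {
    psk=$1
    [ "${#psk}" -ge 8 ] && [ "${#psk}" -le 63 ] || return 1
    # delete every byte in 0x20..0x7E; anything left over is not allowed
    [ -z "$(printf '%s' "$psk" | LC_ALL=C tr -d ' -~')" ]
}

# Root passwords have no hard limit, but a short one defeats the point and
# an embedded newline would be read as the confirmation by `passwd`.
check_root_password() {
    pw=$1
    nl=$(printf '\nx'); nl=${nl%x}        # a literal newline, survives $(...)
    [ "${#pw}" -ge 8 ] || return 1
    case $pw in *"$nl"*) return 1 ;; esac
    return 0
}

# Replace the factory root password. BusyBox passwd reads the new password
# and its confirmation from stdin when stdin is not a terminal (the idiom
# OpenWrt image builders use; assumed to hold for this build).
set_root_password() {
    check_root_password "$1" || { echo "root password rejected" >&2; return 1; }
    printf '%s\n%s\n' "$1" "$1" | passwd root
}

# Turn the open network into WPA2-PSK with CCMP. Every client, including
# the phone running the Vision app, has to rejoin with the passphrase.
enable_wpa2() {
    check_psk "$1" || { echo "passphrase rejected" >&2; return 1; }
    uci set 'wireless.@wifi-iface[0].encryption=psk2+ccmp'
    uci set "wireless.@wifi-iface[0].key=$1"
    uci commit wireless
    wifi                                  # reload the radio with the new settings
}

# Print the configured auth mode so the change can be checked from the console.
show_wifi_auth() {
    uci get 'wireless.@wifi-iface[0].encryption'
}

case ${1:-} in
    apply) set_root_password "$2" && enable_wpa2 "$3" && show_wifi_auth ;;
esac
```

Do the repeater second and from a client of the repeater's network, or do the aircraft over a link you can afford to lose: the moment `wifi` runs, the open SSID is gone and your SSH session with it.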
Sep 21, 2014, 10:46 AM
Registered User
sea_owl's Avatar
It is not that scary :-) Even if an attacker changes some config files, you can press "reset" on the extender and it resets itself to the factory default settings.

