
Serious Security Problems with the ALL Bebops 2022

ParrotAnafiFan

Both the Bebop 1 and 2 can be disconnected/deauthed while you fly by anyone with the aircrack program :(
This means loss of ALL control while flying, and it will not RTH.
Having WPA2 on makes no difference.

I wish this would get fixed.
 
I'm not worried at all; normally drones don't bother to encrypt data anyway. Analog video @ 5.8 GHz or radio data protocols like FrSky D8 or D16, FlySky AFHDS or even ExpressLRS are much less secure and much easier to hack than that, and no serious problems have been found about this for the last 20 years. If you really care about security, don't fly a 9-year-old drone; go instead after more secure radio links like OcuSync 2.0 or better.
I know people who have been flying Bebops for years with no Wi-Fi password at all and never got any problems.
 
Unlikely there would be an update for it since the drone has been discontinued for some time now. I have never had a problem with it and still fly it. Still works for me.
 
Considering the Bebop 2 is pretty much impossible to fly in places with a ton of wifi noise anyway, who cares?
I leave mine open with just MAC restrictions for my devices, which won't protect against de-auth, but I'm generally miles away from other people much less populated areas where I fly.
 
Anyone who can figure out how to sniff and spoof a MAC can figure out how to de-auth, so your security margin with a password is pretty much nil.
 
De-auth works by simulating disconnect initiated by the client, using its MAC.
MAC filtering works just fine on my Bebops.
But you're right, if you fly your drone a lot in the same area and are observed by technically-inclined individuals, your drone may be targeted by these types of attacks. Still, the Bebop 2 will attempt to land gracefully when the battery drops below whatever threshold, so as long as you're not over water (or maybe tall trees), you'll still be fine.
 
I said open with MAC restrictions. Again, your concerns are overblown. Bad actors aren't going to waste their energy on your $150 drone. Do secure your home wifi, though.

For MAC filtering, here's the note I wrote for myself (based on the hacking guide). This has worked on 4 different Bebop 2's:
1. Press the power button 4 times to enable the adb server.
2. Connect to the drone's wifi.
3. Connect to the adb server, remount the file system, and edit the wifi config:
Code:
   adb connect 192.168.42.1:9050
   adb shell
   mount -o remount,rw /
   vi /sbin/broadcom_setup.sh
4. Insert the following lines after the line containing `bcmwl sgi_tx 0`:
Code:
   bcmwl mac A1:B2:C3:D4:E5:F6 1A:2B:3C:4D:5E:6F
   bcmwl macmode 2
Save the file. Spoof to connect if devices are lost.
 
It's nothing I am worried about with my Bebop 2.
I am near a big city, so this happens. This thread is about solving the issue. You can get away with it in the zones you fly in, Mike. I cannot, without traveling 30 miles away each time, wasting gas, to some farmland. The Bebops, other than this HUGE problem, are EXCELLENT drones quality-wise, and I have mine dialed. So instead of switching drones I will keep looking for a solution against these deauth frames/packets.
 
bump for this again. No one to join me?
I've looked at it; it seems like it's not supported in the driver. It should be set with "bcmwl mfp 2". I've read Broadcom supports it with the newer open-source driver, which is not compatible with the bcm43526. So the options are:
Replacing the chip, or connecting a WiFi USB dongle and compiling the kernel module for it with PMF enabled.
Connecting a little WiFi repeater/router via a USB Ethernet adapter (probably too much extra weight).
Creating a watchdog that will send the RTH command after a deauth (should be simple).
And the 4G mod, of course. You could set it up so that it will only connect to 4G when the WiFi is disconnected.
 
Informative post. PLEASE ANYTHING! I WOULD TRY ANY OF THOSE FOR THE PEACE OF MIND. I AM BAD WITH CODE.
 
Right, the BCMWL MFP command doesn't set; are there other commands we have to set first?

I don't want it to even allow getting deauthed, because the BB1 GPS is not so great and RTH may not make it back.
So this option is out for me.

Replacing the radio chip would require different drivers as well?

I know of no dual-band WiFi dongles that support PMF and also work with the Bebop's Linux. There probably are.
 
It's case-sensitive and needs a digit after it: 0=off, 1=supported, 2=required.
But it will say "unsupported".
To see all available options just type "bcmwl". But there is nothing to prevent a deauth, AFAIK; the only way to prevent it would be a PMF-enabled connection or using LTE as backup. The last one would be the easiest choice, but you would need an (extra) SIM card, and it takes about 1 GB an hour @ 480p.

There is only one WiFi driver as a module in the kernel, so the kernel does support loading modules. The ath9k driver was one of the first that supported PMF. Possibly more software needs to be installed/updated to be able to use it; I'll look at it when I have time.

And the client needs to support it as well; there's a big chance the Skycontroller doesn't.
 
Ah yes, you refreshed my memory. That is the correct command. Indeed you are correct. Yes, the only bad thing about 4G is that you will have to pay to fly (SIM service), like the BB2 4G mod, whereas WiFi is free. The SC2 would need to support it as well, which it doesn't, but all newer phones from around 2016 on do support PMF, if you want low-to-medium-range flying through the phone's WiFi; still good flying, and at least you would have PMF that way.

If you do find a way I would be super interested as well as other fliers, thanks for your research.
 
This article says that you can send continual authentication packets to the client and router to block the deauth packets, using aireplay.
How do you detect and prevent WiFi deauthentication attacks?

Blocking spoofed packets

Another way of preventing WiFi deauthentication attacks is to block spoofed packets from reaching your network or devices. You can use a tool, such as Airmon-ng, to put your wireless adapter in monitor mode and capture the packets on your network. Then, you can use a tool, such as Aireplay-ng, to inject packets into the network and disrupt the spoofed packets. For example, you can send authentication packets to the access point or the client, overriding the deauthentication packets and keeping them connected.

Any idea on this procedure?
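Added example, not from the thread or from Parrot: a small Python detector for the attack discussed above. It parses raw 802.11 management frames (as a monitor-mode capture would yield them), counts unprotected deauth/disassoc frames per transmitter/receiver pair, and flags a burst; the sample frames and MAC addresses are constructed for the demo.

```python
"""Detect deauth/disassoc floods in a stream of raw 802.11 management frames.

Management header: fc(2) dur(2) addr1/receiver(6) addr2/transmitter(6)
addr3/BSSID(6) seqctl(2); a deauth/disassoc body starts with a 2-byte reason.
"""
from collections import defaultdict

DEAUTH, DISASSOC = 0xC, 0xA   # management frame subtypes
PROTECTED_BIT = 0x4000        # Protected Frame flag in the frame control field

def parse_mgmt(frame: bytes):
    """Return (subtype, protected, transmitter, receiver, reason) for a
    deauth/disassoc frame, or None for any other frame."""
    if len(frame) < 26:
        return None
    fc = int.from_bytes(frame[0:2], "little")
    if (fc >> 2) & 0x3 != 0:                      # type 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in (DEAUTH, DISASSOC):
        return None
    receiver, transmitter = frame[4:10].hex(":"), frame[10:16].hex(":")
    reason = int.from_bytes(frame[24:26], "little")
    return subtype, bool(fc & PROTECTED_BIT), transmitter, receiver, reason

def find_floods(frames, threshold=5):
    """Count unprotected deauth/disassoc frames per (transmitter, receiver).
    With PMF required (the thread's "bcmwl mfp 2") these frames are protected
    and a station drops unprotected ones; a burst of them is the signature."""
    counts = defaultdict(int)
    for f in frames:
        p = parse_mgmt(f)
        if p and not p[1]:
            counts[(p[2], p[3])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

def sample_frame(subtype, transmitter, receiver, protected=False, reason=7):
    """Build one constructed frame for the demo (a fixture, not a capture)."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    fc = (subtype << 4) | (PROTECTED_BIT if protected else 0)
    return (fc.to_bytes(2, "little") + b"\x00\x00" + mac(receiver)
            + mac(transmitter) + mac(transmitter) + b"\x00\x00"
            + reason.to_bytes(2, "little"))

# Constructed, locally administered MACs; not real drone or controller addresses.
AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"
CAPTURE = [sample_frame(DEAUTH, AP, STA) for _ in range(8)]       # spoofed burst
CAPTURE.append(sample_frame(DISASSOC, STA, AP, protected=True))   # legitimate, PMF

if __name__ == "__main__":
    print(find_floods(CAPTURE))   # {('02:00:00:00:00:01', '02:00:00:00:00:02'): 8}
```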
 