DroneView Security Problems

Written 2017-01-01

Tags:DroneView Security 

WiFi Password

The WiFi uses an open network. This should be replaced with a default password printed on the device label.

Everything Runs as Root

This means any command-injection in the web UI would lend itself to immediate system compromise.

No Shadowfile Support

Password hashes are stored in /etc/passwd. If normal processes ran as something other than root, they would be restricted from fetching password hashes.

Telnet identifies non-users

If attempting to log in over Telnet with an invalid username, Telnet displays 'getpwnam returned null'. This allowed me to quickly exclude a list of common username and password combinations used in IP camera devices. Also telnet should be replaced with SSH.

Poor Password Choices

By sharing a short alphanumeric password, ev1324, across all drones, the compromise of a single drone(mine), combined with telnet, allows wireless bricking of devices.

Weak password hashing algorithms

The root password is hashed with MD5. This took only about 20 minutes to brute-force. Since it is not common for someone to log into this device, there is little downside to using a much slower algorithm.

Unlocked Bootloader

This one I have mixed feelings on, but a bootloader password would have prevented me from extracting password hashes from the firmware. However, if the bootloader were locked, I then would have extracted it from the SPI flash. And then you need disk encryption.