
\section{Evaluation}
In this chapter, the implementation of the HoneyDrone is evaluated. Since, to the best of our knowledge, there are no existing honeypot solutions for drones, our evaluation is based on the effectiveness of the HoneyDrone in the chosen attack scenarios and on its efficiency. The attacks are based on two protocols, namely Telnet and MAVLink, and the metric used to measure efficiency is the CPU utilization.
\subsection{Attack Scenario 1: Telnet Attack}

As discussed in chapter 3 under section 3.1.2, the Parrot AR Drone 2.0 can be easily attacked by making a Telnet connection to the drone. In this attack scenario, we perform a Telnet attack on a Parrot AR Drone 2.0 followed by a similar attack on the HoneyDrone. In order to hijack the drone, it is necessary to de-authenticate the device which is currently controlling the drone. When such a de-authentication attack is carried out on clients connected to the HoneyDrone, it causes no damage to the HoneyDrone application or to any hardware.

\begin{figure}[h!]
\centering
\includegraphics[scale=0.8]{graphics/arconn2.png}
\caption{Telnet connection to Parrot AR Drone 2.0}
\label{fig:TELNETCONN}
\end{figure}
\par For a Telnet connection to the drone, however, de-authentication is not even necessary. Hence, it is possible to connect to the drone and issue commands to it even when the drone is mid-flight, thereby shutting down the drone or deleting important files from the drone’s operating system. The Telnet connection to the Parrot drone is not password protected and any connected client is granted the root privilege on the file system. In our scenario, a Telnet connection has been established with the drone after connecting to the drone’s Wi-Fi network. Once connected, we issued a sample command ‘ls -l’ to list the contents of the directory. From the listing, it can be seen that the root user has the write privilege on every file, which allows deletion of these files. Figure 10 shows the output of the list command issued on the root directory of the Parrot drone.

\par This scenario is repeated on the HoneyDrone, which is configured to run on the same IP address ‘192.168.1.1’ as used by the Parrot drone, and an open Wi-Fi access point has been set up. On establishing a Telnet connection to the HoneyDrone, the command ‘ls -l’ is issued in the root directory. In addition to this command, a second command ‘rm -r bin’ is issued with the aim of deleting the bin folder completely from the root directory. Figure 11 shows the result of the command ‘ls -l’ issued to the HoneyDrone.

\begin{figure}[h!]
\centering
\includegraphics[scale=0.8]{graphics/honeyconn3.png}
\caption{Telnet connection to the HoneyDrone}
\label{fig:HDCONN}
\end{figure}
\par From Figure 10 and Figure 11, it can be seen that the file systems of the Parrot drone and the HoneyDrone are almost indistinguishable. Further, the deletion of the folder does not cause any harm to the HoneyDrone as the file system is not real.
\par HoneyDrone logs all the information about the attack in the MongoDB database. In the scenario discussed above, it records information about the attacker, namely the IP address, the type of connection and the port used by the attacker, and the events along with the timestamp of each event. Figure 12 shows the logs inserted into the database. There are three events recorded: one for the new connection establishment and two for the commands issued by the attacker. When a command issued by the attacker is not yet implemented by the HoneyDrone, the attacker is shown the message ‘Command not found’ and the issued command is also logged in the database.

\begin{figure}
\centering
\begin{BVerbatim}[fontsize=\footnotesize]
{
  "_id" : ObjectId("5131d0100fa4c416dc63c210"),
  "clientinfo" : {
    "ip" : "192.168.1.31",
    "type" : "TCP",
    "port" : 40784
  },
  "eventinfo" : [
    {
      "timestamp" : "2017-12-20 21:03:12.141377",
      "event" : "New Connection "
    },
    {
      "timestamp" : "2017-12-20 21:03:15.718012",
      "event" : "Command found: `ls -l`"
    },
    {
      "timestamp" : "2017-12-20 21:04:35.567345",
      "event" : "Command found: `rm -r bin`"
    }
  ]
}
\end{BVerbatim}
\caption{MongoDB sample log for Telnet connection}
\end{figure}
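The behaviour described in this scenario, sketched as an added example (not HoneyDrone's own code): an emulated shell over an in-memory file system that records events in the document shape of the sample log above. The class name, the directory listing and the wording of the logged event for unimplemented commands are assumptions.

```python
from datetime import datetime

class FakeShell:
    """Emulated Telnet shell: nothing here touches the host file system."""

    def __init__(self, ip, port, now=datetime.now):
        self._now = now
        # Constructed listing; a deployment would mirror the drone's root directory.
        self.fs = {"bin": "drwxr-xr-x", "data": "drwxr-xr-x", "etc": "drwxr-xr-x"}
        self.session = {
            "clientinfo": {"ip": ip, "type": "TCP", "port": port},
            "eventinfo": [],
        }
        self._log("New Connection")

    def _log(self, event):
        self.session["eventinfo"].append(
            {"timestamp": str(self._now()), "event": event}
        )

    def handle(self, line):
        """Return the text shown to the client and log the command."""
        argv = line.split()
        if argv[:1] == ["ls"]:
            self._log(f"Command found: `{line}`")
            rows = sorted(self.fs.items())
            return "\n".join(f"{mode} root root {name}" for name, mode in rows)
        if argv[:1] == ["rm"]:
            self._log(f"Command found: `{line}`")
            for target in argv[1:]:
                if not target.startswith("-"):
                    self.fs.pop(target, None)  # only the in-memory view changes
            return ""
        # Unimplemented commands are still recorded (event wording is an assumption).
        self._log(f"Command not found: `{line}`")
        return "Command not found"
```

The `session` dictionary can be inserted into the database as one document per connection; the deleted folder disappears only from the emulated view, never from the host.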

\subsection{Attack Scenario 2: MAVLink Attack}
The next scenario used for the evaluation of the HoneyDrone is an attack using the MAVLink protocol. This scenario has been tested directly on the HoneyDrone, as the Parrot drone did not support MAVLink communication at the time of testing. However, this attack can be successfully carried out on any drone with a weakly secured access point and support for MAVLink communication. Using a \ac{gcs} application that supports MAVLink, the attacker can issue new mission way-points to the drone and steer the drone away from its owner. In this scenario, it is assumed that the drone’s Wi-Fi network has been compromised and an attacker can connect to the drone’s Wi-Fi network after de-authenticating the original controller.
\begin{figure}[h!]
\centering
\includegraphics[scale=0.45]{graphics/qgc2.png}
\caption{QGroundControl connection to HoneyDrone}
\label{fig:MAVLINKCONN}
\end{figure}

\par On connecting to the HoneyDrone’s Wi-Fi network, we established a connection to the HoneyDrone’s MAVLink service through UDP port 14550 using the \ac{gcs} application QGroundControl. Since the HoneyDrone runs the SITL simulator, the QGroundControl application gets the simulated parameters such as pitch, GPS coordinates, speed, etc., from the HoneyDrone, just as it would receive them from a real drone. From the QGroundControl application, telemetry commands have been issued to the drone using the MAVLink protocol. Figure 13 shows the QGroundControl application connected to the HoneyDrone. It can be seen that the QGroundControl has received the new way-point co-ordinates from the attacker and started its mission along the received path. To an attacker, the drone appears to fly over a fake location as specified in the configuration file of the HoneyDrone. The application behaves in the same way as it would when connected to a real drone.

\par In our evaluation, new way-points have been created and uploaded as a mission to the HoneyDrone. Once uploaded, ‘arm’ and ‘takeoff’ commands have been sent to the HoneyDrone. The HoneyDrone responds by sending the fake GPS coordinates as per the way-points uploaded. The QGroundControl software shows the movement of the drone using the parameters received from the HoneyDrone. All the MAVLink messages exchanged between the \ac{gcs} and the HoneyDrone are logged into the MongoDB database. Figure 14 shows a subset of the event info containing the GPS coordinates exchanged between the honeypot and the QGroundControl.
\linebreak
\begin{figure}
\centering
\begin{BVerbatim}[fontsize=\footnotesize]
{
"timestamp" : "2017-12-20 21:54:06.900751",
"event" : "MISSION_ITEM {target_system : 1, target_component : 190,
seq : 0, frame : 0, command : 16, current : 1,
autocontinue : 1, param1 : 0.0, param2 : 0.0, param3 : 0.0,
param4 : 0.0, x : 49.8767967224, y : 8.65258693695, z : 50.0}"
},
{
"timestamp" : "2017-12-20 21:54:07.022121",
"event" : "MISSION_ITEM {target_system : 1, target_component : 190,
seq : 1, frame : 3, command : 21, current : 0,
autocontinue : 1, param1 : 0.0, param2 : 0.0, param3 : 0.0,
param4 : 0.0, x : 49.8753738403, y : 8.65268516541, z : 0.0}"
}
\end{BVerbatim}
\caption{MongoDB sample log for MAVLink connection}
\end{figure}
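For analysing such logs, the following added example (not part of the HoneyDrone code base) parses the logged MISSION_ITEM strings and reconstructs the mission the attacker uploaded. The function names are hypothetical; the command and frame numbers are taken from the MAVLink common message set, and the sample input is the two events shown in the figure above.

```python
import re

# Subset of the MAVLink common message set enums (MAV_CMD, MAV_FRAME).
MAV_CMD = {16: "NAV_WAYPOINT", 20: "NAV_RETURN_TO_LAUNCH",
           21: "NAV_LAND", 22: "NAV_TAKEOFF"}
MAV_FRAME = {0: "GLOBAL", 3: "GLOBAL_RELATIVE_ALT"}

FIELD = re.compile(r"(\w+)\s*:\s*(-?\d+(?:\.\d+)?)")

def parse_mission_item(event):
    """Turn a logged 'MISSION_ITEM {...}' string into a typed dict, or None."""
    m = re.match(r"\s*MISSION_ITEM\s*\{(.*)\}\s*$", event, re.S)
    if not m:
        return None
    item = {k: float(v) if "." in v else int(v)
            for k, v in FIELD.findall(m.group(1))}
    item["command_name"] = MAV_CMD.get(item.get("command"), "UNKNOWN")
    item["frame_name"] = MAV_FRAME.get(item.get("frame"), "UNKNOWN")
    return item

def reconstruct_mission(events):
    """Order uploaded items by seq: (seq, command, latitude, longitude, altitude)."""
    items = [i for i in map(parse_mission_item, events) if i and "seq" in i]
    return [(i["seq"], i["command_name"], i["x"], i["y"], i["z"])
            for i in sorted(items, key=lambda i: i["seq"])]

# The two events from the sample log, joined onto single lines.
SAMPLE = [
    "MISSION_ITEM {target_system : 1, target_component : 190, "
    "seq : 0, frame : 0, command : 16, current : 1, "
    "autocontinue : 1, param1 : 0.0, param2 : 0.0, param3 : 0.0, "
    "param4 : 0.0, x : 49.8767967224, y : 8.65258693695, z : 50.0}",
    "MISSION_ITEM {target_system : 1, target_component : 190, "
    "seq : 1, frame : 3, command : 21, current : 0, "
    "autocontinue : 1, param1 : 0.0, param2 : 0.0, param3 : 0.0, "
    "param4 : 0.0, x : 49.8753738403, y : 8.65268516541, z : 0.0}",
]

if __name__ == "__main__":
    for step in reconstruct_mission(SAMPLE):
        print(step)
```

Decoded this way, the sample log reads as a way-point at 50 m altitude followed by a land command, which is the intended flight path an analyst would extract from an attacker session.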
\subsection{CPU Utilization}
In this section, we evaluate the percentage of CPU utilized by our honeypot. The evaluation is based on a Raspberry Pi 2 Model B v1.1, which runs on a 900 MHz ARM Cortex-A7 quad-core CPU with 1 GB of RAM.

\begin{figure}[h!]
\centering
\includegraphics[scale=0.8]{graphics/cpuutil2.png}
\caption{CPU Utilization of the HoneyDrone on the Raspberry Pi}
\label{fig:MAVLINKCONN}
\end{figure}

\par We have measured the CPU utilization in five different stages, which are explained below.
\begin{itemize}
\item \textbf{Stage 1 – Idle state}: In this stage, the Raspberry Pi is powered along with the Wi-Fi access point but the HoneyDrone application is not started.
\item \textbf{Stage 2 – Application Start}: In this stage, the HoneyDrone application is started and the services SSH, Telnet and MAVLink are up and running but no client is connected to them.
\item \textbf{Stage 3 – Telnet client connection}: In this stage, a single client (Ubuntu) is connected to the Telnet server of the HoneyDrone and random commands are issued manually.
\item \textbf{Stage 4 – SSH client connection}: In this stage, a single client (Ubuntu) is connected to the SSH server of the HoneyDrone and random commands are issued manually. During this stage, the Telnet connection established in stage 3 is still active.
\item \textbf{Stage 5 – MAVLink client connection}: In this stage, a single client is connected to the MAVLink service of the honeypot through the Android app ‘Tower’ and the commands ‘ARM’ and ‘TAKEOFF’ are issued. During this stage, the Telnet and SSH connections established in the previous stages are still active.
\end{itemize}

\par In all of the above-mentioned stages, the total CPU utilization (all processes) of the Raspberry Pi has been captured using the ‘ps’ command available in Linux. Figure 15 shows a plot of the calculated CPU utilization in percent against time, measured in seconds. Here the total utilization is converted such that the maximum CPU utilization available is 100\%. During stage 1, the CPU utilization is at its minimum value of around 2\%. The CPU utilization peaks during the start of the HoneyDrone application in stage 2, reaching a maximum of approximately 50\%. Once the application has started and the servers are running, the CPU utilization drops, and during stages 3, 4 and 5 it is consistent with an average of 20\%. As inferred from the results, the HoneyDrone application uses approximately one-fifth of the total CPU. The CPU utilization added due to the client connections is negligible and does not affect the overall CPU utilization of the Raspberry Pi. Therefore, the HoneyDrone can support more parallel connections without degrading its performance.
