Showing posts with label spoofing. Show all posts

Wednesday, December 25, 2024

How to Hack a Drone

Annoying drones invading your private property?




By Dominic Alvieri
December 25th, 2024

Hacking is Illegal and for Nerds

Stopping a common drone is easier than you think.

Hacking drones is not new. We're not firing up Kali and taking over a drone for an offensive campaign, merely describing the defensive options available for dealing with a drone that is illegally flying over your private property. You will be surprised by how easy it actually is.

I have always believed that anything that communicates from one point to another point can be intercepted or hacked. Drones are no different. It's been a few years since I have compromised a drone, so this refresher was inspired by the recent panic over drone sightings in New Jersey.

In the simplest terms, many consumer drones use Wi-Fi to communicate with, and receive commands from, the operator's controller or phone app. Each end of that link has a MAC address, so don't forget to log the MAC addresses.


nist.gov


Defensive Techniques 


The basic ways to defend against a drone are to take control of it; to shoot it down, destroy it or otherwise physically capture and stop it; or to disable its communications so that it falls back to a "Go Home" return or a landing, or otherwise disable the drone itself to force a landing.

Check the laws in your state or country


In the United States, drones weighing more than 0.55 pounds (250 grams) must be registered with the FAA, and they generally must be flown below 400 feet and kept within the operator's visual line of sight.


FAA

Dependency Confusion, if you will


Since most people have no access to a high-powered device that emits an electromagnetic pulse, and would not want to risk shooting a drone down (the FAA treats a drone as an aircraft, and shooting at one can be a federal crime), most lean towards another path.

I like to call it creating a dependency confusion. Dependency confusion, also known as a substitution attack or namespace confusion, is an attack in which the attacker publishes a malicious package on a public registry under the same name as an organization's private, internal package, so that a build tool which also checks the public registry pulls the attacker's package instead of the real one. The root cause is that the package name is not namespaced to its owner.

Roughly speaking, most spoofing is the same idea: you fool a device or service into connecting to, and taking commands from, what appears to be an authorized device but is in fact one you control.
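As an added illustration of the substitution attack described above (example code, not from the original post), here is a small Python script that mimics how a merged-index resolver picks the winning package and then audits a set of private package names against a public index snapshot. Both index snapshots, the acme-* names and the version numbers are constructed for the example; a real audit would query the private index and the public registry's API instead.

```python
"""Dependency-confusion exposure check over constructed index snapshots.

Added example, not code from the original post. The two index snapshots
and the package names are constructed for illustration.
"""
from typing import Optional


def version_key(version: str) -> tuple[int, ...]:
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve(name: str, private: dict[str, str], public: dict[str, str],
            extra_index: bool = True) -> Optional[tuple[str, str]]:
    """Mimic a resolver that merges every index it knows about and installs
    the highest version it finds (the behaviour behind pip's --extra-index-url).

    With extra_index=False only the private index is consulted, which is the
    hardened configuration (pip --index-url pointing at the private mirror).
    Returns (source, version) or None when nobody serves the name.
    """
    candidates: dict[str, str] = {}
    if name in private:
        candidates["private"] = private[name]
    if extra_index and name in public:
        candidates["public"] = public[name]
    if not candidates:
        return None
    source = max(candidates, key=lambda src: version_key(candidates[src]))
    return source, candidates[source]


def audit(private: dict[str, str], public: dict[str, str]) -> dict[str, str]:
    """Classify each private package name by its exposure on the public index."""
    report = {}
    for name, private_version in private.items():
        if name not in public:
            # Nobody has claimed the name yet; an attacker still can.
            report[name] = "unclaimed"
        elif version_key(public[name]) > version_key(private_version):
            # A merged-index resolver would already pull the public copy.
            report[name] = "hijacked"
        else:
            # Public copy exists but is older; one higher upload is all it takes.
            report[name] = "collision"
    return report


# Constructed snapshots: internal packages and what a public registry serves
# under the same names. "acme-auth" is the classic case: an attacker uploaded
# 99.0.0 so that it outranks every internal release.
PRIVATE_INDEX = {"acme-auth": "1.4.0", "acme-billing": "0.9.2", "acme-utils": "2.0.0"}
PUBLIC_INDEX = {"acme-auth": "99.0.0", "acme-utils": "1.0.0"}

if __name__ == "__main__":
    for pkg in PRIVATE_INDEX:
        merged = resolve(pkg, PRIVATE_INDEX, PUBLIC_INDEX)
        pinned = resolve(pkg, PRIVATE_INDEX, PUBLIC_INDEX, extra_index=False)
        print(f"{pkg:14} merged-index -> {merged}   private-only -> {pinned}")
    print(audit(PRIVATE_INDEX, PUBLIC_INDEX))
```

The fix the audit points at is the same in every ecosystem: claim or reserve the public name, or move internal packages under an owner-scoped namespace, and configure the resolver to consult the private index only.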






Drone Radio Frequencies


Detecting a drone with radio-frequency sensors is straightforward if you are so inclined. Once you have found its link, decoding it (for Wi-Fi drones the 802.11 frames, and for drones that broadcast Remote ID the identification messages) can give you the drone's MAC address and serial number so that it can be targeted directly, but you should not have to get that granular. The starting point would be a radio-frequency jammer.

Generally speaking, the bands drones use, 2.4 GHz and 5.8 GHz especially, are shared with Wi-Fi and many other household devices, so jamming them creates unintended interference. In the United States, operating a jammer is illegal under FCC rules no matter what you are aiming it at, so check your local laws.

Drone frequency bands vary and include 433 MHz and 915 MHz (long-range control links), 1.2 GHz and 1.3 GHz (analog video), and 2.4 GHz and 5.8 GHz (control and video, the same bands as Wi-Fi).
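To make the "log the MAC addresses" and radio-frequency detection points concrete, here is an added Python example (not the author's code) that reads a Wi-Fi scan log, maps each hit's channel to its centre frequency, and flags access points whose MAC vendor prefix or SSID looks like a drone. The scan log is constructed in the column layout airodump-ng uses, and the OUI prefixes and SSID patterns are assumptions for illustration that should be checked against the IEEE OUI registry before being relied on. It only listens; nothing in it transmits.

```python
"""Passive Wi-Fi detection of consumer drones from a scan log.

Added example, not code from the original post. The OUI prefixes and SSID
patterns below are assumptions for illustration, and the scan log is
constructed in the column layout airodump-ng uses.
"""
import re
from dataclasses import dataclass

# Assumed vendor OUI prefixes (first three octets of the MAC address).
DRONE_OUIS = {
    "60:60:1F": "DJI",
    "90:03:B7": "Parrot",
    "A0:14:3D": "Parrot",
    "00:26:7E": "Parrot",
}

# Assumed SSID naming patterns for drones that run their own access point.
DRONE_SSID_PATTERNS = [
    re.compile(r"^(Mavic|Spark|TELLO|Phantom)[-_ ]", re.IGNORECASE),
    re.compile(r"^(ardrone2?|Bebop2?|Anafi)[-_]", re.IGNORECASE),
]


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    signal_dbm: int
    ssid: str


def channel_to_mhz(channel: int) -> int:
    """Centre frequency of an 802.11 channel, so a hit can be placed in the
    2.4 GHz or 5.8 GHz band listed in the post."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 36 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unsupported channel {channel}")


def parse_scan(text: str) -> list[AccessPoint]:
    """Parse 'BSSID, CH, PWR, ESSID' rows; the first line is the header."""
    aps = []
    for row in text.strip().splitlines()[1:]:
        bssid, ch, pwr, ssid = (field.strip() for field in row.split(",", 3))
        aps.append(AccessPoint(bssid.upper(), int(ch), int(pwr), ssid))
    return aps


def classify(ap: AccessPoint) -> tuple[int, list[str]]:
    """Score one access point: 2 for a drone-vendor OUI, 1 for a drone-like SSID."""
    score, reasons = 0, []
    oui = ap.bssid[:8]
    if oui in DRONE_OUIS:
        score += 2
        reasons.append(f"OUI {oui} is registered to {DRONE_OUIS[oui]}")
    if any(p.search(ap.ssid) for p in DRONE_SSID_PATTERNS):
        score += 1
        reasons.append(f"SSID {ap.ssid!r} matches a drone naming pattern")
    return score, reasons


def find_drone_candidates(scan_text: str) -> list[dict]:
    """Return every suspicious access point, strongest evidence and signal first,
    with the MAC address logged alongside the frequency it was heard on."""
    candidates = []
    for ap in parse_scan(scan_text):
        score, reasons = classify(ap)
        if score:
            candidates.append({
                "bssid": ap.bssid, "ssid": ap.ssid,
                "mhz": channel_to_mhz(ap.channel), "signal_dbm": ap.signal_dbm,
                "score": score, "reasons": reasons,
            })
    candidates.sort(key=lambda c: (-c["score"], -c["signal_dbm"]))
    return candidates


# Constructed scan log: one home router and four drone-looking networks.
SAMPLE_SCAN = """\
BSSID, CH, PWR, ESSID
60:60:1F:12:34:56, 6, -41, Mavic-1A2B3C
A0:14:3D:AA:BB:CC, 1, -67, ardrone2_123456
F0:9F:C2:11:22:33, 11, -55, HomeNet
00:26:7E:77:88:99, 149, -72, Bebop2-012345
00:11:22:33:44:55, 6, -80, TELLO-ABC123
"""

if __name__ == "__main__":
    for c in find_drone_candidates(SAMPLE_SCAN):
        print(f"{c['bssid']}  {c['mhz']} MHz  {c['signal_dbm']} dBm  {c['ssid']}: "
              + "; ".join(c["reasons"]))
```

The signal strength column is what turns a log entry into evidence: a drone-vendor MAC that keeps appearing at -40 dBm is close, and a timestamped list of those sightings is something you can hand to the authorities without ever keying a transmitter.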




Radio Frequency Analysers, Spoofers and Jammers


The goal of this simple hack is to drown out the signal between the drone and the controller so that the drone loses its link and either enters "Go Home" mode, flying to its preprogrammed home location or landing, or lands or crashes where it currently is.

Once again, drones that use Wi-Fi communicate between the onboard unit and the controller, and an RF analyser, or even an ordinary Wi-Fi adapter in monitor mode, can detect that traffic and the MAC addresses at both ends. Purpose-built drone-detection RF analysers are not consumer products, and RF spoofers are difficult to find and legally in a gray area.

The simplest way is to jam the signal and confuse the drone. If that fails, we can always open up Kali and get more granular with another attack. Certain details have been left out for safety.

Stay safe, online and off.






Thursday, September 1, 2022

Is This Email Phishing You Off?

How to Immediately Tell if This Email is from MetaMask or Phishing You

By Dominic Alvieri @AlvieriD

August 31st, 2022


MetaMask phishing attempt.

Is this a phishing attempt?

Yes.

Here is how to find out immediately. 

Most people don't remember, but MetaMask did not collect your email when you created your wallet, so it has no address to write to. MetaMask does not send emails. If you receive an email from "MetaMask", it is a phishing attempt.

The cover photo is from a current phishing campaign that uses a sense of urgency and the fear of losing access.

This phishing attempt obviously did not come from MetaMask. Official support is the @MetaMaskSupport account on Twitter.

New redirected verification landing page and QR code linking to the phish.





This fake MetaMask email follows a convoluted path: the first site is hosted in Denmark and redirects to China, where a domain registered through Alibaba hosts the actual phish. I will post an update to this blog post or my Twitter when I close this file, as the campaign is still active and a newly dated email is circulating.

Not another QR code...


MetaMask QR code phishing.



Remember MetaMask Does Not Send You Emails


What if this tip doesn't work with others?


This sounds easy enough, and it is: whenever a question arises about whether an account has been hacked, suspended or restricted in any way, go directly to the account in question (type the address yourself, or use your bookmark or the official app), not through any courtesy link, notice or email.






Monday, October 18, 2021

Hovering Over a Link is Not as Safe as You Think

Decoding HTML is not illegal but this line of code should be


By Dominic Alvieri

October 18th, 2021



Cybersecurity Awareness Month


Twitter was abuzz this week when inspecting HTML elements made the headlines: the Governor of Missouri threatened to prosecute a reporter for simply viewing readily accessible website source code and attempting to help rectify the problem. The Governor is unaware of the basic structure of a website. Everyone can press F12.

What is HTML? HyperText Markup Language (HTML) and Extensible HyperText Markup Language (XHTML) are the foundational markup languages for designing web pages.

But do you know HTML? What is XHTML? Is it CSS or XSS? You need one for style. Luckily I happen to know both.

Dropper files, phishing kits, payloads...

We are at HTML5, whose Geolocation API lets a page ask the browser for the user's location, subject to the user's permission.



Info security.



The latest from Info Security by Dan Raywood is the Top Ten Ways to Detect Phishing above. 

Hovering over a link was not on the list.






There are several ways to weaponize a link, and a hover can be scripted just as a click can. Hover-triggered malware is not new: the Zusy banking trojan comes to mind. It was easy to detect because you had to open a Microsoft PowerPoint file first, but you did not need to enable macros or JavaScript; the mouse-over action on the link was enough for the dropper to download the trojan.

No click was needed either, just hovering over the link. 



So what does this all mean today?

There are several variants and tricks, in multiple languages and programs, that can be coded to fool the unsuspecting visitor once they arrive at a web page. Every web page is built on a basic HTML framework, so reading that framework is the first step, and finding the real destination of a link beforehand is essential. Cyber security practitioners should be aware of the changing threat landscape. Phishing accounts for the vast majority of initial network entry for malware, 89%, and of malware deployment, 95%, according to SANS, Infosecurity and others.



Start with the basic terminology


Markup Language


By definition a set of symbols or tags that allow you to render text on a web browser or in print.


SGML


Standard Generalized Markup Language is the ISO standard used to define the syntax of markup languages such as HTML.

HTML


HyperText Markup Language, invented by Tim Berners-Lee in 1989, lets a document link to other web pages via hyperlinks. HTML (up to version 4) is defined syntactically as an application of SGML. The main difference between HTML and XHTML is the strictness of the syntax rules: HTML was created for text documents and is lenient, while XHTML is more tightly defined.

XHTML


Extensible HyperText Markup Language is HTML reformulated in XML and has been a World Wide Web Consortium (W3C) recommendation since 2000. Because it is based on XML it is more restrictive and stricter than the lenient HTML, which was meant to give more consistent display across browsers, including mobile browsers.

XML


Extensible Markup Language is a restricted subset of SGML used to define the syntax of a markup language. You create and define your own elements, and a DTD or schema states which elements may appear where.

CSS


Cascading Style Sheets are a set of rules that define the appearance of a web page: colors, fonts, layout and so on. There are three ways to apply CSS: inline (a style attribute on the element), embedded (a <style> block in the page) and linked (an external .css file).

Elements


An element is a unit of the document: an opening tag, its content and the closing tag (or a single self-closing tag for an empty element).

TAGS


Tags are the markers that identify the type of content in a section. There are many kinds of tags, such as <h1>, <span> and so on. Most elements need an opening and a closing tag: <title></title>. For empty elements the slash follows the tag name to be syntactically correct in XHTML, <tag/>; in HTML the slash is optional for void elements such as <br>.


Attribute


An attribute is a part of an element that modifies the characteristics of that element.

JavaScript, PHP, Python... more to know.


An email, a mobile site and a traditional web page can each be manipulated differently. These are the basic terms for one of the many ways a malicious link can be manipulated.


Mouse over script in an HTML element 



Apple mouse over script example.

An October 13th, 2021 CNBC article about the new Apple Watch Series 7 has a blue underlined hyperlink with the text "Apple" in the first sentence of the paragraph; that hyperlink is an HTML element. Where does it take you? Implicit trust comes with a reputable site such as CNBC, so trust should not be a major concern in most cases. A CNBC developer most likely coded it.

The web page was coded this way.

Technically the link can lead anywhere if you do not inspect the element. Attacking the host site and other entry points are topics for another day. Let's focus on the simple things first. I was expecting the link to go to the Apple website, but instead it was coded and directed to CNBC's Apple stock quote below.


Apple stock price 10/13/21

What coding is required to enable or disable functions of an element? JavaScript? Python?


The Apple example above is an ordinary HTML anchor element. There are several ways to obscure a link's origin, but with plain HTML you can already do a lot: change styles, fonts, links and text, and set the text the mouseover shows (its tooltip). You can even hide the tooltip entirely. How about blocking the security feature in an email client that shows the address when hovering? Sound easy? Let us drill down deeper.


Disable hover text over an HTML element


visibility: hidden;



Here is a tooltip. I just disabled the hover text on this HTML element by setting the tooltip's visibility to hidden. With the hover text removed, hovering over the text shows nothing, which again hides the actual link or any other text.

Creating believable, clickable copy is the next step in making you click.






The line to locate is <a href



It isn't the line, it's how you use it. 


Much like real-world real estate, virtual real estate is all about location, location, location. There is another way to code the location, but let's stick with the basic, well-known form rather than educate a nefariously minded phisherman who may come across this.

The href attribute holds the actual destination, in quotes; after the closing > comes the text that is shown.


<a href="Actual address of this link">What I am showing you goes here</a>



The link address is dictated by the href attribute of the <a> element, highlighted on line 13 of the code below. The line number will vary depending on the site and its complexity. Very easy to code, and very easy to see.

It is as simple to code as entering text, and seeing it is as easy as inspecting the element. Be aware of redirects, man-in-the-middle (MitM), man-in-the-mobile (MitMo) and other tactics, but the basic address of where you are going is shown.

The actual location comes first, in quotation marks, followed by >, then the visible text, then the closing tag </a>, as in the <a href example above. It is all in the code.



HTML code of sample site.


For these early stages I have not coded any CSS or JavaScript yet, so we are just creating the basic frame. This one line of HTML determines the destination through the href attribute, and the visible text can obfuscate or add to the ploy.

Be aware of the actual location and IP address, among other things.


Hover over text in an email


Playing with location in an email


The following email was obfuscated without any header spoofing, which is another topic.

Adding to the deception, most email platforms let you enter any destination and any display text when inserting a link. Below you can see the Safe Links protection status in Outlook. I created the text to look like a secure, safe link.


Email spoofed and changed.


The hover over email


Other security features for the email hover-over include showing the destination address at the lower left of the screen. I am working on a bounty to disable the email hover-over, but it requires more work and I have had inconsistent results so far. Full details will be released at a later date, after completion and a repair or patch.

The security location bar at the bottom left of the screen has not been disabled so far, but creating your own camouflage pop-up to cover or surround the actual location message may be an option, and something to be alert to.

How easy is it to get safelinks protection status?


The idea is to protect the user and not give away too many secrets to cyber criminals, but it is no big secret that getting Safe Links status is quite easy: Safe Links rewrites the URLs in mail that passes through a tenant with the policy enabled, so the wrapper means the link will be checked at click time, not that its destination is trustworthy. The header and other coding will be adjusted and not discussed here. This isn't a how-to-hack guide.

Insert link as you wish.
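Pulling the <a href, tooltip and Safe Links points together, here is an added Python example (not from the original post) that parses the anchors in an email body and reports, for each link, where it really goes and whether the visible text or the tooltip claims a different host. The email body is constructed; the only real-world format assumed is Microsoft's Safe Links wrapper, which carries the original destination in the url= query parameter of a safelinks.protection.outlook.com URL.

```python
"""Audit the links in an HTML email: visible text versus real destination.

Added example, not code from the original post. The email below is
constructed; the Safe Links wrapper format is Microsoft's, everything
else is illustrative.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
# Text that reads like a URL or a bare domain, e.g. "www.apple.com/account".
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


def unwrap_safelinks(url: str) -> str:
    """Return the destination a Safe Links wrapper points at, or url unchanged.
    The wrapper only means the link is checked at click time; it says
    nothing about where it goes."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower().endswith(SAFELINKS_SUFFIX):
        target = parse_qs(parsed.query).get("url")
        if target:
            return target[0]
    return url


def host_of(text: str) -> str:
    """Hostname of a URL, or of a bare 'www.example.com/path' string."""
    parsed = urlparse(text.strip())
    if not parsed.scheme:
        parsed = urlparse("http://" + text.strip())
    return (parsed.hostname or "").lower()


class AnchorCollector(HTMLParser):
    """Collect each <a> tag's href, title (tooltip) and visible text."""

    def __init__(self):
        super().__init__()
        self.anchors: list[dict] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "",
                             "title": a.get("title") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.anchors.append(self._current)
            self._current = None


def audit_anchors(html: str) -> list[dict]:
    """One record per link: where it really goes and why it is suspicious."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for a in collector.anchors:
        real = unwrap_safelinks(a["href"])
        destination = host_of(real)
        flags = []
        scheme = urlparse(real).scheme.lower()
        if scheme in ("javascript", "data"):
            flags.append(f"{scheme}: URL in href")
        # The visible text and the tooltip are the two things a hover shows;
        # flag either when it names a host other than the real destination.
        for label, shown in (("visible text", a["text"]), ("tooltip", a["title"])):
            if URL_LIKE.fullmatch(shown) and host_of(shown) != destination:
                flags.append(f"{label} says {host_of(shown)} but link goes to {destination}")
        findings.append({"text": a["text"], "destination": destination, "flags": flags})
    return findings


# Constructed phishing-style email body.
SAMPLE_EMAIL = """
<p>Your <a href="https://evil.example/login" title="https://www.apple.com">Apple ID</a> was locked.</p>
<p>Verify at <a href="http://evil.example/verify">https://www.apple.com/account</a></p>
<p>Read the <a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.nist.gov%2Fcybersecurity&amp;data=05%7C01">NIST</a> guidance.</p>
<p><a href="javascript:void(0)">Click here</a> to unsubscribe.</p>
<p><a href="https://www.cnbc.com/quotes/AAPL">Apple</a> stock rose today.</p>
"""

if __name__ == "__main__":
    for f in audit_anchors(SAMPLE_EMAIL):
        print(f"{f['text']!r:32} -> {f['destination'] or '(no host)'}  "
              + ("; ".join(f["flags"]) or "ok"))
```

The CNBC "Apple" link comes out clean because plain words make no claim about a host; it is only when the text or tooltip itself looks like an address that a mismatch becomes the tell.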





Hover over text in a smartphone?


Yes. On an Apple iPhone and most modern smartphones, a light tap and hold on a link opens a preview that shows the destination. Please note the Safe Links status. This link is actually safe and goes to NIST, the National Institute of Standards and Technology.



NIST cybersecurity week.


This Facebook link below actually leads to my Twitter profile. 





I deleted my Facebook account last year


As always be aware of where you click or even hover.

Always look for the actual location and do not take blue underlined text at face value.

Stay safe. More blue text.


Dominic Alvieri
 

Thursday, April 8, 2021

The Masters of Spoof

 Can anyone compete with Chinese spoofs?




The Cyber Show on Blogger

What makes a good spoof?




Counterfeit goods imported from China have been around for as long as anyone can remember: reproduce an item as close to the original as possible, down to the logo, color and style.

For the cyber criminal the goal is the same, just replicate and add urgency.


Amazon spoofs



Amazon is a global target.
The links are difficult to replicate, but they try.



The Chinese gangs use the same MO: the domain is registered through NameCheap, hosted on Alibaba, and anything that can be spoofed will be: Amazon, Apple, Hulu, Netflix, USPS. It is the online version of the knock-off brand.

NameCheap often surfaces as the registrar of these new short-link scam domains. The Chinese aren't the only ones playing this game, but with years of experience they are ahead of the pack.

They often target the largest companies: Amazon, Apple and Netflix, to name a few.


They often rerun the same campaigns with great success.


The Netflix scam
The 2020 Netflix scam resurfaces.

The devil is in the details. Examine all links with great care. Or you can just not answer any email, text or call. Warranty anyone? 

Some are easier to spot. Best Buy and spot gold.






You can always go back to a landline, otherwise examine all links and go directly to the company.
The above spoofs are all pedestrian, at best. The better spoofs have been withheld to avoid duplication.

The spoofed email is still the number one way for a cyber criminal to gain entry to your system.
Stay safe online and off.



The Cyber Show
by Dominic Alvieri
Twitter, @AlvieriD



Tuesday, March 16, 2021

What the Spoof

All Spoofs All the Time. 

By Dominic Alvieri, @AlvieriD
March 10th 2021



The Cyber Show by Dominic Alvieri



Everyone wants something for free.



Free Netflix and Hulu for a year?


Free Netflix and Hulu for a year to help us stay home? 

Forget about that; the BMW lottery came in, and there is some alert in France?







All of the following offers are coming from China. 



Spoofed SMS texts


Fake USPS delivery notices continue.




Fake USPS delivery notice.

Fake USPS SMS spoofs coming from China.


------.py


Free Netflix for a year to help you stay home.



This is a Netflix spoof.


Free Hulu for a year to help you stay home?

Is it Netflix or Hulu?





The new short domain attack continues.



                                  DO NOT

                               [click here] 









Spoofed emails have been around since the beginning of the internet. Spoofed SMS texts have been proliferating in the past few years. Knowing the domain endings is critical: only the registrable domain at the right-hand end of the hostname tells you who owns the link, and a brand name can be parked anywhere to the left of it. Newly created short domains keep popping up from the same group.

Call it technological reverse psychology: track the bad guys back. The building below is from Google Earth, at the address that the malicious link's IP geolocation resolved to. (IP geolocation points at the hosting provider's registered location, not necessarily at the attacker.)



Geolocation of malicious SMS texts.
Geolocation of malicious SMS text links.


Time to harden your network security. Use a VPN and encrypted communication such as Signal to minimize your exposure. Use MFA, and prefer authenticator apps such as Google or Microsoft Authenticator (or a hardware token) over SMS codes, which a SIM swap defeats. Incognito mode only keeps history off the local device; it is not a security control. Tor is acceptable but slow. Nothing is foolproof. Check your home router and make sure to disable port forwarding and Universal Plug and Play (UPnP), otherwise you are leaving a back door open.

IoT devices should be secured. Check for open ports, default passwords, and any and all updates and patches. Patch early and often. Do not hesitate. Within 12 hours of the Microsoft Exchange Server hack, Russian bad actors were scanning for the vulnerability, according to Bad Packets, a firm that monitors malicious scanning.

Security minimums are no longer effective. Update to longer, more difficult passwords and do not click on any suspicious link. Or avoid all links. Not realistic, but you get the point.

This IP, showing "no site", is where the spoofed USPS SMS link above in this report resolves.



IP address of SMS text malicious links.
Courtesy of DomainTools.



The enemies are at the gates, computers, networks, phones...








The Cyber Show on Google Blogger
by Dominic Alvieri


Twitter @AlvieriD

Sunday, August 2, 2020

2 Bitcoin Thieves



By Dominic Alvieri @AlvieriD

Please return the original Bitcoin stolen and keep the balance.

I wish it was just 2 Bitcoin thieves.

Dominic Alvieri, The Cyber Show.

Year after year I have had Bitcoin and other cryptocurrencies stolen. Every year they keep rising.

Year after year I have had my identity stolen as well. Send another email. Write another letter. Not this year. I have been fighting back. Cybersecurity has to be active, not passive. National, corporate and your personal future are at stake.

Year after year I keep waiting for something to be returned. Keep waiting. I am done waiting. Year after year I have skilled up.

 

With the onset of the pandemic, I was struck again. SIM jacked, May 22nd, 2020, at 2:58 am EST. Every account compromised after the first 3 minutes. Cryptocurrency accounts were the first to go. Why? So easy. So fast. Gone before you know it. Out of your account and into another, and probably off to an illegal mixing service with attempts to hide the ownership trail. It can still be traced, but that is not for the faint of heart.


Cold storage. What? A term many associate with food is actually one of the few safeguards you have with Bitcoin, cryptocurrencies and certain other assets. Cold storage is keeping your assets offline. Not just cryptocurrencies, but other assets as well. Do not have all your bank accounts online. I strongly suggest it. It saved what little I had left. The national idiots are easier to catch. Once again, try reporting a cybercrime overseas. Good luck in some cases. Keep waiting. Keep getting frustrated that your investment that was stolen continues to rise.


Die Cyber Show, German for The Cyber Show ad.

I have a more detailed article on Bitcoin coming up. This is not investment advice. This is just my personal opinion. Store of value? Not unless you store it offline. No one says that. I am telling you. This is not an investment blog, just information and my opinion. Merchants do not want to participate in Bitcoin due to the volatility and ease of theft.

Put it on the Blockchain. If you hear someone say that, they do not know what they are talking about. Technology evolves daily. There is not just one Blockchain and it is not just for cryptocurrency transactions. That is another issue. But you have the clue.

 

Bitcoin and other cryptocurrencies have continued to rise since the years they were stolen from me. I have now officially had more cryptocurrency stolen over my lifetime than I have made in cryptocurrency investments. Trace back the $25k in Bitcoin stolen years ago. That alone should be over six figures. Hope the thief has enjoyed it. Probably spent it years ago.


How would you feel? Why don't we ask the poor people who got scammed out of Bitcoin in the Twitter hack a few weeks ago. I was one of the first to report and confirm that. Twitter did a great job, as did Coinbase, a US-based firm. Facts. How would you feel having your stolen investments go up while you just write a letter and send an email?

 

Le Cyber Show, French for The Cyber Show, by Dominic Alvieri

We are Americans, not American’ts. Be careful with your assets and your social accounts. Most importantly, your phone. Watch what you put on it. Watch what access you give to your data. Use 2FA and biometrics. Layer your protection. It can happen to you before you finish reading this blog.  

What have you done during the Pandemic?

I am not a writer, but I am writing a blog. I am not a YouTuber, but I am making videos. I am alive. There is always hope. You can take everything and I will still build again. Protect yourself. This is what I am doing. I'm fighting back.

Independent Security Researcher.   @AlvieriD

 

Dominic Alvieri, Independent Security Researcher.

 

                         
