Forum Thread: Real world applications?

Hey all,

A standard competitive robot used in an FRC robot competition contains a router (often no encryption) that acts like a bridge between the robot and a driver station. This driver station is typically a simple 2go computer practically confined to controlling the robot.

The setup can be found here:

http://www.usfirst.org/uploadedFiles/5-FRC_Control_System-Configuration-0-5c.pdf 

With the actual router configuration here:

http://www.usfirst.org/uploadedFiles/Robotics_Programs/FRC/Game_and_Season__Info/2011_Assets/Kit_of_Parts/How_to_Configure_Your_Radio_Rev_A.pdf 

As a team, we were all joking around about using our robot offensively and Denial of Service attacking an opposing team's router or taking control of it/sending commands to it.

Excuse the nubness, but is it still possible to do anything if the router does not act as an AP, but rather just takes traffic from a driver station? Even when working, the router does not show up on any other computer. Would it still be possible to manipulate traffic?

7 Responses

First of all, I love this question. This is great.

Second of all, yes. I think you could devise a VERY creative and lulzy solution for this.

If there is no encryption, what kind of authentication is it using? You said it does not show up on other computers, as in you can't pick up the wireless packets or it doesn't show up as a node on the wired network?

I don't have a good answer right away, but I want to take a look at your links and learn a little bit about its setup. I think this would be very interesting.

I'm not exactly sure what authentication it is using. To upload code to our robot, we hook an Ethernet cord from a normal computer to the driver station, which then wirelessly communicates with the router on the computer. Being a nub (only having BackTrack 5 on a live USB) I haven't tried to pick up wireless packets because I can't figure out if my laptop's wireless card can. I meant to say that it does not show up as an AP.

It looks like (from a quick, tired-eyed scan of the first few pages of that manual) the DS is using a MAC address to send frames with the commands encapsulated inside. There are a few attack vectors on the data link layer that might be useful, though I have never seen a 'proof of concept' with a robot!

I am going to read those links and get some sleep. Is this with some friends, where being caught is not critical, or is this going to be deployed to win? I only ask as it limits what options you might have (i.e. can you bring a laptop in there, are other people sniffing packets for cheating, etc.). If you do a netstat or something equivalent to it, what do the robot and DS show up as?

Are you controlling it live from the computer that is hooked up via Ethernet or uploading the commands and letting the robot sort it out?

I do not have any information on whether this kind of stuff is being tracked. I imagine it is not; having six teams compete at one time would make sniffing packets hectic at best. I'm going to a mock setup tomorrow, so I will be able to see the exact setup of a competition soon. I am quite sure that it is possible to bring a laptop in.

As one would imagine, getting caught would be very detrimental. Our team has a robot that has been worked on for about 5 1/2 weeks and has had a lot of work put into it; I have no doubt that we are going to do fine without cheating. This was more of me seeing an interesting situation after reading several books on the topic of wireless security.

I unfortunately do not know what netstat is, and thus have not tried it on our robot; but I remember a member of the team being able to "ping" parts of the robot (from my computer using cmd), including the router located on it, by hooking up my computer (Ethernet connection) to the router that the driver station uses.

It looks like each team has its own network, or am I wrong there?

Also, it doesn't seem like any of the team networks are connected to the actual Internet, so any approach would have to either be from their network, or fooling the robot into thinking your forged frames were legit. I think that rules out any kind of realistic DoS attack, leaving us with hijacking sessions.

You are absolutely right; the computers are not connected to the actual internet, just its own network. Each team has its own driver station, which it controls its robot from.

Since there are two routers communicating (the one on the driver station and the one on the robot), would it be possible to change MAC, or somehow spoof being the driver station router?

Clarification: I was told by a member that directly connecting to another team's network is only possible at a non-competition "scrimmage" with the other team not being smart enough to have a password on their router. At a competition, the 2go computer is connected to routers provided by FRC, which then connect to the robot's router.

Yep, that's along the same lines I was thinking. Without access to their network you can't perform any kind of denial of service using normal means, and it sounds like the FRC routers would have security considerations taken as well.

I imagine (though could be wrong as I am unfamiliar with the config of their routers) it would be just like hijacking a wireless session at the airport. You would have to sniff the packets in the air to get the MAC addresses first though. You could pull that part off with someone in a car parked close to the building perhaps. With no AP you would need to know the SSID and channel, but it looks like they use team names for that.

How automated are the robots? How much real-time control over them do you have in a match?
