Full Report
Hello from Las Vegas! Yesterday (ed: uh, last week, my bad) I gave a talk at DefCon 22 entitled ‘Practical Aerial Hacking & Surveillance’. If you missed the talk, the slides are available here. I’m also releasing a paper I wrote as part of the talk, entitled ‘Digital Terrestrial Tracking: The Future of Surveillance’; click here to download it. Whiskey shot!

The Snoopy code is available on our GitHub account, and you can join the mailing list here. Also, congratulations to @AmandersLPD for winning our #SnoopySensor competition! You can see the output of our *amazing* PRNG in action below:

I’ll update this post to point to the DefCon video once it’s released. In the meantime, the specifications of the custom quadcopter I had on stage are below:
Analysis Summary
# Tool/Technique: Snoopy
## Overview
Snoopy is associated with the concept of "Practical Aerial Hacking & Surveillance" and is presented as code available on GitHub, likely related to or controlling the custom quadcopter used in the presentation. The context suggests it is part of a system for aerial surveillance or hacking demonstrations.
## Technical Details
- Type: Tool / Custom Codebase (Likely related to C2 or payload execution on an aerial platform)
- Platform: Likely targets embedded systems on Unmanned Aerial Vehicles (UAVs) such as the custom quadcopter mentioned (which uses a BeagleBone Black as a payload).
- Capabilities: Includes code for a system that operates on an aerial platform, potentially for data exfiltration, tracking, or other surveillance functions, demonstrated with an "amazing PRNG."
- First Seen: Associated with a talk at DefCon 22 (August 2014).
## MITRE ATT&CK Mapping
*Note: Since Snoopy is described as proprietary code for an aerial surveillance platform, direct mapping is based on the implied surveillance/hacking function.*
- [TA0001 - Initial Access]
  - [T1185 - Drive-by Compromise] (if used to deliver payloads aerially)
- [TA0007 - Discovery]
  - [T1441 - Network Service Discovery] (if used to enumerate local networks via the aerial platform)
- [TA0008 - Lateral Movement] (unlikely, but possible if used to pivot from the aerial asset)
- [TA0009 - Collection]
  - [T1119 - Automated Collection] (if Snoopy automates data gathering/surveillance)
- [TA0011 - Command and Control]
  - [T1433 - Application Layer Protocol] (dependent on the communication mechanisms used)
## Functionality
### Core Capabilities
- Aerial surveillance or hacking demonstration platform control.
- Execution of code/functionality housed on the BeagleBone Black payload.
- Features an "amazing PRNG" (Pseudo-Random Number Generator), likely used for obfuscation, key generation, or randomized tracking/communication.
### Advanced Features
- Integration with custom hardware (DJI F450 quadcopter, APM 2.6 FC, BeagleBone Black payload).
- Capabilities related to "Digital Terrestrial Tracking."
## Indicators of Compromise
- File Hashes: N/A (Code repository link provided, specific hashes not present in the text.)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Specific payload/C2 indicators are not detailed, only associated hardware is listed.)
- Behavioral Indicators: Execution context on an airborne platform leveraging components like a BeagleBone Black.
## Associated Threat Actors
- SensePost Research Team/Individuals presenting at DefCon 22 (Authorship context).
## Detection Methods
- File/Code Signature detection targeting the "Snoopy" codebase (if signatures for the GitHub repository become available).
- Behavioral detection for anomalous activity originating from or controlled by an aerial platform (e.g., unusual sensor usage, unauthorized data transmission initiated by the BeagleBone Black).
- YARA rules: N/A
## Mitigation Strategies
- Physical security measures against unauthorized deployment of aerial vehicles equipped with compute payloads near sensitive networks or installations.
- Monitoring RF spectrum around critical assets for control signals associated with the specified radio equipment (Turnigy 9x, HawkEye 1W/RX).
- Monitoring for unusual data transmission volumes from known UAV footprints.
## Related Tools/Techniques
- Digital Terrestrial Tracking (The accompanying research paper topic).
- Aerial Hacking/Surveillance techniques demonstrated at DefCon 22.
- Specific UAV components used (e.g., APM Flight Controller, BeagleBone Black).