VEX Cortex Wireless Attacks

[Tylor B.]

Hello people,

     I was recently doing some work with those VEX Robotics wireless control robots and I had some ideas about packet sniffing attacks, replay attacks, man in the middle attacks, and de-authentication attacks. The robots use the Vex cortex, which has a wireless adapter through a USB port, it says that is is 2.4 GHz, and another USB wireless adapter is plunged into a controller, like a joystick. My school did a competition with these robots, and it ended last week, now we are doing another thing just as a school, they said we were doing battle bots. When I did some research I hadn't seen anybody do anything like this and I though I would look into it.

When I was doing research I found that, the robots don't use any encryption it is end to end, the controllers or create there own network an access point that the robot connects to, the network it creates is hidden it does not broadcast its SSID and has to be pared with the cortex, they are 2.4 GHz, they all have independent channels or mac addresses (many can operate at the same time without interference). The first thing I though of would be a deauth attack, where I would send out deauth frames to disconnect their robot from the controller from the cortex leaving their robot powerless, I was tinging I could do this with Aircrack-ng, put my wireless card into monitor mode with airmon-ng, find the mac address and channel of the robot with airodump-ng, deauth with aireplay-ng. The next attack I though of was if I could intercept packets from the remote to the cortex and either replay them to keep doing an operation or send in my own by finding out what commands correlated to what packets and injecting them while impersonating the robot. I have not done much with packet sniffing/replay/injection if anybody knows anything on how I could do that? or if anybody has done anything with these robots? or if you have any ideas on wireless attacks? I am all ears and I would love help and suggestions, this seems like a really cool project. I would love to hear your thoughts, thank you

[$tRizZy]

I was thinking about the same thing, didn't think anybody was as bored in robotic class as me but here you are. im a noob when it comes to any of kali and pen testing and all that fun stuff but im trying to learn. id love to hear whats possible because were about to go to competition and it would be pretty funny if i could jam the other team up. 

[HeavyVin]

I would check the rules for the competition but if you're just with your school I would use a directional antenna so you only sniff packets from the bot your trying to attack. It could be hard to know which ap is them otherwise.

I love the vex system but I was always unclear what channels they were on. The ones I used to mess with where radio and they had these "crystals" which were little chips to set the frequency. This new wifi system sounds intriguing but would most likely be vulnerable to most of these attacks.

 

I think it would be fun to watch a team lose control over their bot and you just drive in into the wall. I once made a bot that would go after the cabling and disconnect as much as it could. This would be a level up from that. Let us know how it goes.

[Tylor B.]

Okay, I was looking at this attack more, first I fired up a wireshark, and listened while I turned on on off the robot, pair and disconnected them, and sent controls. I was able to find lots of garbled packets, things that were kinda regular with off/on actions, I was doing this at school where the network situation is terrible, there was a lot of background noise, and it was hard to find what was VEX and what was not. When we were at competition our robot did end up disconnecting during the match, and they just said too bad, you do not get any points this round because the protocol is bad, and that took up from 3rd place to 5th and top 4 advance. We think this is because interference with other robots, with like 20 teams they started disconnecting, this makes me think they may only have one mac address just on different channels or subsets? this makes me think a deauth attack would work, and I will look into packet attacks, man in the middle attacks, arp DoS, deauth DoS, and hopefully the take another robot/replay attacks! 

[HeavyVin]

4 minutes ago, kamalkachize said:

I had problems with my partner and I wanted to read her phone and whatsapp messages.
 I hired a hacker from https://goo.gl/BmZ63U and I got what I wanted at a reasonable price

1

This really is not the place for those advertisements.