Archive for April, 2015

Precision guided counter-UAV solutions, a thought piece

April 19, 2015 2 comments

Most counter-UAV techniques are illegal or very closely regulated outside of a war zone. The proliferation of consumer and commercial UAVs is prompting people to consider ways to disable them or take them down outside war zones. So far, we have seen shotguns, brooms and even kangaroos. How about some more precise options?

What follows is a thought exercise. Jamming, firing weapons indiscriminately, and even taking down a UAV with a net are all likely to be illegal wherever you might be reading this.


Most UAVs are controlled by a pilot using a radio transmitter or by a ground control system that instructs the UAV to fly to a particular set of waypoints. It is possible to jam the control signal, monitor the data channel, and even hijack the UAV. (A subject for another post.) This activity is certainly illegal.

A simple physical approach:

Acquiring and targeting a small UAV in motion with the Mark 1 human eyeball is tough. Attempting to shoot it down with a normal firearm is harder still. Doing so would violate several fundamentals of firearm safety:

  • Always keep the muzzle pointed in a safe direction
  • Be sure of your target and what’s beyond it.

If you really want to physically take down a UAV using a projectile weapon, consider using a net gun or a paintball rifle. (More on that later.)

Automatic targeting:

Let us put aside “how to bring down the UAV” for a moment and address UAV detection. There are commercial solutions in this space and interested parties should explore those options for definitive, professional solutions. For the sake of this exercise, lets consider something like the Bluetooth Sniper Rifle.

Many consumer UAVs use 2.4GHz for command & control or data links. Such a “rifle” should detect a UAV using 2.4GHz at long range. Mount such a device on a tripod with a gimbal driven by a system that can point the detector in the direction of maximum signal strength. (Exercise left to the reader, as my professors used to say.) This provides a bearing and elevation from your location to the device you are targeting. You’ll have to spray the air space with rounds as you don’t have range information to provide a precise targeting solution but you could have the paintball gun fire in a pattern to place shots around the target. A few paintballs in the rotors should do the trick.

Now, tie two or more of these targeting systems together and you’ll have bearing, elevation, and range to the target. If you know the ballistics of your paintball rifle, you could probably place some pretty precise shots rather than spraying the air. It has been awhile since I used a paintball rifle but I recall that figuring out the trajectory of a paintball round was quite difficult.

[If anyone wants to try building this, please let me know and I’ll help.]

TrackingPoint – a precision solution:

TrackingPoint has a commercial solution for calculating targeting solutions for rifles, what they call “precision guided firearms”. Their solution uses a human to acquire and mark the target and then fire the round. Once the human marks a target, a computer tied into the rifle calculates the appropriate solution and guides the human to make the precise shot.

So the system takes targeting information in electronic form and uses it to provide a targeting solution. Can’t we take the targeting data from something similar to what we postulated above and use it to guide the human? I imagine so. (I asked TrackingPoint about this possibility and received no response.)

Keep the human on the trigger and use frangible, rubber, or other non-lethal rounds. You may have a long distance, precise, counter-UAV solution.

Categories: UAVs Tags: ,

Outline of Upcoming Presentations on UAV forensics

I will be presenting on forensic analysis processes and techniques at the following conferences this summer:

BSides NOLA – May 30th, 2015
HTCIA/ISSA in Los Angeles – June 4th, 2015
SANS DFIR Summit in Austin – July 7th & 8th, 2015
HTCIA Orlando – August 30th – September 2nd, 2015

To whet your appetite for the presentation, here is an outline of the talk. You’ll note that we cover everything from why you should be interested in this material to an overview of a typical UAV to an analysis process to specific analysis steps for each component to real time analysis techniques.

Read more…

Categories: UAVs

Frontier blocking access from Mediacom

April 10, 2015 3 comments

Update: 5 days later. Frontier still can’t tell me anything, but they asked me to check with Mediacom. Mediacom agrees, Frontier is dropping the traffic, it is Frontier’s problem.

Hey David,
Thanks for contacting us via email! I'm sorry to hear about the issues you're encountering when trying to access Looking over the trace route since it's dropping on Frontier's end there is not much we can do from our side. Since you've already submitted a ticket with Frontier the best option would be to wait until they can resolve this issue. If you have any other issues or questions feel free to contact us again here!

Update: 12 hours later, Frontier still has no explanation for their apparent blocking of Mediacom IP addresses:

Ask Frontier @AskFrontier
@dckovar Hi David, I wanted to let you know that we are still investigating this for resolution. -KH

Original post:

I’ve been trying to pay my Frontier phone bill for a week now. Sure, I could use a check, but this is the age of the Internet and I’d also like to set up automatic billing.

But I cannot get to For days.

It finally dawns on me to do a traceroute:

traceroute to (, 64 hops max, 52 byte packets
 1 ( 2.671 ms 0.996 ms 1.035 ms
 2 * * *
 3 * * *
 4 ( 119.509 ms 12.377 ms 16.368 ms
 5 ( 29.432 ms ( 19.789 ms 14.916 ms
 6 ( 25.615 ms 25.803 ms 25.520 ms
 7 ( 33.190 ms 39.948 ms 31.791 ms
 8 ( 31.831 ms 30.923 ms 35.987 ms
 9 ( 35.811 ms 32.269 ms 31.755 ms
10 ( 96.169 ms 173.662 ms 31.426 ms
11 ( 29.736 ms 29.467 ms 28.955 ms
12 ( 31.577 ms 33.271 ms 38.361 ms
13 ( 44.077 ms 46.896 ms 44.600 ms
14 * * *
15 * * *
16 * * *
17 * *^C

That is via a Mediacom connection. I switched over to a Frontier connection that I happen to have handy and ran the traceroute again:

traceroute to (, 64 hops max, 52 byte packets
 1 ( 3.033 ms 2.051 ms 1.182 ms
 2 ( 25.556 ms 27.117 ms 24.808 ms
 3 ( 23.762 ms 35.961 ms 23.907 ms
 4 ( 38.245 ms 37.857 ms 36.997 ms
 5 ( 91.912 ms 37.640 ms 27.502 ms
 6 ( 115.455 ms 38.203 ms 38.660 ms
 7 ( 36.852 ms 41.143 ms 36.730 ms
 8 ( 38.250 ms 41.218 ms 37.705 ms
 9 ( 42.477 ms 37.212 ms 38.697 ms
10 * * *
11 * * *
12 ( 38.683 ms 38.508 ms 38.329 ms

It seems that does not accept traffic from a Mediacom source.

I’m sure this is legal, but it certainly makes me rethink using Frontier for any services.

Categories: Random Musings