As Christmas approaches, and in this Age of Technology, there is simply no doubt in my mind that the majority of us will be shopping for the latest and greatest toys, gadgets and general stocking fillers for our loved ones. There is also no doubt that some of the purchased gifts will contain electronic circuitry, chips and I/O interfaces to entertain both young, and old minds alike. Toys to some, however, may be a potential weapon to others.
Take the average modern PC or laptop—in the right hands, it is an instrument of meaningful fun, entertainment and/or production. But in criminal or mischievous hands, it can be leveraged toward a host of activities, ranging from cyber bullying, hacking, terrorism, circulating child abuse images, and even offering up the potential to participate in taking down some unfortunate organisation on the internet with a DDoS attack—just for fun, or as part of a more malicious and malevolent act.
I like to try to stay in front of the curve of new and emerging threats, and so for the last six months I have been very interested in the new-age threats, which arrive in the form of big-boys-toys in the more physical sense—toys that take us outside to play, and to help us while away the time.
Technological toys were once unimaginable to myself when I was a young lad, which only existed in the writings and mind of H. G. Wells. But these are toys that can also be employed to serve up a very malicious purposes to kill-on-mass, maim, and in their lesser aggressive guise, conduct discreet and covert surveillance and recognisance. Have you guessed yet? Yes, I am talking about those must-have drones.
Now having experimented with a number of models, I can conclude that these toys can serve as a perfect economical weapon to deliver payload to an unexpected target in the form of say a small explosive, which could be remotely detonated, through to the transportation of toxic, or ‘BC’ [Biological, Chemical] agents which could be deployed to an awaiting, and captive audience. In fact, the possibilities to leverage such a toy for the purpose of a malicious act are actually only limited again by the imagination of the attacker.
To get into the real-time mode, let us understand the implications of the near-miss, which occurred on July 22, 2014, when an Airbus A320 had a close call after it was confronted with a mini-drone. Then, take this to the next level. Given on this occasion, the aircraft was only flying at 700 feet, and with these toy-drones, which can have operational capabilities of up to one hour flying time, with a control rage of one mile, maybe we can start to see the threat implication.
Now, imagine a set of would-be attackers locating themselves on, or close to the threshold of a major airport. Here the risk rating really does start to look significant. Add to this scenario the fact that these drones could be augmented with small containers of say inflammable materials, and we can visualise the potential severity of the implications, and potential use of subverted groups who are hell-bent on making a statement.
But then – what if we are looking to get close to an intended desk-bound target on the 17th floor. Again, such toys as these can offer the opportunity to fly outside the window, or even to fly directly at the intended target to deliver some form of small, on-impact-on-boarded-explosive.
Let us also look back at a real-life event in which a small drone entered the close proximity of the German Chancellor Angela Merkel. Agreed on this occasion it was just a nuisance prank, but think about the implications of say a HALO (High Altitude Low Operation) attack, which could have been carrying some form of adverse payload. As I said, it is the imagination that is only the limiter as to how such a toy could be used!
We then come to the lesser capabilities of gathering intelligence. Here we are seeing the use of highly functional tools enabling the would be miscreant with the cut-down powers as are used by the larger security agencies – falling into the hands of attackers, to conduct recognisance, and other such activities of meaningful surveillance.
The real point of this is, we have just entered an era in which low cost technology, and toys can now offer up real-time capability to kill, injure, disrupt, and view their intended target, or targets in support of criminal or terrorist operations. Thus, given such a threat is now in existence, and no doubt will be leveraged at some point-in-time in the future, we now need to start thinking about the mitigations, defences, and safeguards to protect against such potential threats.
Maybe the answer is placing some discreet physical netting around high-risk areas to block the potential of any intended craft flight path. Or is the answer to deploy systems which will cause an effective emission of an electronic spectrum to flood the close proximity of promiscuous airspace, thus to assure that the intended area is electronically sanitized against the possibility of any aggressive air-born signal having any control effect over is distant craft?
Or is it that with such toy-drones there will need to be an associated licence required to both purchase and operate such a device? Or would it be justified on security grounds to ban any such toy crafts, or even futuristic unmanned, and commercial carriers be banned from flying in Designated Restricted Zones (DRZ), such as London, and other high-value commercial areas?
Or would it be realistic to impose limitations as to what range a craft may be flown at without some form of qualification? I agree, overall indirect protection, but at least it is something to think about in an attempt to drive a modicum of security, and to reduce the potential unfettered access to take flight, devoid of any restrictions.
There is, however, no doubt in my mind whatsoever that we will see such tools harnessed to accommodate an aggressive purpose, and in my humble opinion we need to start thinking now about the defences – before we witness the employment of these toys in anger against some unsuspecting innocent target.
About the Author: John Walker is a Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), CTO and Company, Director of CSIRT, Cyber Forensics at Cytelligence Ltd., Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts,and is a Certified Forensic Investigation Professional.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Image courtesy of ShutterStock.