Drones as Cyber Weapons: A Reality, Not a Hyperbole

Image

On the aftermath of the Mati wildfires in Greece that killed 100 people, the Greek Fire Department spokesperson made an announcement on June 2018, stating "Any manned and unmanned aircraft systems flights in an area of operations is a serious infringement and creates safety risks for flights. Any breach entails criminal and administrative liability. Excludes flights made with the permission of the Civil Aviation Authority and the approval of the Fire Department." Two months later, on September 2018, the US Federal Aviation Authority issued a similar warning that “drone owners and operators may face significant fines if they interfere with emergency response operations in the areas affected by Hurricane Florence.” The statements above highlight the efforts that entities around the world are taking to address the dangers posed by unmanned aerial vehicles to airspace safety. According to DHS and NASA, the number of commercial drones in the U.S. airspace is estimated to grow to more than seven million in the near future. When so many drones fly in the air, the potential to create serious safety and security issues is high. To confront this risk, NASA, the Federal Aviation Administration (FAA) and industry have partnered to develop a capability to manage national airspace drone traffic called the Unmanned Aircraft Systems (UAS) Traffic Management (UTM) infrastructure. A cloud-based software architecture, the mission of UTM is to organize the flight of drones registered with the FAA. You can think of it as an air traffic management system, but automated and in the cloud. Anyone flying a commercial drone will need to submit flight intent to other users and receive authorizations for specific access.

Drone Security Challenges

In accordance with DHS, commercial drone flights “produce challenges for law enforcement as they try to identify and interdict illicit activity.” This “illicit activity” surfaced after the chaos at Gatwick airport just before Christmas 2018 when the airport closed down due to unknown drone flights. In view of this chaotic situation, the terrorist Islamic State launched a new propaganda campaign against the West, threatening U.S. and EU cities with drones. Let us not forget that the Islamic State has a long story using cheap, commercial-off-the-self drones to launch offensive operations against U.S. Forces in Iraq and Syria. Hijacking of drones is doable considering the technology behind commercial drones and how they are being controlled from the ground. Recognizing this possibility, DHS stated that “Given their rapid technology advancement and proliferation, the public safety and homeland security communities must address the fact that drones can be used nefariously or maliciously to hurt people, disrupt activities and damage infrastructure.” So the question that arises is this: what are the drone cybersecurity risks and threats, and how can we mitigate them?

Cybersecurity Risks of Drones

Commercial drone technology is an emerging sector within IoT. As such, the risk of hacking could cause data breaches as well as pose a major risk to public safety. However, as it happens with many IoT devices, security is often an afterthought, leaving many drones vulnerable to hackers. Malicious actors can use commercially available tools to hack the drone and control it in order to perform their nefarious actions. The Department of Homeland Security and insurance company Allianz have highlighted the cybersecurity risks of commercial drones in two separate reports. Most commercially available drones are operable through applications that run on a user’s phone, tablet or computer. These apps allow the user to manage and pilot the drone and to receive data such as video or images. Drones are also equipped with USB ports that allow the transfer of recorded data. In accordance with the DHS report, commercial drones can thus be vulnerable to exploitation since they communicate with their operators using unencrypted means such as radio, WiFi or GPS. This can allow a malicious actor to intercept and review data sent to and from the drone. (It is important to highlight that this is not the case with military owned drones, where the communication between the ground control and the drone is secured through hardware or software encryption.) Security analysts have demonstrated the ability to hijack and take control of a user’s drone while on orbit, including drones designed for commercial industry and first responder use. Once hijacked, the malicious actors can extract data from the drone including flight path and any images or video being taken. What is worse, they could also control the movements of the drone, thereby posing a physical danger to nearby aircraft and personnel, as it has been reported by FAA. Exploitation of drone vulnerabilities could facilitate physical access to networks and equipment within critical infrastructure sectors and, hence, facilitate the extraction of information from systems they could not otherwise access due to range limitations. Drones also provide a level of anonymity to the intruders because of the vast numbers of privately owned drones and because of the fact that drones are almost undetectable. Furthermore, researchers highlighted the risk of penetrating highly secure critical infrastructure, such as nuclear facilities, in its recent report. Their research is based on security incidents in France involving drones that made flights in restricted airspace over 13 nuclear power plants in a coordinated and organized manner, sometimes simultaneously over plants that are hundreds of miles apart. Finally, researchers have demonstrated that drones can be used to wirelessly compromise access points and unsecured networks and devices. For instance, in 2016, researchers in Israel flew a drone outside of an office building and were able to infect smart light bulbs installed within the building by exploiting a flaw in a radio protocol called ZigBee, which is used in home consumer devices. You can just imagine the consequences of such an attack in cities like New York or Paris.

Mitigation

The legislation being introduced for drones focuses on flight safety. However, it is equally important to secure the communications between the drone and the ground operator. DHS offers some valuable mitigation strategies. Securing wireless networks and devices can minimize the vulnerabilities that malicious drone operators could exploit. Mitigation practices can follow a “defense in depth” approach and should include installing updates and patches as soon as they are available, changing default passwords, restricting access, encrypting data and installing host-based firewalls. In addition to securing wireless networks and devices, operators can also ensure that their drones have the minimum necessary privileges, minimize access to other networks and encrypt data.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.