As digital circuitry and wireless technology become an integral part of increasing numbers of consumer and industrial goods, the opportunities available for cyber-criminals to compromise or exploit these items grow in tandem.
Unmanned Aerial Vehicles (UAVs) or drones are now being looked upon as an emerging security issue in this respect – both as targets for cyber-attack, and as potential attack vectors for malicious actors themselves.
An Expanding Range of Influence
Following their successful deployment in military and intelligence applications, drones have seen rapid adoption in the commercial sector, with unmanned aerial vehicles acting as a supplement or substitute for traditional modes of delivery. Retail outlets, food chains, and restaurants are now routinely using drones to fulfill customer demands for high-speed service.
UAVs have been successfully deployed as crucial links in supply chain logistics for the pharmaceutical industry, enabling delivery of fresh blood plasma and essential drugs to remote regions inaccessible to other forms of transport. Drones have also proven their value as reconnaissance and delivery agents in the health care and emergency services sectors.
In agriculture, drones are being used to chart patterns and success rates for irrigation, and to monitor the health of growing crops via infrared and other technologies. Video and still cameras mounted on UAVs provide promotional imagery for the real estate market and innovative angles for documenting sporting events and other public gatherings.
And with U.S. trade group The Consumer Technology Association and the Federal Aviation Administration (FAA) confirming sales of anywhere from 400,000 to one million UAVs to the Christmas holiday consumer market last year, drones are fast becoming a household item.
Susceptibility to Compromise
Unfortunately, “widespread” doesn’t necessarily equate to “safe to use”. Many UAVs have inherent and potentially serious design flaws, several of which were showcased in 2015 by security researcher Oleg Petrovsky at the Virus Bulletin conference in Prague.
Analysis of the configuration and flight controllers/microprocessors of several popular multi-rotor UAV models revealed weaknesses in two places: the telemetry links streaming data to and from a drone via serial port connections (where information could be captured, modified, or injected), and the UAVs’ connections to their ground station interface (whose data link could be spoofed, enabling hackers to assume complete control of the vehicle).
Protocols implemented on the ground station applications enabling communications with the UAVs (and permitting users to pilot them via wireless remote control) were found to be unsecured, allowing hackers to install malware on the systems running the ground stations. In addition, the telemetry feeds used in monitoring the vehicles and facilitating information transfer through wireless transmission were vulnerable to interception, malicious data injection, and the alteration of pre-set flight paths.
Considering that all the models tested routinely fly pre-programmed routes (as do drones used in product delivery, courier services, and for some military applications), such manipulation could potentially have alarming consequences in the field, ranging from the theft of high-value cargo to product tampering and the redirection of UAVs for the delivery of explosives, biological weapons, or other terrorist payloads.
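As an added illustration (not code from the original article, the researcher, or any UAV vendor), the Python below shows what the unsecured telemetry links lacked: a receiver that authenticates each frame with HMAC-SHA256 and a sequence number, so modified, injected, and replayed frames are rejected before a waypoint is acted on. The frame layout, message type value, and key are assumptions made for the example; it does not address interception, which would need encryption in addition.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                      # HMAC-SHA256 output size
HEADER = struct.Struct(">QB")     # assumed layout: 64-bit sequence number, 8-bit message type
WAYPOINT = struct.Struct(">ddf")  # assumed payload: latitude, longitude, altitude in metres

def seal(key, seq, msg_type, payload):
    """Sender: header + payload, followed by a MAC computed over both."""
    body = HEADER.pack(seq, msg_type) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Accepts a frame only if its MAC verifies and its sequence number is new."""
    def __init__(self, key):
        self._key = key
        self._last_seq = -1

    def open(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad MAC")             # modified or injected frame
        seq, msg_type = HEADER.unpack_from(body)
        if seq <= self._last_seq:
            raise ValueError("replayed frame")      # captured frame sent again
        self._last_seq = seq
        return seq, msg_type, body[HEADER.size:]

def demo():
    key = bytes(range(32))  # constructed demo key, not a real credential
    rx = Receiver(key)
    good = seal(key, 1, 0x10, WAYPOINT.pack(50.0875, 14.4213, 120.0))
    altered = good[:9] + bytes([good[9] ^ 1]) + good[10:]  # flip one latitude bit
    forged = seal(b"\x00" * 32, 2, 0x10, WAYPOINT.pack(0.0, 0.0, 0.0))  # wrong key
    results = {}
    for name, frame in (("good", good), ("altered", altered),
                        ("forged", forged), ("replay", good)):
        try:
            rx.open(frame)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```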
Concerns About File Transfer
The physical movement of drones is only one aspect of their potential vulnerability. The still image or video cameras routinely fitted to UAVs serve as a live link back to their operators – and enable drones to be used as highly maneuverable real-time “eyes in the sky”. This makes them ideal for officially sanctioned surveillance, intelligence, and espionage operations – which also renders the visual and location information they carry and transmit a high-value target for malicious third parties.
To say nothing of the privacy concerns – and the possible repercussions should drone surveillance operations be intercepted and exposed on public forums, in the media, and through other outlets.
Usage of Drones in Cyber Attacks – Wireless Vulnerabilities
Given their maneuverability, small size, and the fact that their combination of onboard processing power, photographic equipment, and connectivity makes them the equivalent of flying laptops, it’s no wonder that drones are now perceived as viable threats to information security.
Poorly secured or unsecured wireless networks are seen as particularly vulnerable, with attack scenarios envisaged where compromised or purpose-bought UAVs could be flown or discreetly landed in the vicinity of a hot spot, and used to stage Man-in-the-Middle (MitM), data injection, and similar attacks over guest and short-range WiFi, Bluetooth, and other wireless connections.
The success of such attacks might be bolstered by the fact that traditional security measures operate on the assumption that no one could get close enough to such short-range wireless connections to pose a serious threat.
Not Just Scaremongering?
The involvement of UAVs in security incidents has already moved beyond the notional stage to practical realities.
At the 2015 DEF CON event, security researchers successfully knocked a Parrot A.R.Drone out of the sky by using open WiFi and an open Telnet port to remotely terminate the process that makes it hover. And in early 2016, hackers at AnonSec claimed to have developed a method for gaining partial control over one of the Global Hawk drones used by NASA.
Meanwhile, researchers at the Singapore University of Technology and Design have devised a technique for using drones to orchestrate MitM attacks which exploit wireless printing networks on a corporate scale, to eavesdrop on print jobs.
The Flip Side: Counter-attack
As with so many potential attack vectors, unmanned aerial vehicles may feature as a weapon in the armory of both defenders and attackers.
For instance, the MalDrone backdoor malware kit has been developed as a universal hack, applicable to all makes and models of UAV. MalDrone silently interacts with a drone’s device drivers and sensors, allowing the user to hijack and control the UAV remotely. While a potential gift to malicious actors, the developers hope that MalDrone will be deployed by enterprises as a counter-measure against malicious or compromised drones which target their organizations.
Other counter-measures are more prosaic. Michigan Tech University and the police in Tokyo have deployed “drone catchers” – large drones fitted with nets to catch smaller ones – while a police force in Holland has been training an eagle to hook suspect drones with its talons.
It sounds laughable, but such outside-the-box thinking may be just what’s required in these comparatively early days of drone development. As the technology evolves and new opportunities for cyber-attackers present themselves, security professionals will need access to a range of measures – however bizarre on the surface – to combat a growing threat.