Blog entry by Bruce McPherson
Hacked drones are breaching physical and cyberdefenses to cause disruption and steal data, experts warn.
Drones are a growing threat for law enforcement and business security officers. In the run-up to Christmas 2018, rogue drones grounded planes at London Gatwick, the UK’s second-busiest airport. But increasingly, it’s not just the air traffic controllers sounding the alarms over drones; it’s also the cybersecurity community.
Drones are already being used as one component of cyberattacks, said Tony Reeves, a director at consulting and training company Level 7 Expertise, and a former officer in the UK’s Royal Air Force.
With drones costing from as little as $30 to $10,000 or more for specialist professional models, Reeves said, they can be used for any number of different styles of attack.
Low cost and easy to use, drones can deliver a “payload” to carry out surveillance, to capture data, or to disrupt networks. Making matters worse, drones are hard to detect and defeat, he said at the recent CRESTCon ethical-hacking conference in London.
Reeves’ firm is unusual in combining cyberdefense work with expertise in intelligence gathering and unmanned aerial vehicles, and plans to use drones as part of an ethical penetration testing program.
“Drones are disruptive, not least because they bring a rapid reduction in the skills operators need,” he said. “You would crash an old-style remote control plane in 30 seconds, if you had no training. But kids can fly today’s drones.”
Law-enforcement agencies and aviation regulators are increasingly concerned about the risks posed by drones. They pose an unacceptable risk to jetliners. The heavy lithium-ion batteries in drones could puncture the skin of an aircraft wing, or smash the blades in an engine. Groups in Syria and Iraq have used modified remote control aircraft as flying bombs.
Cutting Holes in Geofences
In the case of the Gatwick airport incident, UK authorities responded by deploying military antidrone defense systems. The details have not been made public, but essentially the deployment extends the no-fly area around airfields. One way authorities enforce these no-fly drone zones is with geofences, a type of software-level device programming that restricts where a drone can fly.
Off-the-shelf drones are being fitted with geofencing software, so that owners cannot fly them over airports or other restricted areas. DJI, the market leader, has geofencing for airports, prisons and nuclear power plants. Parrot, the No. 2 manufacturer, also has geofencing in its ANAFI software, but pilots can turn it off.
Rogue operators could, of course, build a drone themselves without any geofencing hardware or software. Or they could turn to basic hacks.
“We are seeing some leakage of tactics and information from Islamic State operations in Syria, where they defeated geofencing by denying the drone a GPS signal by wrapping it in tinfoil, and flying manually,” explained Reeves.
“There is a Russian website – on the open internet, not the dark web – that offers hacks for all DJI products. This apparently removes geofencing, altitude and speed limitations. If the Russians can do it, then it’s a fair call to believe that a committed Western hacker could do the same.”
“Equipment is now available to hack drones so they can bypass technology controls,” warned James Dale, a cybersecurity expert at PA Consulting, a firm with both aviation and cyber practices.
“There are now regulatory controls, in some regions, to force drone operators to use geofencing systems,” Dale said. “Yet, there are examples of online vendors selling software and hardware modifications for drones, which are designed to disable these ‘No Fly Zones’ limitations.” The threat from these hacks will only grow as regulators make more use of geofencing-based no-fly zones. Large sporting events or protests are just two occasions where regulators already restrict drone flights. They are likely to automate the restrictions if they can.
Some drone owners will view this as a challenge. Reeves categorizes these users as “disruptive enthusiasts”: drone owners willing to break the rules to obtain a cool shot or video footage. Other motives are more sinister and include crime, terrorism or nation-state actors such as intelligence services.
Spy in the Sky
Using drones is a low cost and simple way to gather information. Intelligence services can call on satellites and other high-end tools, but an off-the-shelf drone can capture video, photos and audio right out of the box. With a few modifications, a drone becomes an electronic surveillance tool, too.
“There are plenty of reports to be found of individuals or organizations building or modifying drones to carry RF-based payloads including Wi-Fi tracking, capture and access capabilities – predominantly using Raspberry Pi and WiFi Pineapple devices, but also 2/3/4G network devices,” explained Reeves. Bluetooth sniffing is also possible.
Putting a Wi-Fi access point on top of a building, or inside its perimeter, could allow hackers to listen in to data traffic. Drone operators could also drop a sophisticated microphone into a restricted area for eavesdropping, if technicians can overcome issues of power, weight and range. “Our judgment is that this is more the province of a corporate espionage operative than the average hacker,” said Reeves.
Security teams need to develop new techniques to monitor drones, and to keep sensitive information safe. Good IT security practice, including scanning for unauthorized access points, will help. But organizations will also need to look at everything from keeping window blinds closed, to how to detect and disrupt drones.
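One way to run the unauthorized-access-point scan mentioned above, as an added example that is not part of the original article: it compares a Wi-Fi survey against an approved inventory and flags corporate SSIDs broadcast from unknown hardware as well as unknown access points close enough to be on the roof or inside the perimeter. The inventory, the survey rows, the CSV layout and the -60 dBm threshold are constructed assumptions.

```python
import csv
import io

# Hypothetical approved inventory: BSSID -> SSID it is allowed to broadcast.
APPROVED = {
    "a0:b1:c2:00:00:01": "CorpNet",
    "a0:b1:c2:00:00:02": "CorpNet",
    "a0:b1:c2:00:00:03": "CorpGuest",
}
STRONG_DBM = -60  # assumed cut-off for "physically close to the building"

# Constructed survey export (not real data): one row per observed AP.
SURVEY = """\
bssid,ssid,channel,signal_dbm
A0:B1:C2:00:00:01,CorpNet,36,-48
a0:b1:c2:00:00:02,CorpNet,44,-61
a0:b1:c2:00:00:03,CorpGuest,6,-55
02:11:22:33:44:55,CorpNet,6,-52
02:aa:bb:cc:dd:ee,,11,-41
de:ad:be:ef:00:01,CoffeeShop,1,-83
"""

def find_rogue_aps(survey_csv, approved=APPROVED, strong_dbm=STRONG_DBM):
    """Return (bssid, ssid, reason) for every AP that needs investigation."""
    approved = {b.lower(): s for b, s in approved.items()}
    corp_ssids = set(approved.values())
    findings = []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        signal = int(row["signal_dbm"])
        if bssid in approved:
            # Known hardware address advertising the wrong network name.
            if ssid != approved[bssid]:
                findings.append((bssid, ssid or "<hidden>", "ssid-mismatch"))
            continue
        if ssid in corp_ssids:
            # Corporate network name from hardware that is not in inventory.
            findings.append((bssid, ssid, "evil-twin"))
        elif signal >= strong_dbm:
            # Unknown AP (possibly hidden) with a signal too strong for a neighbour.
            findings.append((bssid, ssid or "<hidden>", "unknown-strong"))
    return findings

if __name__ == "__main__":
    for finding in find_rogue_aps(SURVEY):
        print(*finding)
```

Weak unknown networks such as the neighbouring coffee shop are ignored on purpose; lowering the threshold trades fewer misses for more noise.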
“The main security risk from drones is still their ability to bypass traditional physical controls by breaching fences or accessing the top floor of an office,” said PA Consulting’s Dale.
Down to Earth
Unfortunately for the defenders, drones are hard to spot, and even harder to disrupt. Drone features that appeal to consumer and professional operators make them a difficult target: They are small and quiet, and designed to overcome radio frequency interference.
“Drones have low acoustic and thermal signatures, and low-power RF transmitters,” explained Reeves. “On a radar, they look like birds, and air traffic control radars are designed to ignore birds.”
Drones are also fast, and their transmission systems use a range of frequency-hopping techniques to maintain a good link to the controller. This makes the data link between the operator and the drone hard to detect, and even harder to disrupt.
For now, law-enforcement agencies and businesses are unable to take over and capture or land rogue drones. Jamming the signal is possible but illegal in much of the West, including the UK and the US, with a few exceptions for government and military agencies. (Palm Beach, Florida–based lawyer Jonathan Rupprecht has compiled a comprehensive study of US federal counterdrone law.)
That leaves more forceful countermeasures.
Both manufacturers and law enforcement agencies have experimented with techniques involving drones or guns deploying nets, and even birds of prey. At the other end of the spectrum, German company Rheinmetall Defence has developed antidrone lasers that can be mounted on a truck or an armored vehicle.
But lasers, jamming or even lower-tech measures such as using a sniper to bring down a drone raise other issues, especially over populated areas and airports.
For now, the best defense against drones – for law enforcement and corporate security teams – remains to find and deter rogue drone operators.
“Organizations should conduct threat-modeling exercises to identify and understand the potential threats. They should consider ‘what-if’ scenarios involving drones such as a rogue access point being dropped on the roof, or the CFO’s laptop screen being filmed through the window. They then need to work out how to protect themselves from these events and how to react,” said PA Consulting’s Dale.
“As with the internet and cybersecurity, the positive and negative use of drones are two sides of the same coin and as such, you can’t have one without the other,” added Reeves. “What is certain though, is that security planning will by necessity have to include the dimension of altitude. That will have far-reaching effects.”