Viewpoints

Sky-high concerns: Understanding the security threat posed by drones

Kevin Townsend, 26 September 2019

They are susceptible to all the cyber threats that face the Internet of Things, and can be hijacked for unintended purposes

Drones, the popular name for unmanned aerial vehicles (UAVs), are a new toy for hobbyists, a tool for commerce, and a multi-purpose device for the military. 

At one end of the scale they are just a few feet in diameter and able to carry payloads like a camera or small Raspberry Pi computer; at the other end they have a wingspan of 20 meters and can carry 500-pound laser-guided bombs or Hellfire missiles.

In most cases, they are ultimately free-ranging IoT devices, housed in a flying machine smaller than a lawnmower, with wireless communications. As wireless IoT devices, they are susceptible to all the cyber threats that face the Internet of Things, and can be hijacked for unintended purposes.

Drones: hobby, commercial and military

When hobby drones first appeared, they were little more than a toy for the affluent or a hobby for the enthusiast. But the market has expanded, the technology has improved with greater maneuverability and built-in cameras – and the price has dropped. It is a booming market. The FAA predicts there will be between 1.3 million and 1.7 million hobby drones in the U.S. by 2023. 

The fastest-growing market, although smaller than the hobby market, is for commercial drones, which many companies are experimenting with. The best-known examples include carrying cargo for deliveries which has been explored by Amazon and Domino’s Pizza. This application has been delayed by regulations, since drones are seen by many as a danger and a noise nuisance; but those regulations may be relaxed over the next few years. A U.S. Department of Transportation proposal earlier this year would allow drones to be flown over people and at night without needing special permissions or waivers, which could open up drone delivery services in the future.

There are fewer military drones, but this is also an expanding market. Military drones allow an attacker to reach almost any target in any location without risk to personnel. Their use cases are expanding. According to Steve Durbin, the managing director at the Information Security Forum, drone technology is being developed that could expand military use from straightforward weapons into sophisticated espionage tools. Various third-party organizations are developing drones that can tap or interfere with communications systems, intercept data and self-destruct if captured. Weapons-carrying military drones are manufactured by the U.S., Israel, China, Russia, and Iran, among other countries.

Drones also have lesser known but more specific applications that are neither hobby, commercial nor military. Camera-mounted drones can be used to monitor infrastructure, hard to reach parts of ancient monuments, wildfires or livestock, while specialized sensors can be used for geological surveying. 

All these categories of drone carry security risk. Only the military drone can be considered relatively  secure – the rest are subject to hijacking and misuse for bad purposes like any other IoT device. Those bad purposes include threats to our privacy, to cybersecurity, and even to our physical safety.

Threats to drones

There are two primary cyber threats to drones: hijacking and supply chains.

Hijacking

Non-military drones can be hijacked relatively easily. In 2017, security expert Jonathan Andersson made a device (he called it Icarus) that enabled him to tune into the drone's communication frequency. Even though the communication channel hopped every 11 milliseconds, Icarus waited on one channel, and in the available 11 milliseconds hacked the drone's encryption and hijacked the device.

Supply chain

The supply chain threat exists because the drones are largely manufactured abroad (such as in China), or assembled from components manufactured abroad. With contemporary geo-political tensions, there is always a concern that such devices might contain a hidden backdoor for overseas governments.

An associated concern is that today's hobby drones almost invariably come with a video camera. Hackers could obtain recorded data by hijacking the device and stealing the data. But many drones automatically upload recorded data in real-time for storage in the cloud. 

This raises concerns for even innocently obtained images – if a drone pilot accidentally records something sensitive, that data is immediately online and vulnerable to theft if the storage service is improperly secured. The U.S. government is so concerned over the storage of drone data that earlier this year, the US Department of Homeland Security issued an alert that Chinese-made drones may be a “potential risk to an organization’s information,” and could be sending flight data back to their manufacturers.

Threats from drones

There are three primary threats from non-military drones: to our privacy, to our cybersecurity, and to our physical safety.

Privacy

The privacy issue is self-evident. Drones can carry a camera and can record images – and voice – from places inaccessible to a human eavesdropper. Variants used by law enforcement could link to facial recognition systems and silently monitor crowds, open-air meetings and pedestrians. Militant activists could use them to map out establishments they wish to target. And voyeurs could have a heyday.

Used by the police, they offer a new level of civil control. Used by civilians, they are almost impossible to police. The civilian data will likely be stored in the cloud, possibly with or without the users’ knowledge, and with or without adequate security.

Cybersecurity

Even hobby drones can carry small Raspberry Pi computers. These can be programmed to sniff Wi-Fi signals. They have been used by white hat researchers to test the security of remote critical infrastructure establishments – such as power stations – that cannot be accessed directly from the internet.

They are used legitimately by penetration testers – who conduct controlled attack simulations – in similar circumstances. In one test, a research company was asked to test the cybersecurity of an offshore oil rig. This was difficult with no physical access to the rig. So, a small boat was hired and “moored” some distance from the rig. Then the Raspberry Pi was programmed to sniff Wi-Fi signals, flown over the oil rig, and the researchers were able to listen in to the rig’s communications.

If researchers are doing this, you can guarantee that hackers and perhaps nation-states are doing the same. The targets do not have to be remote, isolated installations – similar attacks could be targeted at any building anywhere. And as hobby drones grow in popularity, the sight of one close to offices will probably not raise concerns.

Physical safety

The drone threat to our physical safety ranges from accidental harm through miscalculations to targeted attacks.

Accidental harm comes from a drone that is out of control. The cause could be the legitimate owner losing control, a hacker losing control, or a hardware or software malfunction within the device. Whatever the cause, a drone crashing out of the sky and hitting a human being will cause damage – and the bigger the drone, the greater the damage.

Harm from miscalculation could occur when the flight of a drone proves more dangerous than considered. In the UK, environmental activist group Extinction Rebellion has been campaigning against the building of a third runway at Heathrow airport. One of their tools of protest has been to fly drones within Heathrow’s 3-mile exclusion zone in order to disrupt flights. Extinction Rebellion does not wish to harm anyone – but a simple miscalculation could be catastrophic.

Targeted attacks are likely to increase over the next few years. The intent will be to harm humans, and could result from any of the existing drivers to cause human harm, whether personal or ideological. So far, actual harm to humans from hobby drones has been largely accidental and not too serious. We have not yet experienced a hobby drone or hijacked commercial drone being purposely aimed at a specific person.

Recent events in Saudi Arabia place a different emphasis on things. Here, a fleet of “military” drones was successfully targeted at Saudi Arabian oil production. Yemeni Houthi rebels claimed responsibility, but most people think it could not have been achieved without the aid of Iran. The drones themselves were almost certainly of Iranian origin. Iran is known to sell its military drones to allies and sympathetic countries. China will sell its military drones to almost any buyer.

Military drones are increasingly available. Matt Rahman, the chief operating officer at security firm IOActive, follows the drone situation closely. “The intent to use drones as kamikaze agents with attached warheads is nothing new,” he told this blog; “but seeing it executed in Iran was something we didn’t think would happen so soon.”

The future

We are still in the early days of drone development. Their capabilities will expand over the next few years; and society and law enforcement needs to be aware of the threats this could deliver. Devices developed for good reasons can be misappropriated for bad purposes.

As an example, consider the latest developments to come from China – a solar powered drone that will soon be capable of permanent flight. Add to this modern high-powered camera-technology and facial recognition, and the result is a drone that can fly around indefinitely until it recognizes a pre-programmed target. With a small warhead, that wouldn’t require a military-quality drone, the specific target could be located and automatically eliminated. It may sound like science fiction, but it is possible today.

The biggest single problem is that drones are not sufficiently regulated. No single agency has yet claimed overall authority to deliver the regulation necessary to prevent drones from becoming a serious threat within society.