Drones - Another threat to security

by [Published on 5 Oct. 2016 / Last Updated on 5 Oct. 2016]

The IoT is happening all around us. One such notable elaboration in this area is drones. Drones, also referred to as unmanned aircraft systems, are quickly finding their way into IoT applications. It is estimated that the drone market may exceed $80billion by 2025. The possibilities for this technology are great however the security concerns (both cybersecurity and physical) must be addressed. Above all, the software utilised must be certified for safety.

Introduction

The enhancement in technologies for improved performance and convenience continues to generate new and very different attack vectors. Drones is one of these technologies. Drones that were once created for military purpose are now utilised as a toy or built and used by avid drone hobbyists. Moreover, they play a role in many a rescue mission and companies (Amazon is one) are developing them for commercial and logistics purposes. They are useful in a range of applications including mining, agriculture and power industries (to name a few). Due to the versatility of drones they are used in almost every sector. The wide reach of this technology increases the risk for cybersecurity attack but also the potential for greater impact too.

Although drones range in levels of complexity - some are highly complex systems - yet others are being mass produced and are easily controlled on mobile devices by any ordinary person. We are noticing Drones which fall somewhere in-between these levels of complexity too and are being used commercially in a wide range of capacities.

The cybersecurity risk is further enhanced as anyone can purchase a drone and the drone industry targeting the masses are not built with security in mind. Consumer drones mostly lack built in rigorous security measures consequently the individuals who use them as well as their targets remain exposed.

Drones and IoT implementations

A typical IoT application comprises of a sensor (something capable of gathering input), a connection (internet connection between the sensor and the back-end infrastructure enabling communication), and a back-end data collector (often cloud based).

Drones, all functioning in a very similar way, are in a nutshell - flying sensors that are communicating via the internet, capturing and transmitting data while being controlled and accessed remotely. Thus they have a sensor, an internet connection and a means to capture and transmit data usually to the cloud. Hence illustrating a connection to the IoT and a means of infiltrating IoT implementations.

The sensor component is easily adaptable and changeable. These could be sniffers, thermal imaging, cameras and microphones and therefore their function is easily transformed.

There is no doubt that drones, like other IoT applications, are extremely useful and show great benefits however the potential risk to security is also enhanced and should be cautiously deliberated. It’s concerning that drones have the potential to further weaken our cybersecurity.

Security concerns at a glance

Drones attributes including: being deployable to different locations, capable of carrying flexible loads, being reprogrammable in operation, able to measure practically anything and being remotely accessible and controlled (to name a few) all contribute to the potential security risk. It is not surprising that drones are introducing a host of significant security concerns.

Presently there is not a high enough level of confidence in IoT security and this is something that must be resolved. All drones should be properly secured so that they are not susceptible to hacks. Something needs to be done to combat the risks and challenges that drones are generating. The safely and privacy of individuals is fundamental and must be assured.

With improved and readily available tools obtainable by hackers, less-skilled hackers are capable of performing attacks that the most skilled would only have be capable of accomplishing before.

Hackers have claimed the ability to take control of drones, albeit partially. Although drone technology holds the capacity for enhanced speed and efficiency for various institutes and businesses they also have the potential to be used as a tool that can invade privacy, undertake corporate espionage and carry out criminal acts and acts of terrorism. Furthermore, system vulnerabilities can be used by a hacker to infiltrate the drone, gain access to data, or gain control of the interface.

Drones can be attacked either by capturing, modifying and injecting a data stream into a telemetry connection over a serial port or it is possible for the attacker to spoof the connection thereby achieving complete control of the interface.

Some notable concerns include (particularly related to consumer drones):

  • Drones with sight

It is commonplace for drones to have the ability to see and capture data in the form of images and video. Drones often have one or other form of camera built in or built on. Privacy can be a concern. Just like individuals have the right to privacy online and the privacy of their communications and data so do they have the right to not be spied on by a drone. The users of such drones, fitted with cameras, can easily capture footage (a livestream or a recording) of an individual or place without consent. Although this technology can be used for good it is also a means for criminals to observe their potential targets.

  • Attackers gaining access to the Drones data

The footage collected by drones inflight is likely to be transmitted back to the user or the cloud. The connection used is not always a secure one. This makes accessing the data quite simple. A hacker has the potential to intercept and steal the data.

  • Drones with weapons

It is no secret that drones have been used within the military for combat purposes. What happens when domestic drones are customised with similar reasons in mind? A toy quickly becomes a security concern and a danger to public welfare.

  • Drones that have been hacked or remotely taken over

A problem we are facing is that as with other IoT technologies, the systems are wireless and remotely controlled and the security is often not as secure as it should be. Drones are typically controlled by connecting back to a remotely controlled device (smartphone or tablet) via Wi-Fi or Bluetooth and this connection is mostly not secure. If the Wi-Fi connection is open anyone can connect to or attack the drone. Drones are consequently extremely hackable. It is critical that these technologies have tight security as the associated security risk can be pronounced.

If a drone is hacked, there is nothing the user can do to gain back control of it. Not only can this lead to theft of the drone or whatever it may be delivering but a greater concern is the potential risk to public safety. Drones can be accessed while in operation, diverted or even commanded to perform a different function and this can be achieved remotely.

  • Drones controlled by adversaries

Not only have Drones become useful for doing good, criminals are finding them useful for the opposite reasons too. Live camera feeds give real time information to criminals and Drones are increasingly being used to target and watch people and places.

  • Protocols are insecure

The protocols implemented are not as secure as they should be and enable attackers to install malicious software onto the systems. Often systems are also vulnerable when the device is not in operation as it is still connected to the internet to upload captured data or update software and if the connection is not properly secured this is an opportunity for malicious code to be introduced.

  • New attacks vectors

Drones can be used to attack Wi-Fi, Bluetooth and other wireless connections and devices. Making it simple to intercept data remotely and from anywhere. Man-in-the-middle attacks can occur wirelessly and on-the-move.

What can be done to improve security?

If hacked and misused by adversaries, drones possess a high threat. As with all network-connected devices, drones are susceptible to cybersecurity threats. The problem we are facing is that domestic drones are now encumbering privacy and security. Drones must be developed in such a way to prevent cybercriminals from manipulating the software. Backdoor malware for drones can infiltrate target computers and take control.

The probability that the software can be compromised is high and safety layers should be built into block this. Security should be considered at build stage to accommodate the engineering of the system as well as the cyber security aspect for the best comprehensive solution.

  1. Secure the device
  2. Secure the connections
  3. Secure the data

To better control the security risks, communication links should be properly secured. Encryption and authentication procedures can aid in this aspect. While not in operation, the security risk does not dissipate as the devices are usually still connected to the internet and to various networks for various reasons (to update software and upload captured data) so these vulnerabilities when the device is not in operation should also be considered.

The data being captured should be secured through encryption so that if the device is hacked and data stolen the date will not be decipherable.

Final thought

Drones can enrich processes but with the innovation, accessibility and connectivity we are breeding a new level of exposure and area of security risk. Just as we are able to adapt and utilise this technology so can adversaries.

It is fundamental that we are aware of the potential associated threats associated, particularly since drones are now easily acquired and used by the masses. There is a physical risk as many individuals operating them do so with very little or no experience and loss of control could cause physical harm. Moreover, individuals are not always aware of the cybersecurity threats, which is concerning.

We must assume security breaches via this route and it is best to prepare for it. It is critical that the safety of such systems is upheld as this technology is quickly becoming a part of our everyday lives with the potential to place public safety at risk.

See Also


The Author — Ricky M. & Monique L. Magalhaes

Ricky M. & Monique L. Magalhaes avatar

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Monique is an international security researcher, she holds a BSc Degree (Cum Laude). Previously she has focussed on research and development at leading enterprises in the Southern hemisphere.