Drones Aren't Just Hackers' Targets - They're Hackers' Weapons

Privacy & Cybersecurity Newsletter
Summer 2020

In past discussions of the cyber risks and vulnerabilities attendant to Unmanned Aerial Systems (“UAS”, or drones), we have primarily described the proliferation of certain drone platforms with reported insecurities, specifically the ubiquitous DJI models that the U.S. Government ultimately removed from its service. But such risks are not merely platform-dependent, as a recent comprehensive report from the RAND Corporation explores in detail.

We would encourage readers to review the report in its entirety, but take the opportunity here to highlight several key takeaways. In particular, there is a helpful summary of 26 specific instances of the exploitation of drones. In one instance, a hacker took control of a drone using an inexpensive Raspberry Pi computer intended to teach basic computing. Such a circumstance shows that a successful hacker need not have particularly sophisticated equipment to take over a drone. That said, the report confirms successful attacks of far more sophistication and also notes that successful hacks are appearing on YouTube and various blogs. Even more concerning, the code used to accomplish drone hacks is often ending up on sites such as GitHub.

RAND used a STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) classification scheme, and determined that the most common cyberattacks reviewed were Denial of Service or Spoofing attacks against an active drone. A prime example would be GPS spoofing, in which a delivery drone is fooled into following false GPS coordinates or is otherwise crashed by the bad actor. But the cyber risks associated with drones are not limited to attacks directed at the drone or upstream from the drone; they also include using the drone itself as a cyber weapon.

Two examples of particular interest were identified by RAND. The first uses a drone to fly over a specific area, such as a dense urban environment, surveying and collecting information on the WiFi networks in the area. With this network information, the drone is then used to access the vulnerable networks, join the networks and connect local hosts to a botnet full of malware-compromised devices. Such an infiltration can lead to distributed denial-of-service (DDoS) attacks, stolen data, and hijacked devices. The second example used a drone flying near a building to inject malicious code that modified the software of smart lightbulbs. The hack exploited a flaw in the communications protocol used to connect the smart bulbs, and injected software that revised the smart bulbs’ firmware so that they blinked “SOS” in Morse code.

While some of these hacks are done in research settings, the risk to the broader commercial world and critical infrastructure is clear. For example, considering that in the COVID-19 environment it became clear that many local government systems were still running on the early programming language COBOL, it is likely that a curious hacker using a drone could find ample flaws to infiltrate such domains. Further, the continuing advancement in drone technology means that new risks are on the horizon. For example, RAND’s report notes that the improvement in autonomous flight capabilities increases the chances for unexpected system behaviors to go unnoticed by the operator. The eventual deployment of UAS traffic management systems also creates new risks for cyber intrusions, as does “swarming” (multiple drones working together autonomously).

Circling back to where this article began, of note is the source of these technology advancements. The RAND report cites a Clarivate Analytics source indicating that, as of 2019, there were 3,935 drone-technology-related patents issued, 64% of which are held by Chinese companies or directly by the Chinese government. U.S. companies, the next biggest player, hold only about 27% of these patents. While the number of patents does not equate with quality, to the extent the U.S. Government remains skeptical of the data collection interests of Chinese entities, this disparity is unlikely to assist in persuading policymakers to ease current restrictions.

Owners and operators of drones should know by now that they must be diligent in protecting their systems and data. But this also needs to be appreciated by a much wider audience. Indeed, from prime infrastructure operators to individuals connecting smart devices, it should be recognized that the hackers of today and tomorrow will have drones in their toolboxes.