If the commercial market for drones is left unchecked, we could start to see drones being weaponised, presenting potential hazards to public safety; so warns a cyber security and ethical hacking company. As the range and functionality of drones improve, and their cost reduces, weaponisation could become common, as poor cyber-security could allow commercial drones to be hijacked by attackers. This presents several risks not yet considered, says IOActive.
Poor cybersecurity controls will enable commercial drones to be hijacked with ease, the firm claims. Malicious actors could programme drones to fly to specific GPS coordinates to launch cyber-attacks on WiFi networks, or other types of wireless networks, while an attacker is miles away. They could also be used to perform man-in-the-middle attacks, disseminate malware, or for GPS spoofing attacks, and as with webcams, they could also be used to spy on owners or steal data.
The drone activity that disrupted pre-Christmas flights in and out of Gatwick Airport and cost airlines millions is likely to continue, the cyber firm says, with the added risk that this method of disruption could be used with malicious intent, with hacked drones being used to prevent air travel or even put passenger well-being at risk. Hacked drones could even be used to ‘dive-bomb’ pedestrians or to cause chaos at traffic intersections, putting human life at risk. And as for privacy issues, drones can easily take high resolution pictures and movies through building windows, which could result in blackmail or other unwanted surveillance. A ‘follow me’ functionality could help people to turn drones into spying devices.
Cesar Cerrudo, CTO at IOActive says: “With enough determination anything can be hacked, but the commercialisation of the drone market is making it all too easy – and many of the consequences for security, safety and privacy have simply not been thought through. The range of drones is of particular concern as it opens up new areas of vulnerability that many will not have considered. For example, off-shore oil rigs have previously been protected from many short-range cyber-attacks by their distance from land, but in the age of weaponised drones they could be fair game. We also see companies like Amazon trialling the use of drone deliveries, which also throws up problems – what if those drones are intercepted so that people can steal packages? Individual industries need to look at their own risk posture to determine if they need to make any changes in light of our new hovering frenemies.”
Cerrudo says manufacturers need to shoulder their share of the responsibility for the products they are bringing to market to ensure they are as secure as possible. He adds: “The relative speed at which these devices are taking to the sky raises several issues. While the use of drones within the military has been common for many years, those drones have been rigorously tested and built with security in mind – commercial manufacturers do not have the same concerns, they are more focused on getting their product to market than ensuring cybersecurity. This attitude needs to change. Security should be a fundamental part of the core deign, so that it is baked in from the ground up, rather than retrofitted as an afterthought. At the moment, drones are just sitting ducks.”
Lack of accountability and responsibility are also areas that needs consideration, Cerrudo says. “The airline industry, governments, and manufacturers of these products all need to be vigilant and aware of the potential risks – there needs to be far greater accountability for safety and security. The issue just isn’t being given the seriousness it deserves and it’s better for all if action is taken before there’s a major incident that forces change to happen.”
Picture by Mark Rowe; drone (and pigeon) over City of Bristol College on Saturday, during the cricket World Cup, Australia versus Afghanistan, match at the nearby County Ground, Bristol.
