recommended reading

Here Come the Drones—And Their Security Holes

Dmitry Kalinovsky/

Within the next half decade, commercial drones will likely be delivering us pizzas, burritos and probably a few nonedible items too, experts predict.

But with that convenience will also come a new slate of digital dangers, from remotely disabled drones crashing through our windows to malicious payloads hacking into office Wi-Fi networks.

The danger right now is limited by strict Federal Aviation Administration regulations that prohibit civilian drones from flying over people except in limited situations, flying above 400 feet or flying outside the range of an operator’s line of vision.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Those drones are mostly used by hobbyists or by industry, university and nonprofit groups for limited purposes such as aerial photography or limited data gathering.

The future is coming soon, though. Amazon has begun more ambitious drone delivery trials in England and is eager to move to the U.S. market.

“Up to now, people haven’t been paying a lot of attention because there’s not a lot of risk there yet,” said Matt Scassero, director of the University of Maryland’s Unmanned Aircraft Systems Test Site. “There’s not a lot of valuable cargo and no operations over people. There’s no there there for hackers to go after other than just to say they did it.”

That will all change when commercial drone delivery ramps up in the coming years, Scassero said, and it’s important researchers and regulators get a jump on it.

McAfee predicted in its 2017 threat report that drone hacking toolkits will soon begin appearing on the dark web. As police use of surveillance drones increases, protesters are also likely to turn to hacking to disable them, the cybersecurity firm predicted.

The Islamic State has used commercial drones to attack Iraqi and Kurdish forces in Iraq and Syria. It could be only a matter of time before the group or one of its self-radicalized adherents uses such drones to launch physical attacks in the West, the threat research group Stratfor predicted this month.

The current prohibitions also haven’t halted some criminal groups.

The San Francisco company Dedrone, which alerts customers to unexpected drones flying in their vicinities, has caught drones flying near office buildings where they could hack into Wi-Fi networks to steal proprietary information, near data centers where they could destroy massive amounts of data by disrupting cooling systems, and near prisons, presumably to deliver drugs or contraband to prisoners, CEO Jeorg Lamprecht told Nextgov.

For Wi-Fi-based cyber snooping, in particular, drones can be very useful, Lamprecht said, because they can reach a network that wouldn’t be accessible to an earthbound hacker—for example, on the 30th floor of a high-rise building or in a building with a gated perimeter.

“You could emulate that you’re the printer so documents would be sent to the drone rather than the printer,” Lamprecht said.

While Dedrone’s customers don’t typically advertise attempted intrusions, the company observes roughly 10 drone-based incidents of all types per day, Lamprecht said.

There’s also a danger of drones themselves being hacked.

University of Texas Aerospace and Engineering Prof. Todd Humphreys demonstrated in 2012 how to hack a small drone by spoofing the GPS signal the drone uses to navigate and forcing it to land. The demo prompted a hearing of the House Homeland Security Committee.

Despite some patches and improvements since that demo, commercial drones “remain very hackable,” Humphreys told Nextgov. In addition to GPS spoofing, drones are highly vulnerable to two other hacking routes, Humphreys said.

The first is the command and control link between the drone and its operator, which is not always encrypted and could be either jammed or hijacked by a skilled hacker. The second is the ADS-B system drones and other aircraft use to communicate with each other and avoid collisions, which is also vulnerable to spoofing, he said.

Drones themselves could also be used to spread false ADS-B messages, he warned.

“Think of the confusion that could result by somebody flying around near an airport and broadcasting false ADS-B messages to ground control and incoming aircraft,” he said. “Maybe that confusion would just be an annoyance and maybe it could lead to a collision or near collision.”

Drones, of course, are just one of the many connected devices that will be entering our lives over the next decade as part of the nascent internet of things posing myriad cybersecurity dangers. Security researchers demonstrated how to remotely disable a Jeep Cherokee in 2015. The 2016 Mirai botnet wreaked havoc on the web by hijacking the computing power of web cameras, baby monitors and other connected devices.

Commercial drones represent a peculiar danger, however, because they’re effectively multiple devices in one. There’s the drone itself and then there’s the payload it’s carrying, which could be a camera, a sensor or another device vulnerable to hacking.

That compounds the damage drones could cause to both security and privacy, especially if regulations the government places on commercial drones don’t apply or apply less stringently to the cybersecurity of their cargo.

Commercial drones do have a number of things going for them when it comes to security, however. To begin with, there’s the Defense Department, which has years of experience securing military drones, some of which can be shared with the private sector.

Some of the largest customers of commercial drones are also likely to be Amazon, Google and other tech firms that are cyber savvy and wary of allowing in any vulnerabilities that will damage their reputations when it comes to security and privacy.

Finally, the drone market so far has developed rapidly and been comparatively amenable to patching known vulnerabilities, Humphreys said.

“I am much more worried about being annoyed by the sound of drones overhead than being annoyed by them crashing into my backyard or making it dangerous to land at an airport,” Humphreys said. “I’m looking forward to a time when I can purchase something and have it delivered in 15 minutes.”

Threatwatch Alert

Stolen laptop

Wireless Heart Monitor Maker to Pay $2.5M Settlement to HHS After Laptop Stolen

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.