Here Come the Drones—And Their Security Holes

Dmitry Kalinovsky/

With great convenience will come great security responsibilities, experts say.

Within the next half decade, commercial drones will likely be delivering us pizzas, burritos and probably a few nonedible items too, experts predict.

But with that convenience will also come a new slate of digital dangers, from remotely disabled drones crashing through our windows to malicious payloads hacking into office Wi-Fi networks.

The danger right now is limited by strict Federal Aviation Administration regulations that prohibit civilian drones from flying over people except in limited situations, flying above 400 feet or flying outside the range of an operator’s line of vision.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Those drones are mostly used by hobbyists or by industry, university and nonprofit groups for limited purposes such as aerial photography or limited data gathering.

The future is coming soon, though. Amazon has begun more ambitious drone delivery trials in England and is eager to move to the U.S. market.

“Up to now, people haven’t been paying a lot of attention because there’s not a lot of risk there yet,” said Matt Scassero, director of the University of Maryland’s Unmanned Aircraft Systems Test Site. “There’s not a lot of valuable cargo and no operations over people. There’s no there there for hackers to go after other than just to say they did it.”

That will all change when commercial drone delivery ramps up in the coming years, Scassero said, and it’s important researchers and regulators get a jump on it.

McAfee predicted in its 2017 threat report that drone hacking toolkits will soon begin appearing on the dark web. As police use of surveillance drones increases, protesters are also likely to turn to hacking to disable them, the cybersecurity firm predicted.

The Islamic State has used commercial drones to attack Iraqi and Kurdish forces in Iraq and Syria. It could be only a matter of time before the group or one of its self-radicalized adherents uses such drones to launch physical attacks in the West, the threat research group Stratfor predicted this month.

The current prohibitions also haven’t halted some criminal groups.

The San Francisco company Dedrone, which alerts customers to unexpected drones flying in their vicinities, has caught drones flying near office buildings where they could hack into Wi-Fi networks to steal proprietary information, near data centers where they could destroy massive amounts of data by disrupting cooling systems, and near prisons, presumably to deliver drugs or contraband to prisoners, CEO Jeorg Lamprecht told Nextgov.

For Wi-Fi-based cyber snooping, in particular, drones can be very useful, Lamprecht said, because they can reach a network that wouldn’t be accessible to an earthbound hacker—for example, on the 30th floor of a high-rise building or in a building with a gated perimeter.

“You could emulate that you’re the printer so documents would be sent to the drone rather than the printer,” Lamprecht said.

While Dedrone’s customers don’t typically advertise attempted intrusions, the company observes roughly 10 drone-based incidents of all types per day, Lamprecht said.

There’s also a danger of drones themselves being hacked.

University of Texas Aerospace and Engineering Prof. Todd Humphreys demonstrated in 2012 how to hack a small drone by spoofing the GPS signal the drone uses to navigate and forcing it to land. The demo prompted a hearing of the House Homeland Security Committee.

Despite some patches and improvements since that demo, commercial drones “remain very hackable,” Humphreys told Nextgov. In addition to GPS spoofing, drones are highly vulnerable to two other hacking routes, Humphreys said.

The first is the command and control link between the drone and its operator, which is not always encrypted and could be either jammed or hijacked by a skilled hacker. The second is the ADS-B system drones and other aircraft use to communicate with each other and avoid collisions, which is also vulnerable to spoofing, he said.

Drones themselves could also be used to spread false ADS-B messages, he warned.

“Think of the confusion that could result by somebody flying around near an airport and broadcasting false ADS-B messages to ground control and incoming aircraft,” he said. “Maybe that confusion would just be an annoyance and maybe it could lead to a collision or near collision.”

Drones, of course, are just one of the many connected devices that will be entering our lives over the next decade as part of the nascent internet of things posing myriad cybersecurity dangers. Security researchers demonstrated how to remotely disable a Jeep Cherokee in 2015. The 2016 Mirai botnet wreaked havoc on the web by hijacking the computing power of web cameras, baby monitors and other connected devices.

Commercial drones represent a peculiar danger, however, because they’re effectively multiple devices in one. There’s the drone itself and then there’s the payload it’s carrying, which could be a camera, a sensor or another device vulnerable to hacking.

That compounds the damage drones could cause to both security and privacy, especially if regulations the government places on commercial drones don’t apply or apply less stringently to the cybersecurity of their cargo.

Commercial drones do have a number of things going for them when it comes to security, however. To begin with, there’s the Defense Department, which has years of experience securing military drones, some of which can be shared with the private sector.

Some of the largest customers of commercial drones are also likely to be Amazon, Google and other tech firms that are cyber savvy and wary of allowing in any vulnerabilities that will damage their reputations when it comes to security and privacy.

Finally, the drone market so far has developed rapidly and been comparatively amenable to patching known vulnerabilities, Humphreys said.

“I am much more worried about being annoyed by the sound of drones overhead than being annoyed by them crashing into my backyard or making it dangerous to land at an airport,” Humphreys said. “I’m looking forward to a time when I can purchase something and have it delivered in 15 minutes.”

NEXT STORY: The first brick in the wall