Hacking Over the Internet, Wirelessly, and From the Air
Hacking is achieved in many forms. One might think of hackers breaking into computer networks remotely over the internet to shut down critical infrastructure. This has been proven out with the Stuxnet hacking of Iran’s nuclear reactor where it suffered a major blow when the U.S. and Israel teamed up in order to stall Iran’s nuclear development program.
While Stuxnet was most likely introduced via an infected USB flash drive, wireless threats typically go unrealized and overlooked. This may be due to greater familiarity with wired networks rather than their wireless counterparts. With the proliferation of smart phones, Bluetooth, NFC, and Wi-Fi hotspots, hackers have numerous attack points to compromise networks. Hackers are taking to the sky with a hybrid approach using drones to hack with their eye on critical infrastructure.
First the Good News
Drones have begun delivering everything from packages to pizza. And of course where there is pizza, there is usually also beer. Drones are being used by farmers to verify their irrigation systems are working and track crops that appear sick with infrared technology. The real estate market has welcomed drones for their dramatic aerial photography of lavish estates so wealthy buyers can get a ‘birds eye view’. Fast paced outdoor sports such as skiing, car racing and football offer some amazing angles from above. Firefighters have even embraced drones as an effective tool for scouting blazes to save fuel costs, deployment of resources and of course save lives. With all the advances in drone technology what could possibly go wrong?
Now For the Bad News
On Jan. 27, 2015, a civilian drone breached restricted airspace, crashing on the White House lawn. This caused reasonable panic as security officials had no way of knowing where it came from or if it was a credible threat. The operator turned himself into authorities the next morning. While it ended up being a harmless accident, the White House and Secret Service were briefly on full alert. The costs associated with national security are unsurprisingly high, but what about the worst-case scenarios? What if this was a terrorist drone dispensing a biological or chemical agent or strapped with C4 explosives?
The GPS navigation systems in modern drones are incredibly accurate and can be auto-piloted using pre-programmed waypoints. There are vulnerabilities present within all navigation systems that would allow a cyber hacker access to the drone’s data stream or telemetry link connection, or they could even spoof the connection to the pilot’s ground station, allowing complete control of the interface. Either scenario is cause for concern and a credible threat. Drones can be dangerous when carelessly piloted by anyone but even more deadly by terrorists using a little skill.
In June of 2015, I testified alongside members of the AMA (Academy of Model Aeronautics) before the Assembly Homeland Security and State Preparedness Committee of New Jersey State Legislature in Trenton on credible threats that drones pose to critical infrastructure. The committee was preparing to vote on proposed legislature that “Establishes fourth degree crime of conducting surveillance of critical infrastructures using drones and requires certain drones to be registered and insured.”
I shared my wireless expertise and posed a credible terrorist scenario involving multiple drones equipped with explosives flown below radar near a nuclear facility. There are multiple critical infrastructure weak points in any nuclear facility, but the ones I highlighted could be taken out easily with drones and even lead to full meltdown if not secured immediately.
Future of Drones Good and Bad
Of course, we don’t need a doomsday scenario in order to legislate, educate and regulate the public on drones. As I’ve detailed in past blogs on drone hacking, hackers could modify a drone with special software that can search for a nearby Wi-Fi client looking for a Wi-Fi network to join. This drone would then intercept the transmitted signal, fooling the mobile phone into believing it is a trusted wireless network. Once connected to a “trusted” network, the hacker could intercept your mobile phone’s private data, passwords and contacts. These man-in-the-middle attacks have been going on since computers were first networked, but the drone gives the hacker the ability to perform these attacks wirelessly and on-the-go, following victims anywhere in the world. The lack of stringent security measures built into drone operating systems has yet to be addressed by any consumer drone maker and until it is, drones, their pilots and their targets will remain as vulnerable as the IoT industry and any other industries that do not prioritize security.
This post is sponsored by HPE’s Business Value Exchange
- Stalking has never been easier so let’s change that - 02/08/2023
- This is why nobody is allowed a cell phone in classified debriefings - 11/18/2022
- Death of the VPN: A Security Eulogy - 08/24/2022