(Kevin Townsend / SecurityWeek) – UK environmental activists known as Extinction Rebellion (ER) are threatening to protest the development of a third runway at London’s Heathrow airport by flying drones right to the edge of the airport’s exclusion zone.
ER cofounder Gail Bradbrook announced 15 July 2019, “They’ve said, ok, there’s this exclusion zone around Heathrow where you can’t fly drones and we’ve gone, oh, that’s interesting because what we’re about is breaking the rules.”
That, in a nutshell, is the drone problem: an explosive (potentially literally) new market with virtually no governance beyond ‘exclusion zone’ rules — a situation that applies as much in the U.S. as it does in the UK. By 2024, the U.S. drone market alone is expected to be worth $150 billion, split between military, commercial and hobbyist use. In the words of Matt Rahman, COO at IOActive, talking to SecurityWeek, “Who owns the drone problem?” And the answer today is, effectively, no-one.
Military drones are not a domestic problem. They are well-controlled, heavily regulated, very secure and not used without planning. “Past attempts to breach a military drone requires the sophistication of a nation-state attacker,” says Rahman.
Commercial and hobby drones are a different matter. They have been described as flying lawnmowers with an IoT heart, directed wirelessly and carrying a payload. And like all new technological developments, they have been rushed to market with little regard for security — either by design or in operation. “There’s a lot of ways you can manipulate the drone by hijacking it or by jamming the signals or by using a Raspberry Pi attached to it to be able to hack into wireless networks,” says Rahman.
So, the lawnmower crashing into a human body is a danger. The IoT heart is vulnerable. The communications could be hijacked. And the payload (usually a camera but as easily a Raspberry Pi computer) can be used for video spying, privacy invasion or even WiFi sniffing above restricted locations. Controlled by a terrorist, that payload could equally be a hand grenade or nerve gas. And most drones are made in China.
Drones have also been an increasing threat to industrial sites, enabling various attacks (both cyber and physical) that historically were only possible in close proximity to a facility or device.
Some six years ago, Rahman had an assignment to test the security of an oil rig. His solution was to hire a small boat, sail close to the rig, and fly a drone fitted with a Raspberry Pi over the installation. He was able to listen into the oil rig’s network and communications and complete his assessment.
“The major problem with drones,” comments Joseph Carson, chief security scientist at Thycotic, “is that they are easily available in all different sizes. Most carry recording equipment that can get to places which most people cannot access. This makes drones the perfect spy device.”
This is already causing concern. In May 2019, the DHS issued an alert flagging Chinese-made drones as a “potential risk to an organization’s information”. It added, the U.S. government has “strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access,” said the alert.
Drones do have legitimate valuable uses, like delivering defibrillators directly to where they are required. “But the problem we see,” says Rahman, “is where is the security and where is the privacy with commercial drones — and almost more importantly, where is the safety? For example, if you had a high-profile VIP, you could identify that person and crash the drone into his skull.”
The difficulty here is that when a hobbyist buys and flies a drone, how does he or she know they have full control. What is to prevent an attacker hijacking the controls, and, for example, flying the drone into the Heathrow exclusion zone and into the flight path of an aircraft?
“Over the next few years,” Steve Durbin, managing director of the Information Security Forum, told SecurityWeek, “technological breakthroughs in drone technologies, combined with advances in 5G, big data, the Internet of Things (IoT), and the lessening of aviation regulations, will mean that drones will become increasingly important to operating models. Organizations will depend on them for delivery, monitoring, imagery and law enforcement, whilst attackers will embrace drones as their new weapon of choice. Literally, the threat landscape will take to the skies.”
If the drone is a flying IoT device, then to some extent the security solution will be the same as for static IoT devices. “Like any smart device,” comments Chris Morales, head of security analytics at Vectra, “the manufacturer needs to provide a method for the owner to update the software for security patches as well as ensure they have strong device password authentication. Lastly, the device should use a form of remote encrypted communication that is reasonably strong and resistant from man in the middle attacks and device hijacking.”
This will require pressure applied to the manufacturer. Business should “lobby drone manufacturers or providers to ensure that drones have security features incorporated,” says Durbin, “and keep up-to-date with future legal and regulatory requirements, considering that they may differ or conflict across jurisdictional boundaries.”
Carson would like to see a form of kill-switch built into drones. “Drones should require a basic safety requirement, registration or automatic prevention from flying in certain areas that would require a code to unlock which is of course pre-registered.”
These are all good ideas, but for now no-one is forcing anything. “This is a whole new aviation industry,” says Rahman. “The problem is that it is just coming so fast with so many different uses that we’re simply not looking at security anywhere in the development lifecycle. We’re not even pushing the vendors to add security. The real problem is, who is owning this new problem? Is it NASA? Is it the FAA? Who vets the regulations? Who is forcing the manufacturers to do what they should? Who is forcing the testing? Who is managing the governance of drones and pushing regulations? Right now, no-one is telling the manufacturers they need to have these security components, they need to have a minimum set of requirements, and it needs to be tested.”
The problem is that drone technology and use is advancing much faster than any attempts at regulation. And it is likely to get worse. Two technologies currently being developed for military drones will inevitably migrate to commercial and hobbyist drones: artificial intelligence and self-power (such as solar power). “In a few years,” warns Rahman, “add autonomy and satellite communications, plus AI-based self-determination… and that becomes a bit scary.”
Imagine a hijacked or stolen or custom-made drone with that sort of capability, but armed with an IBM DeepLocker-style payload. That payload could be kept airborne indefinitely, doing nothing but fly around, until a precise target is located by facial recognition from a mile or more away. At that point the AI would trigger whatever the drone is programmed to do. It may sound like science fiction, but it is already possible. And so far, there is little regulatory control to prevent it.