In 2016, drone technology entered the mainstream and can now be used for aerial photography, media filming, law enforcement surveillance and – if the promises from pioneering digital giants like Amazon come to fruition – home deliveries.
Yet as more of these small flying devices take to the skies, cybersecurity experts are warning that they will inevitably become an open target for hackers. In what is being dubbed as “dronejacking”, experts say cybercriminals are likely already looking at ways to exploit these devices.
“What makes drones potentially easier to hack is they are designed to have a quick and easy setup, often using unencrypted communication and many open ports,” said Bruce Snell, cybersecurity and privacy director at Intel Security.
“As we have seen with other IoT technology, once a device is connected to a network, people quickly start looking for ways to hack it. This effort is made easier by the general rush to market for IoT devices, including drones, which have little or no security.”
Indeed, there have already been examples of hackers actively exploiting drones to test how they can be manipulated. In 2015, at the Defcon security conference, a former US Department of Defense (DoD) expert showed how drones could be forced to crash to the ground using pulsing GPS signals.
Additionally, in March this year at the RSA conference, a researcher called Nils Rodday demonstrated how alleged vulnerabilities in high-end drones routinely used by police and government could be remotely exploited by hackers using only a laptop and cheap USB device.
“Researchers have found many consumer drones shipping with open ports and weak authentication methods, allowing a person with the right equipment to send commands to the victim’s drone,” said Snell in an Intel McAfee Threat Predictions report looking ahead to the future.
He continued: “So far, this has been a fairly manual process but, as we’ve seen in the past, new exploits typically appear sooner or later in easily reproducible format.
“The majority of the vulnerabilities discovered on commercial drones can be easily fixed with a software update. While high-end drones will most likely be patched quickly, cheap drones will most likely fly a long time before a patch is available.”
Snell said the exploits used to take advantage of drone-based security flaws would – like more traditional forms of hacking tools – inevitably soon be traded on the Dark Web. Often, hackers can use cryptocurrencies like Bitcoin to purchase these tools with ease.
“We predict in 2017 that drone exploit toolkits will find their ways to the dark corners of the internet,” he said. “Once these toolkits start making the rounds, it is just a matter of time before we see stories of hijacked drones showing up in the evening news.”
For his other predictions, the Intel Security expert said drones will also increasingly be used by police and government agencies to monitor crowds and protests, much like those recently deployed in the US during demonstrations by Black Lives Matter. These may also soon be targeted, he added.
“More and more law enforcement agencies are turning to drones to assist in surveillance and crowd control. In a highly charged situation like a protest or active shooter situation, a police drone would be a tempting target for someone looking to remain unseen by law enforcement,” Snell explained.
“Now, instead of wall-mounted security cameras, we have cameras attached to drones. As protestors and hacktivists start to mix more, the odds of a protester with the technology to knock out surveillance drones dramatically increases.”
For home deliveries – much like Amazon’s Prime Air service which aims to “safely get packages to customers in 30 minutes or less using small unmanned aerial vehicles” – Snell said these drones will also inevitably become the targets while in-the-wild.
“Someone looking to ‘dronejack’ deliveries could find a location with regular drone traffic and wait for the targets to appear. Once a package delivery drone is overhead, the drone could be sent to the ground, allowing the criminal to steal the package,” he said.
“This creates a realistic target for a criminal looking to make a quick buck. To be fair, such thefts would be hit or miss as there would not be an easy way to know what is in the package, but it could turn out to be lucrative.”