Government agencies have slowly begun to address the security risks involving drones. For example, an Oregon bill would make it a misdemeanor to operate a weaponized drone. Congress and the FAA are looking into concerns about the risks that drones pose to commercial airplanes.
However, little has been done to address drones and malware. Like any emerging technology, malware tends to come later, after the technology is used by enough of the population to make it financially feasible to cybercriminals. As Jones explained, the majority of drones used for public use aren’t communicating with anything outside of the controller, which is usually a tablet or smartphone.
Still, some malware developers see the potential in hacking drones and are actively looking at ways to take advantage of any vulnerabilities. In one case, malware developers used smartphone and tablet controls to take advantage of a vulnerability in the AR quadcopter helicopter drone through a piece of malware known as Maldrone. According to ZDNet:
Maldrone can be used to remotely hijack drones via entry through the backdoor. Developed for the AR drone's ARM Linux system, the malicious code is able to kill a drone's autopilot and take control remotely.
Also, a PC Magazine article presented the idea that drones could be the instrument delivering malware – or spyware – computers:
An Insitu engineer reportedly wrote to Hacking Team this April about the idea, stating: "We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System."
Finally, Wired reported on a security researcher who demonstrated how easy it is to take advantage of flaws in law enforcement drones:
By exploiting a lack of encryption between the drone and its controller module known as a “telemetry box,” any hacker who’s able to reverse engineer the drone’s flight software can impersonate that controller to send navigation commands, meanwhile blocking all commands from the drone’s legitimate operator.
These examples don’t include the malware and hack attempts targeting military drones. As Jones explained, there was at least one incident of a keylogger malware/virus infecting a UAV fleet at Creech Air Force Base in Nevada, when supposedly an operator used the control PC of a drone to play a video game.
Drone security is complicated because it covers so many different types of threats. This is just the beginning.
“Drones are basically flying computers,” said Jones, “so the potential for flaws and concerns is still limitless.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba