Drones and security have an interesting relationship. Drones can be used to assist in physical security, such as providing aerial video footage, and in national security efforts. But drones have been a threat to security, as well. For instance, a drone crashed into a plane at Heathrow Airport recently; in response, London put a security restriction on drones during President Obama’s visit to the United Kingdom. Finally, drones themselves can be vulnerable to security threats like malware.
Drones: Unique Risks to General Public
Small Unmanned Aerial Systems (UAS) – a.k.a. drones -- are first and foremost data collection platforms, Richard M. Lusk, director, UAS Research Center at the Oak Ridge National Laboratory, explained.
“The unique capabilities offered for sensing and monitoring our environment and extending our awareness of the world around us can be leveraged to great effect for the betterment of humankind,” Lusk continued. “Small UAS can be used for agricultural, infrastructure and environmental monitoring, and response and recovery in times of disaster. We haven't fully integrated the technologies to make all these things possible, yet. But we are working on it.”
However, he added, as with all new technology, there will be those who want to use it for nefarious ends, and that’s where the concern about security risks comes in. Right now, the biggest security risk is to the general public.
“You have mostly untrained novice ‘pilots’ flying vehicles that have cameras and high-speed moving parts,” said Ryan Jones, partner at Coalfire Labs. “There is obvious risk of personal injury if one crashes into a crowd or otherwise hits a person from the moving blades that keep it aloft or from just the pure physical design and weight of an object falling out of the sky.”
Concern is also rising about drone operators who are heavily modifying their drones into weapons to carry everything from handguns to rifles to chainsaws. These modifications, Jones pointed out, introduce a whole new level of risk, as you now have a privately owned “weaponized” drone.
Drones and Privacy
Next comes the privacy issue. The Columbia Journalism Review asked a pointed question: Just because drones have the ability to photograph anything, should they be able to do so? The answer is no, we need respect for privacy:
The goal is to come up with guidelines for commercial and private drone operators that would allow the budding unmanned aerial vehicle industry to develop while also preserving the right to privacy—something like what the humanitarian community has already done, but for all non-governmental drone users.
Next page: Tackling Drone Vulnerabilities
Tackling Drone Vulnerabilities
Government agencies have slowly begun to address the security risks involving drones. For example, an Oregon bill would make it a misdemeanor to operate a weaponized drone. Congress and the FAA are looking into concerns about the risks that drones pose to commercial airplanes.
However, little has been done to address drones and malware. Like any emerging technology, malware tends to come later, after the technology is used by enough of the population to make it financially feasible to cybercriminals. As Jones explained, the majority of drones used for public use aren’t communicating with anything outside of the controller, which is usually a tablet or smartphone.
Still, some malware developers see the potential in hacking drones and are actively looking at ways to take advantage of any vulnerabilities. In one case, malware developers used smartphone and tablet controls to take advantage of a vulnerability in the AR quadcopter helicopter drone through a piece of malware known as Maldrone. According to ZDNet:
Maldrone can be used to remotely hijack drones via entry through the backdoor. Developed for the AR drone's ARM Linux system, the malicious code is able to kill a drone's autopilot and take control remotely.
Also, a PC Magazine article presented the idea that drones could be the instrument delivering malware – or spyware – computers:
An Insitu engineer reportedly wrote to Hacking Team this April about the idea, stating: "We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System."
Finally, Wired reported on a security researcher who demonstrated how easy it is to take advantage of flaws in law enforcement drones:
By exploiting a lack of encryption between the drone and its controller module known as a “telemetry box,” any hacker who’s able to reverse engineer the drone’s flight software can impersonate that controller to send navigation commands, meanwhile blocking all commands from the drone’s legitimate operator.
These examples don’t include the malware and hack attempts targeting military drones. As Jones explained, there was at least one incident of a keylogger malware/virus infecting a UAV fleet at Creech Air Force Base in Nevada, when supposedly an operator used the control PC of a drone to play a video game.
Drone security is complicated because it covers so many different types of threats. This is just the beginning.
“Drones are basically flying computers,” said Jones, “so the potential for flaws and concerns is still limitless.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba