Aerial Drones – A New Frontier for Hackers
Drones in the News
Drones have been a hot news topic for a number of years. Individuals and businesses alike are scrambling to leverage these digital devices for everything from aerial photography to package delivery. Their inexpensive cost makes them readily accessible, and the uses are virtually unlimited – even for the malicious actor.
Perhaps you saw in the news where a drone was used to get within range of a home and hack into the automation features to control the lights. While that stunt was simply annoying, it shines a spotlight (pun fully intended) on the bigger issue security professionals face when seeking to implement this new technology securely.
Recently Raxis conducted a security assessment where we employed a drone to intercept aerial signals in transit between two locations. The drone was positioned in the line of sight of the transmission and intercepted the signal as it flew by.
The drone relayed the data to our security engineer on the ground and the captured data was reviewed for exploitable content.
Similarly, drones can be used for proximity attacks where they can get close enough to a target to intercept the radio signal. This information can be saved onboard or relayed to a remote location for analysis and use.
Drones can be readily equipped to receive and transmit data across a myriad of transports. This creates an interesting array of attack vectors for the creative hacker.
What Can You Do?
Drones offer an entirely new attack vector for hackers. As a security engineer, you need a comprehensive plan that incorporates drone-related threat profiles:
- Establish a no-fly zone and prepare countermeasures for safely landing a rouge drone (where legally available).
- Maintain vigilant surveillance of critical areas.
- Ensure that all data is highly encrypted and that no plain text passwords or other information is being transmitted through the air.
- If a drone is spotted, consider ceasing all data traffic until the drone is no longer a threat.
Beyond intercepting data, drones are employed for general surveillance with increasing frequency. An attacker preparing to infiltrate your physical property can gain a substantial amount of information by reviewing aerial footage obtained during overhead flights.
Drones can be small, quiet, and hard to detect. It’s possible a drone could surveille your property without attracting undue attention. Even if the device is noticed, it’s likely that employees would simply assume its presence is recreational without considering the security implications regarding such a device in proximity to a given facility.
Training and attentiveness are critical to maintaining a robust security posture against these aerial attacks. The old slogan from US Homeland Security, “If you see something, say something” applies here. Encourage your employees to report drone sightings and develop a legal and safe plan for handling drone flights in your area.
Above all else, realize that drone-based attacks can pose a significant threat to your security posture and should be managed accordingly.