How drones affect your threat model

Most security leaders are unlikely to have drones on the list of threats they need to defend against on the cyber or physical security front. Drones can, however, introduce new risks that organizations need to recognize and address proactively, say security experts, even if an organization isn’t using them.

A growing number of organizations have recently been deploying drones—or unmanned aerial vehicles (UAVs) or unmanned aircraft systems (UAS)—for a variety of applications. Examples include crop monitoring, surveying sites and terrain, inspecting utility infrastructure, delivering goods, and checking warehouse inventory.

Amazon has received a lot of attention for its planned Prime Air drone delivery service, but others have been quietly forging ahead with their own drone projects. Energy firm Southern Company, for instance, has been using drones for infrastructure inspections, assessing storm damage, and vegetation management. Allstate Insurance is using drones to assess property damage in multiple states. Shell conducts surveillance of its shale assets globally with drones, CVS and UPS have teamed up to offer a fast prescription medicine delivery service via drones.

Analyst firm Gartner has predicted that the productivity gains that drones enable will drive enterprise demand for the technology and push the installed base from 324,000 last year to over nine million worldwide by 2028.

With drone use beginning to gather broad momentum, organizations need to be cognizant about the new risks they introduce, says James Acevedo, president at Star River, Inc., a Toronto-based drone security consultancy. “A drone is a tool that can be used in almost any situation,” Acevedo says. “If I want to take a photo, I can put a camera on it. If I want to listen to somebody’s conversation, I can put a listening device. If I wanted to spoof a WiFi network, I can put a Wi-Fi cracking tool on it. You can swing almost any kind of technology under a drone and put it airborne,” he says.

Here are some of the security issues organizations need to consider in their threat models, whether they use drones or not.

Physical surveillance and physical attacks

A drone’s ability to penetrate traditional ground defenses and to keep the operator remote from the attack site makes it a potent weapon in the hands of an adversary says Max Klein, chief technology officer at aircraft part and equipment manufacturer SCI Technology, Inc. The military has long taken advantage of these capabilities to conduct intelligence, surveillance and reconnaissance, he says.

“Traditional physical security measures protect against things that swim, crawl, walk or run,” Klein says. “However, there is very little in most commercial environments to protect against airborne threats.”

Razor wire fences and perimeter intrusion detection systems, such as Passive Infrared (PIR) sensors, laser or electro-optical trip lines, buried vibration detection equipment, or even CCTV video analytics have a near-zero probability of detecting a small UAS, Klein says. Even if an effective UAS countermeasure can be employed, the wireless or even pre-programmed remote operation nature of the UAS typically shields the operator from being easily identified, located and detained.

“From only several hundred feet away, many drones are nearly invisible in the sky and cannot be heard above normal background noises on the ground, yet at these distances many cameras can easily not just detect but identify individual people,” says Klein. As a result drones can enable much more up-close, persistent and often totally undetectable surveillance of sensitive facilities than other technologies. This surveillance capability is not limited to optical surveillance.

“Simple hardware, such as the popular Raspberry Pi with USB radio dongles, can be combined with penetration testing software to attempt to gain access to unsecured wireless devices well within the physical confines of a ‘secure’ facility,” Klein says. “Without comprehensive network security on the inside, a single vulnerable point, such as a WAP with outdated firmware or a wired printer with wireless capabilities left at factory defaults, can provide the jumping off point for a larger internal attack.”

Drone detection technologies are currently available that allow organizations to identify and track drones hovering over or near their facilities. Tools are available that can jam a drone’s signal and cause it to fall from the sky.

However, in the US at least, there’s little that organizations in most sectors can proactively do to interfere with a drone’s operation besides contacting law enforcement, says Mark Schreiber, principal consultant at Safeguards Consulting, a professional physical security services consulting firm.

“Drones in the general case are treated like any other aircraft,” Schreiber says. “It is against the law to interfere with someone flying a drone near your facility.” So it’s important to do a risk assessment of drones being used by an adversary, the likelihood of that happening and knowing what the proper response should be, he says.

Drone takeover

Drones can be hacked and hijacked. In a widely publicized December 2011 incident, the government of Iran claimed its cyberwar unit had successfully jammed a US spy drone’s communications links and reconfigured the unit’s GPS coordinates to force the UAV to land in Iran instead of its base in Afghanistan. A couple of years earlier, engineers from the country claimed they had been able to intercept and download live video feeds from US Predator drones.

While some have challenged the validity of these claims, organizations need to be aware of the possibility their drones can be similarly taken over and hacked. So far, there have been few publicly known instances of an adversary taking control of a commercial drone. Plenty of research exists showing it is technically feasible.

“In many cases where a drone can be turned on the owner, the most common vector is the wireless communication that the drone platform provides,” Schreiber says. In fact, as far back as 2013, a security researcher demonstrated how an adversary could configure a drone to find other drones in the air within WiFi distance, hack into their wireless network, disconnect the original owner, and take control.

The reality is that the communication between a drone’s remote controller and the UAV, as well as the flight control electronics on the unit itself can be hacked into, just as it is possible with any connected system, analysts say.

Significantly, the on-board flight controller in a high-percentage of drones is based on open-source technology that has not been fully vetted for security issues, Acevedo says. “So, out-of-the box, they are not secure at all,” he says. “At some time, numerous people have had their fingers and toes in the code.” 

A security analysis of drones published in May 2020 on Elsevier’s ScienceDirect platform identified multiple threats and vulnerabilities in UAVs. Among them were GPS spoofing, malware infection, data interference and interception and malicious manipulation. For example, the links streaming video and other data to and from certain types of drones is not encrypted, making the information vulnerable to capture, modification and malicious code injection. “Many UAVs have serious design flaws, and most of them are designed without wireless security protection,” the paper noted. 

The increasing use of encrypted data links, including commodity WPA/WPA2/WPA3, should significantly reduce the probability of drone takeover in the next few years, Klein says. “[But] as unmanned systems continue to move away from purely remotely piloted line-of-sight operations towards beyond line-of-sight (BLOS) without direct operator oversight, the attack surface will increase for such takeovers.” Careful security planning for these airborne command and control systems will continue to be critical, as it has been for other SCADA and industrial IoT systems, he says.

Threats to drone data 

Organizations that use drones for any reason need to have a formal management plan and a process for protecting data the system collects. That includes knowing who is collecting the data and why, who is managing the data and controlling it, and what safeguards are in place to protect the data, says Acevedo. “When you bring your drone back to your place of business, where does the data go and who has access to it,” he says.

Sometimes there can be a tendency to think about the data collected by a drone to be of little value to an adversary. Routine geospatial or infrastructure-related data for one organization could mean insider data for a rival. The reality is that commercial drones can gather a lot of sensitive and potentially business impacting data that needs to be protected. Many come equipped with relatively large—and growing—on-board data storage capabilities.

One way to do minimize risk of data theft, for those willing to fly their drones essentially blind and dark, is to ensure your drone never connects to a Wi-Fi or other network while it’s operational, Acevedo says. Once on the ground, you need to have guidelines in place for extracting the data from the drone. Ideally, this should be done without connecting the drone to any network. “You pull the data off the drone, you isolate it on a separate drive, sanitize it and then flash the drive,” he says. Flashing the drive is a compromise because it sometimes can cause all data on it—including some that might be needed for operational purposes—to be erased.

Data on a drone is like data on any computing system that needs to be protected. “It just happens to be a moving platform,” Schreiber says. It’s important to understand what’s there on the platform and implement measures for protecting it. “Once you capture that data, extract it from a direct connection from the unit itself and wipe the unit clean before it reconnects to a network.”

Drone supply chain concerns

In January 2020, the US Department of the Interior temporarily grounded all its UAVs that were not being used for emergency purposes such as combating wildfires or assisting in search-and-rescue operations. The move stemmed from concerns that drones manufactured in other countries—specifically China—could be used for spying and collecting data from locations where they are being used. The Pentagon had already said it would stop using drones from China-based DJI, the world’s largest small drone manufacturer, citing vulnerabilities in the technology. The US National Defense Authorization Act for Fiscal Year 2020 currently bans federal use or procurement of foreign-made UAVs.

While DJI and the Chinese government have portrayed the decisions as being politically motivated, security experts say they do highlight an important point: Organizations need to pay attention to their drone supplier.

Many drones can “phone home” to receive updates from the manufacturer. The concern is the feature can be used to secretly siphon data from the UAV. “Both the systems on the drone itself as well as the remote control software, which typically operates on a cellular phone or tablet connected to a specialized controller are incredibly complex,” Klein says. The complexity of these systems and their communications makes it extremely challenging to analyze their security, even with techniques such as deep packet inspection within a corporate network, he says.

So, when a UAV transmits telemetry, it could simply be because the data is being used to improve the vendors’ products or the motive could be nefarious. A drone’s telemetry can provide information on how, where and when your drones are used, and even expose imagery and connected or nearby electronic device types and addresses, Klein says.

As part of their due diligence, organizations should research the drone maker to identify where the code was written and the provenance of all the components used in the unit. “The key thing I would reinforce is the need for a drone management program,” Schreiber says. “Drones should be incorporated into the risk management process,” for organizations considering UAVs. “It’s a new risk, but it should be assessed and managed.”