How easy is it to buy a drone? As simple as swiping your card or putting in your details to make that purchase. Ta-da, you are now a proud owner of a drone.
However, drones pose several risks that the makers may not have anticipated. Or maybe it was!
In recent years, drones have been considered an alternative for various purposes across industries, including using unmanned aircraft in disaster relief, rescue operations, media, military, and logistics.
So, yes… in the near future, you may have a flying vehicle delivering your Amazon package. So, what’s the downside, you may ask… That’s where things get dark.
Anyone can buy a drone. This means anyone, including criminals, can exploit the very technology created for the benefit of humankind.
But that isn’t something new, right? For years, technology has been abused by law-breakers and wrongdoers who know how to manipulate it for their own benefit.
Just like a sly malware, unmanned aerial vehicles (UAVs), in the hands of a miscreant, have the ability to breach privacy without detection. Drones can discreetly gather data and capture images without attracting undue attention.
You may not even be aware of a drone flying over your backyard, mapping and scanning the very area you feel secure in. However, privacy is not the only concern.
In recent years, hackers have played around with the technology to orchestrate attacks, indicating how severe the situation could be.
In October 2022, hackers were able to target and compromise the systems of a US financial services company using DJI drones.
By safely landing the drones on the company’s roof, the cybercriminals deployed the modified Wi-Fi Pineapple devices to capture network credentials. By using stolen credentials, the hackers could access the internal networks and steal sensitive data. The attack reportedly significantly impacted the company’s operations.
While the company’s name was never disclosed, security researcher Greg Linares detailed how the hackers could conduct the security breach using drones in a series of tweets.
“An east coast company specializing in private investments detected unusual activity on their internal confluence page originating on their own network. During the incident response, they discovered that the user whose MAC address was used to gain partial access to their WIFI was also logged in from their home several miles away. The team deployed embedded WIFI signal tracing and a Fluke system to identify the WIFI device,” the post began.
“This led the team to the roof, where a ‘modified DJI Matrice 600’ and a ‘modified DJI Phantom’ series were discovered. The Phantom was carrying a ‘modified Wifi Pineapple Device’,” the tweet continued.
Linares further explained that the Matrice was found to be carrying a case containing Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device.
Moreover, the DJI Phantom drone had originally been used a few days prior to intercept a worker’s credentials and WIFI. This data was then hard-coded into the tools that were deployed with the Matrice.
“These tools were used to directly target the internal confluence page in order to target other internal devices from credentials stored there,” Linares stated.
In an interview with The Register, Linares noted that drone technology had come a long way. “This paired with drone payload options getting smaller and more capable – e.g., Flipper Zero kit – … make viable attack packages that are reasonable to deploy,” Linares said.
In his post, Linares called this incident to be the third “real-world drone-based attack” he encountered in the past two years.
And there are more to come.
If cybercrime were to be measured as a country, then it would be the world’s third-largest economy after the U.S. and China, noted a report by Cybersecurity Ventures published in October 2022.
The global cybercrime damage cost is predicted to grow by 15% per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015, the report stated.
Simultaneously, the drone industry has experienced a significant surge in growth.
According to the latest report by Fortune Business Insights, the global commercial drone market growth was valued at $8.77 billion in 2022 and is projected to grow from $10.98 billion in 2023 to $54.81 billion by 2030.
The report highlights how drone services are displacing traditional legacy services in the commercial sector.
Many renowned organizations are investing in designing and developing lightweight commercial drones tailored for a wide range of applications. These include medical emergency transportation, inspection and maintenance, filming and photography, mapping, surveying, and surveillance, among others.
Moreover, with the integration of AI-powered technology, drones now possess advanced computer vision systems, including cameras and sensors, that can accurately understand and interpret the environment.
Interestingly, a surge has also been noted in the number of registered drones with the Federal Aviation Authority (FAA) for commercial use.
According to a Cybernews report, FAA-registered drones exceeded nearly 1 million compared to the United States, which issued approximately 300,000 commercial pilot licenses in 2022.
It is essential to note that these figures exclude drones operated by amateur pilots or hobbyists who don’t require professional licenses, highlighting how vast the current drone landscape is.
Additionally, drones operating below weight limitations (typically under 250 grams) may not require licensing or registration, although registration with local or federal authorities may still be necessary.
As drones continue to increase in accessibility, affordability, and popularity, it is crucial to recognize that regulations and privacy concerns persist as significant challenges for the drone industry.
How easily can a drone be hacked?
There is no denying the fact that drones, like all electronic devices, can be hacked. However, the question is… How easily can a drone be compromised? As the scope of drone-related security issues extends far beyond privacy.
A recent report by Kaspersky revealed that gaining unauthorized access to a drone through hacking is not necessarily a technically challenging task, as numerous drone operators inadvertently leave their drones vulnerable to attacks.
Another report stated that drones can be “hacked easily” due to their reliance on wireless communication between the remote control and the aircraft.
Moreover, threat actors employ multiple approaches when attempting to hack drones. These approaches encompass various techniques, strategies, and methodologies that are specifically designed to exploit vulnerabilities and weaknesses in drone systems.
What’s concerning is that these hackers may not even need to possess their own drones. Instead, they can leverage various exploitative methods to compromise and gain control over drones, manipulating them for their own malicious intentions.
Types of drones
Drones can be divided into four broad categories: commercial drones, military drones, Fixed Wing Drones, and Quadcopters.
- Commercial Drones: Designed for commercial use, these are utilized in various industries such as aerial photography and videography, delivery services, agriculture, inspection and surveying, and more.
- Military Drones: Also known as unmanned combat aerial vehicles (UCAVs) or unmanned aerial systems (UAS), armed forces use these for reconnaissance, surveillance, target acquisition, and even offensive operations. These drones vary in size and capabilities and can carry out airstrikes
- Fixed Wing Drones: Similar to traditional airplanes, fixed Wing Drones achieve flight through forward motion and rely on the lift generated by their wings. They can fly for long durations and at higher speeds compared to other drone types. They are often used for mapping, aerial surveying.
- Quadcopters: These multirotor drones are characterized by having four rotors. Widely popular due to their manoeuvrability, these achieve flight and stability by adjusting the rotational speeds of these four rotors. They are commonly used in aerial photography, recreational flying, and racing events.
How can a drone be hacked?
Threat actors exploit various methods to gain access to drones. However, these may vary based on the drone model, its security features, and vulnerabilities in its system.
- GPS Spoofing: It is a way to confuse the drone into following false navigation instructions. This is done by either sending a strong signal (Overt spoofing) to overwhelm the legitimate GPS signal or by sending a weaker signal (covert spoofing) similar to the legitimate GPS signal.
- Signal Interference: In this type of attack, hackers may try to disrupt the communication link between the drone and its controller by jamming or interfering with the radio frequency signals.
- Malware and Firmware Exploitation: Through this, hackers can exploit vulnerabilities in the drone’s software or firmware by injecting malicious code or exploiting software weaknesses. If successful, the hacker can gain unauthorized access to the drone’s functions and control.
- Wi-Fi Hacking: Often, commercial drones rely on open Wi-Fi connections, leaving them vulnerable to attacks. In this, hackers may attempt to exploit weaknesses in the Wi-Fi network to gain unauthorized access to the drone’s controls or intercept the transmitted data.
- Physical Access: In some cases, hackers may target the physical components of the drone. By gaining physical access to the drone, they can modify its hardware, firmware or even implant malicious devices to gain control or extract sensitive information.
While flying a drone may be on your checklist, it is essential to understand how these systems can be exploited if left vulnerable. The dual classification of drones as both aircraft and networked computing devices gives them a distinctive legal position, which can be easily exploited by threat actors.
The US laws and regulations surrounding drone access and usage strive to safeguard the public, yet hackers persistently seek opportunities to exploit any loopholes. This highlights the need to understand the factors that contribute to the threat of drone-related cyberattacks and take proactive measures to mitigate them.