Most security decision-makers are not aware that drones are one of the threats to IT security that they should definitely arm themselves against – even if they do not use them themselves.
Unmanned Aerial Vehicles (UAVs) or Unmanned Aerial Systems (UAS), better known as drones, are used for a variety of applications. Amazon has caused a sensation in the past with its planned Prime Air delivery service – others have preferred to quietly advance their own drone projects. The energy supplier Southern Company, for example, uses it to inspect infrastructure, the insurer Allstate Insurance uses UAVs to record property damage and Shell uses the technology to monitor its shale gas stocks around the world. The logistics service providers CVS and UPS have joined forces to set up a drone-based delivery service for medicines.
The analyst firm Gartner assumes that the productivity gains achieved with drones in the enterprise environment will lead to a further increase in demand: by 2028, the installed base in this area is expected to climb from 324,000 (2019) to around nine million.
So it is high time to become aware of the new security dangers that the use of drones brings with it, as James Acevedo from the security consultancy Star River knows: “A drone is a tool that can be used in almost any situation . Photos for espionage purposes are just as possible as eavesdropping or WiFi hacks – you can bring any technology into the air. “
- The flying eye
In the test, objects placed under water are to be found and identified using the camera attached to the drone.
Marc Schwarzbach (middle) and Dennis Häfner (left) from Autel Europe during the technical preparations for the first test flights. You will also discuss the test procedure with Markus Schmirler from the Munich-Riem water rescue service.
- Place of use
A bank that is heavily frequented and where the danger in the lake due to a steep slope is particularly high was chosen as the location for the first test.
- Warm flying
Dennis Häfner lets the quadrocopter into the air.
- The equipment
A diver sinks a child’s dummy and a light yellow towel a few meters below the surface. The drone’s camera should find the objects.
- Ready to dive
Marc Schwarzbach will fix the objects under water.
- Not enough ballast
The dummy child does not want to be brought under water yet.
- The first flight
The quadrocopter takes off for the first lap across the lake.
- What to see
The drone camera provides films on which those involved in the project try to recognize the doll and the yellow towel.
- Attentive bathers
Of course, a drone that flies over the lake also attracts the attention of bathers. Questions are allowed.
- In shallow water
At a shallow depth, the doll and the towel are of course clearly visible. Also because the water is still clear there.
- First round is complete
The testers of the first hour (from left): Bernhard Rück (Wasserwacht), Marc Schwarzbach (Autel), Dennis Häfner (Autel), Markus Schmirler (Wasserwacht) and in the foreground the quadrocopter.
- What do the films show?
Uwe Wagner (left), technical director of the Munich Riem water rescue service, watches the films on a laptop screen together with Autel employees.
- The second test run
Later that afternoon and at a different location, the water watch puts another doll under the water. In the background, the drone is already tracking the lifeboat.
- The doll refuses
In the second run, too, the doll immediately refused to go under water.
- Ready to go
The search and the film recordings can now be started. The project participants will evaluate the film material in the coming weeks.
- Support Munich universities
The second project meeting takes place at the Technical University of Munich. Florian Holzapfel, professor at the chair for flight system dynamics there, and Alfred Schöttl, head of the faculty of electrical engineering and information technology at the University of Applied Sciences in Munich find the project interesting and want to support it. (from left Markus Schmirler, Alfred Schöttl, Marc Schwarzbach and Florian Holzapfel)
As Max Klein, Chief Technology Officer at the aviation specialist SCI Technology, explains, the way it works makes the drone a potent weapon in the wrong hands: it overcomes traditional, physical defensive measures with ease, while the attacker does not even have to be on site. This is precisely why the military, for example, has been relying on the properties of UAVs and UAS for a long time – for monitoring purposes and to obtain information.
“Traditional physical security measures can protect against threats that swim, crawl, walk, or run – but in most commercial environments there are no protective measures against aerial threats,” Klein said. The CTO added that the chance that unmanned aerial systems will be detected by perimeter intrusion detection systems is zero. Even if effective countermeasures against UAS were established, be it because of the wireless or even preprogrammed remote operation, it would be very difficult to track down the operator of the aircraft.
Drones are particularly suitable for surveillance purposes, says Klein. From a distance of a few hundred meters they can hardly be heard – neither optically nor acoustically. The built-in cameras, on the other hand, are very well able to precisely identify individuals from this distance. UAVs are thus practically perfect espionage tools, because their capabilities are not limited to optical espionage: “With the help of simple hardware such as a Raspberry PI, they can also be combined with pentesting software to identify and identify unsecured wireless devices within the physical limits of” secured “environments compromise. Without sustainable network security, a single vulnerability is sufficient as a starting point for a large-scale hacker attack. “
Technologies for defense against drones are now widely available. However, you should always observe the applicable legal regulations.
If UAVs are already in use on the factory premises, there is a risk that they will be hacked or misappropriated. In December 2011, for example, the Iranian government claimed that its cyber unit had successfully crippled a US spy drone and configured it to land in Iran instead of its base in Afghanistan. A few years earlier, Iran had claimed to have intercepted live video feeds from US drones. Even if experts still disagree about how much of the information is actually there, companies should be aware that their drones can be manipulated or hacked in a si
milar way. So far there are hardly any known cases in which attackers have “taken over” a commercial drone. However, there are numerous studies that show that this is technically feasible. As early as 2013, a security expert demonstrated, for example, how an attacker can configure a drone in such a way that it uses the WiFi signal to track down other UAVs in its vicinity, compromise them and control them externally.
Both the communication between the remote controller and the UAV as well as the electronic flight control systems are vulnerable. It is particularly worrying that a high percentage of commercial drones are based on open source technology that has not been adequately checked for security vulnerabilities, as security specialist Acevedo knows: “Out-of-the-box, these devices are anything but secure . “
A security analysis of drones from May 2020 revealed numerous different threats and security gaps in UAVs. These included GPS spoofing, malware infections, the interception of data and malicious manipulation. The video and data streaming is not encrypted in many drone models, which makes communication vulnerable. Accordingly, the research paper also comes to the conclusion: “Many UAVs have serious design flaws and most models have no wireless protection measures on board.”
Companies that use drones – for whatever purpose – need both a strategy and processes to protect the data that these systems aggregate. You should ask yourself the following questions:
Who collects the data and for what purpose?
Who manages and controls the data?
Who has access to the data?
Which measures are used to protect the data?
At this point you might be thinking that the data from a drone is of no value to competitors or attackers anyway. However, geospatial data already routinely collected or related to infrastructure can be useful to rivals.
For example, to minimize the risk of data leakage or data theft, many UAVs can be configured so that they do not connect to wireless networks while in operation. Once the drone has landed on solid ground again, a process for data extraction needs to be set up. If possible, this should also take place without a network connection – for example with the help of a separate USB drive. Once the extraction is complete, the data on the UAV should be deleted.
The ever worsening trade war between China and the USA does not stop at drones: The Pentagon announced some time ago that it would no longer use drones from the market-leading Chinese manufacturer DJI. A resolution passed by Congress stipulated that US authorities and institutions are no longer allowed to use UAVs from foreign manufacturers.
Whether these decisions are politically motivated or not remains to be seen – yet these developments bring another crucial point into the limelight: Companies should be aware of where and by whom their UAVs are manufactured. After all, many drones can “call home” for updates. A common concern is that other data will also be transferred in the process. Since the remote control software and the communication between these systems are extremely complex, they are not so easy to analyze in terms of security either.
Companies should conduct due diligence to research the manufacturer to find out where the code was written and which components the device consists of. (fm)
This article is based on an article from our US sister publication Network World.