Cyber drone-jacking: Emerging threats to Unmanned Aerial Vehicles
The introduction of military Unmanned Aerial Vehicles (UAVs) by the Central Intelligence Agency in the skies over Afghanistan during 2000 represented a fundamental shift in intelligence gathering capabilities. Today, UAVs are used for a wide range of military missions such as border surveillance, reconnaissance, transportation and armed attacks. Following their successful deployment in military and intelligence applications, drones have seen rapid adoption in both public and private sectors, acting as a supplement or substitute for traditional modes of delivery.
UAVs are presumed to be reliable, automated and autonomous machines, providing their services at any time. Based on these presumptions, government, military and emergency service leaders hope that UAVs will improve national security and public safety while business leaders expect to see positive returns on their investment to improve their services. But from a purely technical perspective, UAVs are highly exposed, multi-linked complex pieces of hardware.
To fulfil their missions, UAVs need to collect and process data. Contemporary UAVs may contain information about troop movements to environmental information and commercially sensitive business operations. The volume of information contained within, and communicated to and from drones, has already made them a high value target for espionage, endangering UAVs to manipulation through cyber-attack.
Game of drones
By 2012 the U.S. military had increased its investment in research and production of UAVs from $2.3 billion in 2008 to $4.2 billion. Despite this rapid increase in investment it could not prevent Predator drones from being hacked during 2009 by Iraqi insurgents who reportedly intercepted live video feeds from the military drones using a $25.95 Windows application that allowed them to track the pilotless aircraft undetected. Senior defence and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link. Hackers working with Iraqi militants were able to determine which areas of the country were under surveillance by the U.S. military.
The inexpensive software, created by a Russian company called SkyGrabber, was downloadable from the Internet which intercepted data received from a satellite dish. The software developer Andrew Solonikov, has insisted the SkyGrabber was not developed for the use of hacking military drones stating that: “Somebody has invented a way to use this program outside of its intended purpose but generally speaking, this points to a large security gap that the American military has missed.” The incident not only potentially compromised sensitive operations but sparked serious concern amongst government security and defence experts in the cyber security of UAVs.
As digital circuitry and wireless technology become an integral part of increasing numbers of consumer and industrial goods, the opportunities available for cyber-criminals to compromise or exploit these items grows. UAVs are now an emerging security concern – both as targets for cyber-attack, and as potential attack vectors for malicious actors. Drones use the most advanced technological equipment and research into these vehicles is providing continuous improvements, resulting in a new generation of UAVs characterized by high performance, high autonomy and extreme versatility which makes their use suitable for many applications.
Despite the new generation of drones being packed with the latest technical tools, a team of researchers at Netherlands’ University of Twente have demonstrated how high-end drones commonly deployed by government agencies and police forces can be remotely exploited by rogue hackers. The research team found security flaws in drone’s radio connections providing an opportunity to attack the vehicle with only a laptop and a cheap USB-connected chip. The researchers’ found that they could easily exploit the lack of encryption between the drone and its controller module. Furthermore, the team warned that any sophisticated hacker who is able to reverse engineer the drone device’s software would be able to send navigational controls, block all commands from the real operator, or even crash it to the ground. The research at the University of Twente is just one of a growing number of independent tests which are discovering a worrying array of UAV security design flaws in what is a rapidly expanding market place.
The latest UAV research suggests that annual revenues from commercial drone sales are expected to reach $500 million this year, up by 84% on last year’s figure of $261 million. Research focusing upon the consumer and commercial applications, regulations and opportunities for 2015-2020, found that a low price point had significantly reduced the barrier to entry in many sectors, with high performance models now available for less than $3,000. The cost-effectiveness of commercial UAVs has seen their successful deployment as crucial links in supply chain logistics for the pharmaceutical industry, enabling delivery of fresh blood plasma and essential drugs to remote regions inaccessible to other forms of transport.
UAVs have also proven their value as reconnaissance and delivery agents in the health care and emergency services sectors, supporting fire and rescue operations. In agriculture, drones are being used to chart patterns and success rates for irrigation, and to monitor the health of growing crops via infrared and other technologies. Video and still cameras mounted on UAVs provide promotional imagery for the real estate market and innovative angles for documenting sporting events and other public gatherings. A small number of innovative retail outlets, food chains and restaurants are now routinely using drones to fulfil customer demands for a high-speed service, amplifying growth in a new commercial market for UAV capabilities.
Reducing the risk
The rapid proliferation of UAVs is, however, having a real impact for authorities who are seeking ways in which to effectively manage and safeguard the use of drones. By 2020, the Federal Aviation Administration (FAA) expects to have as many as 30,000 drones flying over the U. S. Unfortunately, “widespread” doesn’t necessarily equate to “safe to use”. Many UAVs have inherent and potentially serious design flaws. Given their manoeuvrability, small size, and the fact that their combination of on-board processing power, photographic equipment, and connectivity makes them the equivalent of flying laptops, it is no wonder that drones are now perceived as viable threats to information security. Poorly secured or unsecured wireless networks are seen as particularly vulnerable, with attack scenarios envisaged where compromised or purpose-bought UAVs could be flown or discreetly landed in the vicinity of a hot spot, and used to stage Man in the Middle (MitM), data injection, and similar attacks over guest and short-range WiFi, Bluetooth, and other wireless connections.
The jacking of drones presents a new and emerging danger within the ever expanding attack vectors of the contemporary cyber-criminal. As the technology evolves and new opportunities for cyber-attackers present themselves, security professionals will need access to a range of measures to combat a growing threat. To reduce the risk, in-depth research into cyber-attack threats and vulnerability identification of UAV systems is needed. This research should include the study of more sophisticated attack scenarios together with the development of metrics for UAV cyber-attacks. According to research conducted at Purdue University, so far, a metric for measuring either a likelihood (or probability) or a damage potential of cyber- attacks on a UAV does not exist. Conducting rigorous programmes of UAV cyber security research will serve to strengthen the safe use of drones and reduce their vulnerability to attack from contemporary cyber criminals.
Asia & the Pacific
Cities across Europe remain under siege from recent terrorist events fuelled by the extremist ideology espoused by Daesh. The UK has witnessed four terror attacks in as many months, three of them occurring in London, including incidents outside the Finsbury Park Mosque, on Westminster Bridge and London Bridge. The...
A study by Non-Resident Fellow, Andrew Staniforth on the available strategic responses to terrorist activities; endorsed by Lord Carlile of Berriew, former UK Independent Reviewer of Terrorism.
Asia & the Pacific
The unrelenting pace of technological change epitomises the domain of cybercrime and cybersecurity with criminals constantly developing new and transformed attacks. These innovations in cybercrime include those within the Dark Web – the collection of websites that exist on an encrypted network that cannot be found by using traditional...