As the global market for drones increases, with current predictions showing annual growth of 36% between 2018 and 2022 according to analysts, cybersecurity expert, IOActive, has expressed concerned at the threat potentially weaponised drones could pose to public safety. As the range and functionality of drones improve, and their cost reduces, weaponisation could become common, as poor cybersecurity could allow commercial drones to be hijacked by attackers.
IOActive says the following risks have yet to be considered:
- Cybersecurity: Poor cybersecurity controls will enable commercial drones to be hijacked with ease. Malicious actors could programme drones to fly to specific GPS coordinates to launch cyber-attacks on WiFi networks, or other types of wireless networks, while the attacker is miles away, as IOActive’s previous research shows. They could also be used to perform man-in-the-middle attacks, disseminate malware, or for GPS spoofing attacks, and as with webcams, they could also be used to spy on owners or steal data.
- Disruption and public safety: Already we have seen widespread disruption in airports due to drones being flown illegally into airport airspace. The drone activity that disrupted pre-Christmas flights in and out of London’s Gatwick airport cost airlines an estimated £50 million ($64.5 million). This is likely to continue, but with the added risk that this method of disruption could be used with malicious intent, with hacked drones being used to prevent air travel or even put passenger wellbeing at risk. Hacked drones could even be used to ‘divebomb’ pedestrians or to cause chaos at traffic intersections, putting human life at risk.
- Privacy: The capabilities of drones to take photos, and record audio and video in otherwise impossible to reach areas, raises several privacy issues. Drones can easily take high resolution pictures and movies through building windows, which could result in blackmail or other unwanted surveillance. In addition, the ‘follow me’ functionality could help people to turn drones into spying devices.
“With enough determination anything can be hacked, but the commercialisation of the drone market is making it all too easy – and many of the consequences for security, safety and privacy have simply not been thought through,” comments Cesar Cerrudo, CTO at IOActive. “The range of drones is of particular concern as it opens up new areas of vulnerability that many will not have considered. For example, off-shore oil rigs have previously been protected from many short-range cyber-attacks by their distance from land, but in the age of weaponised drones they could be fair game. We also see companies like Amazon trialling the use of drone deliveries, which also throws up problems – what if those drones are intercepted so that people can steal packages? Individual industries need to look at their own risk posture to determine if they need to make any changes in light of our new hovering frenemies.”
Cerrudo says manufacturers need to shoulder their share of the responsibility for the products they are bringing to market to ensure they are as secure as possible, saying:
“The relative speed at which these devices are taking to the sky raises several issues. While the use of drones within the military has been common for many years, those drones have been rigorously tested and built with security in mind – commercial manufacturers do not have the same concerns, they are more focused on getting their product to market than ensuring cybersecurity. This attitude needs to change. Security should be a fundamental part of the core deign, so that it is baked in from the ground up, rather than retrofitted as an afterthought. At the moment, drones are just sitting ducks.”
Lack of accountability and responsibility are also areas that needs consideration, concludes Cerrudo,
“The airline industry, governments, and manufacturers of these products all need to be vigilant and aware of the potential risks – there needs to be far greater accountability for safety and security. The issue just isn’t being given the seriousness it deserves and it’s better for all if action is taken before there’s a major incident that forces change to happen.”