Security and drones — what you need to know
The drone security threat
Drones can bring huge benefits - for instance, your realtor can take aerial shots of your property. Or emergency medical supplies can be delivered by drone. But drones also raise privacy concerns.
Though a drone flying over your house and taking photos might be annoying, the privacy of your back yard is not always the biggest concern: drone security issues go much further than that. Drones can be hacked or used to hack other electronic devices. A hacker doesn't even need their own drone - they could hack yours in several ways to make it serve their own purposes. The cyber-security issues will only get more pressing as the population of drones in our skies increases and hackers get smarter at spotting any weaknesses in drone security.
How drones can be hacked
There are several different ways a drone can be hacked. Once the drone has been located, a hacker can potentially take control of the drone, or downlink video or other images which the drone is broadcasting to its base station. Hacking a drone isn't technically very difficult, and many drone operators leave their drones wide open to attack.
GPS spoofing for example, feeds the drone false GPS coordinates. The drone thinks it is following its original flight pattern but in fact is being led to a different location. A hacker out for fun might simply want to crash a drone deliberately, but a drone could also be used to crash into a car, a person, or even another drone. It could also be instructed to land near the hacker so that it can be stolen, together with its payload - which might, for instance, include a drone-mounted camera and the images stored on its memory card.
Drones can be hacked from as much as a mile away. Hijacking the command and control signal between the operator and the drone can deliver full control of the drone and its systems to the hacker. The radio signal is often unencrypted, making it easy to decode with a packet analyzer (or 'sniffer'), so hacking a drone signal isn't technically demanding. The signal might also simply be jammed, leaving the drone with no way to navigate itself.
Security researcher Samy Kamkar's Skyjack experiment in drone hacking went further, using a hijacked drone with a Raspberry Pi payload to hijack multiple other drones, creating a swarm under the hacker's control. Hacking a drone with another drone vastly expands the potential of the threat - it could be compared to the way botnets operate to perform DDOS attacks — taking over vast numbers of individual computers and devices.
Downlink threats allow a hacker to intercept data being transmitted from the drone to a base station. If video, for instance, is being broadcast from the drone to the controller, as is the case with First Person View (FPV) systems, it's vulnerable. That's particularly the case if the data is unencrypted (which is often the case with consumer systems).
Drone security tips
If you're worried about your own drone's security, you are not alone. Fortunately, there are many ways to make any drone more secure against the threat of drone hacking. These drone security tips should help secure your drone:
- Update the drone's firmware regularly. The major drone manufacturers issue patches when new security threats emerge, so regular updating should help keep your drone ahead of the hackers. (DJI issued a security patch after hackers accessed the manufacturer's website, allowing them to access flight logs, videos, photos and map views from drone users in real time. Yet, some clients refused to install it - giving hackers potential access to all their data.)
- Use a strong password for your base station app. Using a mix of letters, numbers and special characters to create a strong password will deter hackers; most will give up and go after easier prey. This should help avoid a malefactor hacking the drone signal.
- If you're using a smartphone or laptop as your controller, keep it secure and don't let it get infected by malware. (In 2012, several US Army drones were reported to have been infected by malware after an operator used a drone's computer to download and play a videogame.) Use anti-virus software, and don't download dodgy programs or apps.
- Subscribe to a Virtual Private Network (VPN) to stop hackers from accessing your communications when you're connected to the internet. A VPN acts as a secure gateway to the internet and encrypts your connection, so a hacker can't get in.
- Set a limit of one for the number of devices that can connect to your base station. That will prevent a hacker hijacking your signal to control other devices.
- Ensure your drone has a "Return to Home" (RTH) mode. Once you have set the home point, this will enable the drone to return if it loses signal, if your signal is jammed, or if the battery becomes depleted. This will enable you to recover your drone from a hijack situation. However, because RTH depends on GPS to work, it's not immune to GPS spoofing.
How hackers steal data with drones
Traditionally, computer systems have been protected around the perimeter, both in terms of the computer network and physically. However, data has become more mobile as Wi-Fi and the Cloud make it possible to access data from anywhere. Plus, the Internet of Things, together with RFID, enable data flows between smaller devices, such as security cameras, pallet labels, and goods tags in retail stores.
Technologies such as Wi-Fi, Bluetooth and RFID generally work only within a limited area, so physical access restrictions can often prevent hacking. But drones give hackers more mobility.
For instance, a small computer, such as a Raspberry Pi or ASUS Tinker Board, could be loaded onto a drone and dropped on the roof of an office building. It could then be used to carry out cyberattacks exploiting Wi-Fi, RFID or Bluetooth vulnerabilities. It could mimic a Wi-Fi network in order to steal data from tablets and smartphones, or hijack Bluetooth peripherals, such as mice and keyboards. Keylogging would enable a drone-mounted computer to steal passwords from users.
How to detect and stop malicious drones
Drones come under the remit of the Federal Aviation Administration (FAA) as Unmanned Aircraft (UAs) or Unmanned Aerial Vehicles (UAVs). That protects them in two important ways:
- you cannot shoot them down or interfere with them physically
- you must not interfere with signals between the controller and the drone.
So, any defense measures you take must focus on protecting your space and your data.
Geofencing is one way of dealing with the drone menace. Using GPS or RFID based software, geofencing creates a virtual border around a specified location. It will generate a response whenever an unauthorized drone enters the area, and controls wired into commercially available drones prevent them flying into (or taking off in) geofenced areas. Big drone makers like DJI and Parrot have installed geofencing for vulnerable sites, such as airports, prisons, and power stations in their drones.
However, some hackers have found ways to remove the geofencing software that prevents regular drones flying into restricted areas. Hacks for drones are easy to find on the internet; meanwhile, the simplest way to block geofencing is simply to fold tinfoil around the drone, blocking the GPS signal.
Geofencing is also not available to most consumers, despite an attempt in 2015 to start a No-Fly Zone registry.
If you can't block drones, can you detect them? There are a few ways to find out if a drone is coming your way, but all of them have flaws. So far, there's no 100% reliable way to catch a drone.
Radar is one method of drone detection, but it's not particularly reliable; for instance, it can mistake birds for drones. Acoustic sensors may be a better way to detect unwanted drones, since they can be programmed to recognize the sound signatures of particular drone types.
RF scanners can catch drones by checking the electromagnetic spectrum; they recognize drone transmissions. But drones that rely on GPS and don't use radio signals to navigate will not be caught this way.
Finally, thermal imaging detects the heat emitted by objects. This enables drones to be traced by their thermal footprint. However, there's a high rate of false positives.
Detecting and stopping drones is difficult. So rather than trying to spot malicious drones, most users are better served by stepping up their basic home and wireless security.
How to secure your networks and airspace against drone attacks
If you’re worried about drones invading your airspace, then a solution like Kaspersky Antidrone will help you regain that peace of mind. But if you're worried about drones stealing your data, the best way to protect your data is by ensuring you've locked down your data security.
- Use a VPN if you're working on Wi-Fi, to ensure your internet communications can't be hacked. Kaspersky provides a VPN Secure Connection that can protect you at home or when you're using public Wi-Fi hotspots.
- Secure all IoT devices in your home and confine them to a guest network, so a hacker can't get into your main network through a smart device.
- Don't leave your Wi-Fi router with the default username and password. Change the username, so hackers can't guess the type of router or the network you're using and have a strong password for access.
- Don't use identical passwords for different networks or devices - that makes it much easier for a hacker to gain access to your entire digital life once they've got a drone carrying a camera
The future of drones
The FAA believes that the big opportunity for drones isn't the hobby market, but the market for commercial drones. Drones could make deliveries, support surveying and mapping services, monitor crops, and be used for building safety inspections where it's dangerous for an inspector to go.
Given the possibilities, there will certainly be more drones around and that will create a bigger drone security threat.
It may not yet be clear how drones can improve their security, but businesses will have to do so before commercial drone use becomes widespread. So, it's important that drone security issues are properly addressed by drone manufacturers, as well as commercial users, and that you lock down your internet and home network to be safe from the menace of drone hacking.