April 29, 2016 By Kelly Ryver 5 min read

In spite of being relatively new technology, drones of varying types and sizes are readily available for consumer purchase. Where there was once one to two predator drones, now there are delivery drones, hobby drones, news drones, Hollywood drones and sightseeing drones.

Drone Electronics and Operating System

Some experimentation in taking a drone apart revealed that most ready-to-ship drones come with the same electronics as a smartphone or tablet. Nearly all drone code is the same as that found in Android except for open-source coding efforts built on Linux platforms, which can be found at Dronecode.

Onboard cameras are capable of storing video — anywhere from five minutes to two hours of video on a USB stick. Some advanced operating systems allow for real-time upload of video to external storage networks.

Even the cheapest drones have fully operational Wi-Fi, radio frequency and Bluetooth antennas or a combination of all three.

Types of Drones and Movement Capability

Drones come in many types or designs, such as aerial, aquatic, submersible, ground-based, quadrupedal and bipedal walkers, and those that can adhere to walls and ceilings. Several universities in the U.S. are experimenting with insect- and animal-like models, but these are not readily available to consumers — yet.

Drone movement can be preprogrammed or manually controlled by a hand-held device. Manual control requires radio frequency and can operate in several spectra:

  • Various short-range FM and UHF bands;
  • Unregulated frequency bands (typically 2.4 GHz and 5 GHz); and
  • Bluetooth technology frequency bands (very short range).

If a drone requires human control for movement, it is classified as a semiautonomous system. If its route or actions can be preset and do not require human intervention to move, it is considered an autonomous system.

Movement is typically along the x- and y-axes. It can be preprogrammed via code, derived from GPS reference coordinates, given by magnetic orientation or taken from optical cues such as guide markings or lights. Because of these abilities, individuals and organizations must be aware of the threats drones can pose.

Nefarious Drone Uses Within Industrial Areas

Industrial plants should have well-documented plans for avoiding or, at the very least, responding to the following scenarios:

  • Drones flying directly over nuclear cooling towers, where they can simply be shut off or drop while carrying an explosive payload;
  • Drones targeting or running reconnaissance on sensitive areas such as power junctions where touching two lines is enough to cause a blackout; and
  • Drone submarines that can propel themselves into hydroelectric turbines or detonate an explosive next to an aging dam.

New software allows drone operators to incorporate infrared and night vision, which could easily be employed to watch and document security patrols around corporate locations, military installations, national laboratories and federal buildings.

Nefarious Drone Uses Against Corporations

Public and private companies that plan to introduce drones into their environment should have solid response plans for the following:

  • Drones that are stolen from corporate teams and used to play back video, audio or motion maps;
  • Drones that are wired with microphones used to either eavesdrop on sensitive conversations, execute electronic harassment or commit industrial espionage;
  • When data stored on drones can be replayed so that current conditions are not actually displayed (i.e., replay data from two months ago). Granted, this is a sophisticated repurpose but not entirely unfeasible; and
  • When the drone network or infrastructure is hacked from within the organization or as the program is developed, which usually means complete compromise of all data. This is an entirely new twist on insider threats and will require the same care and thought that goes into any threat program.

Risk Scenarios and Nefarious Uses Against Civilians

The potential to use this cutting-edge technology against civilian populations is staggering. This short section will not do justice to the myriad of ways criminals will repurpose this technology. Here are a few examples that come to mind:

  • Drones can be shut down midflight, injuring bystanders and causing property damage, or flown into situations like traffic jams, buildings or people.
  • Drones can be flown into sports venues packed with spectators. This seems like a fairly innocuous scenario until you consider how fast the propeller blades on these drones spin. Removing the plastic guards essentially turns them into flying, radio-controlled razor blades.
  • Drones can be flown into commercial jets or jet engines while in flight. Interestingly enough, this scenario has played out several times in the past few months at several airports.
  • Terrorist organizations could easily design and build a drone capable of carrying several pounds of explosives into public areas and government buildings.
  • Terrorist organizations and extremists could handle, with a high degree of anonymity, explosive or incendiary payloads, radioactive materials, chemical agents or biological agents.
  • Any individual with a teaspoon of technical know-how could use drones to stalk, harass or eavesdrop on another individual.

Potential Physical Security Measures

Reliance on human observation alone is impractical. As a result, the following security measures are viable:

  • A defensive perimeter can be established around power generation and distribution facilities. It should be implemented around all critical infrastructure and commercial and private airports. For these situations, a mesh of multiple defensive measures will most likely be required.
  • Power line protection is logistically unfeasible at this time due to technology limitations, but this should definitely be given further thought.
  • Acoustic and/or frequency spectrum monitoring equipment and a motion sensing network should be established both inside and outside of sensitive areas. The monitoring networks could be designed to sound an alarm, send a text message to your mobile phone or send an alert to the wearable on your wrist.

In a worst-case scenario, physical security personnel could practice their skeet shooting technique on the rogue drone, purchase a couple of drone-hunting eagles or deploy a kill-switch perimeter.

Practical Legal Measures

Organizations must also take care to approach a drone scenario carefully. There are various legal measures to consider:

  • Well-defined safety, technical and legal procedures on how to take control of a rogue or hostile drone could be defined in advance.
  • Handling of any questionable drones should be treated much like any other evidence, with proper chain of custody. Otherwise, any data captured and stored could be compromised by mishandling, thereby diminishing any legal and evidentiary value.
  • The vulnerabilities of the chipsets, operating systems, configurations and control interfaces should be clearly defined and remediated as appropriate. For those vulnerabilities that cannot be fully remediated, contingent controls should be established.
  • Vetting of all existing and future drone acquisitions by a company should include a technical vulnerability analysis and penetration testing, just like any other hardware.
  • A database should be established to document all drones’ history and operational usage. The information required will include, but is not limited to, acquisition (e.g., PO, vendor, manufacturer, date of receipt), physical inventory, picture of device, transmitter and receiver serial numbers, frequencies used, data and radio vulnerability analysis, department assigned and any maintenance performed on the device.
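As an added illustration (not part of the original article), the register described in the last item can be a small SQLite database whose queries enforce the vetting item above it. Table, column and function names are assumptions, the sample rows are constructed, and the rule that maintenance after the analysis date calls for a re-test is also an assumption.

```python
import sqlite3

# Columns mirror the fields the article lists; all names are assumptions.
SCHEMA = """
CREATE TABLE drone (
    id INTEGER PRIMARY KEY,
    po_number TEXT NOT NULL, vendor TEXT NOT NULL, manufacturer TEXT NOT NULL,
    date_received TEXT NOT NULL,           -- ISO 8601 date
    picture_path TEXT,
    transmitter_serial TEXT NOT NULL UNIQUE,
    receiver_serial TEXT NOT NULL UNIQUE,
    frequencies_mhz TEXT NOT NULL,         -- comma-separated
    vuln_analysis_date TEXT,               -- NULL until data/radio analysis is recorded
    department TEXT                        -- NULL while unassigned
);
CREATE TABLE maintenance (
    drone_id INTEGER NOT NULL REFERENCES drone(id),
    performed_on TEXT NOT NULL, description TEXT NOT NULL
);
"""

def open_register(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def unvetted_in_service(db):
    """Serials of drones assigned to a department with no vulnerability analysis on record."""
    q = ("SELECT transmitter_serial FROM drone WHERE department IS NOT NULL "
         "AND vuln_analysis_date IS NULL ORDER BY transmitter_serial")
    return [r[0] for r in db.execute(q)]

def retest_candidates(db):
    """Serials whose latest maintenance is newer than their analysis (assumed re-test rule)."""
    q = ("SELECT d.transmitter_serial FROM drone d JOIN maintenance m ON m.drone_id = d.id "
         "WHERE d.vuln_analysis_date IS NOT NULL GROUP BY d.id "
         "HAVING MAX(m.performed_on) > d.vuln_analysis_date ORDER BY d.transmitter_serial")
    return [r[0] for r in db.execute(q)]

def demo_register():
    """Build an in-memory register from constructed sample rows."""
    db = open_register()
    db.executemany(
        "INSERT INTO drone VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        [(1, "PO-1001", "ExampleVendor", "ExampleMfr", "2016-01-15", None,
          "TX-0001", "RX-0001", "2400", "2016-02-01", "Facilities"),
         (2, "PO-1002", "ExampleVendor", "ExampleMfr", "2016-03-02", None,
          "TX-0002", "RX-0002", "2400,5800", None, "Survey"),
         (3, "PO-1003", "ExampleVendor", "ExampleMfr", "2016-04-11", None,
          "TX-0003", "RX-0003", "5800", None, None)])
    db.execute("INSERT INTO maintenance VALUES (1, '2016-03-10', 'receiver module replaced')")
    return db
```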

There Is a Positive Side

Drones can be employed for a wide range of beneficial uses. Some examples include monitoring gas leaks along pipelines where it may be too dangerous for a crew, furthering rescue efforts after earthquakes or natural disasters, determining how bad a meltdown at a reactor is, monitoring livestock, mapping terrain, completing storm damage assessments, monitoring the migration habits of endangered species in remote regions and catching poachers on private property.

Complete Lack of Security Framework

The National Institute of Standards and Technology (NIST) has not yet published a framework for drone hardware, components or source code. Likewise, there is no National Security Agency (NSA) or National Institute of Crime Prevention (NICP) protection profile for drone software outside of those used by the military.

Even scarier is the total lack of any type of standards, governance or open-source security project related to third-party controls and code bases. These standards and security measures will become necessary in the very near future.

A special thanks to my colleague Mark Carey for helping prepare some of these talking points.
