April 29, 2016 By Kelly Ryver 5 min read

In spite of being relatively new technology, drones of varying types and sizes are readily available for consumer purchase. Where there was once one to two predator drones, now there are delivery drones, hobby drones, news drones, Hollywood drones and sightseeing drones.

Drone Electronics and Operating System

Some experimentation in taking a drone apart revealed that most ready-to-ship drones come with the same electronics as a smartphone or tablet. Nearly all drone code is the same as that found in Android except for open-source coding efforts built on Linux platforms, which can be found at Dronecode.

Onboard cameras are capable of storing video — anywhere from five minutes to two hours of video on a USB stick. Some advanced operating systems allow for real-time upload of video to external storage networks.

Even the cheapest drones have fully operational Wi-Fi, radio frequency and Bluetooth antennas or a combination of all three.

Types of Drones and Movement Capability

Drones come in many types or designs, such as aerial, aquatic, submersible, ground-based, quadrupedal and bipedal walkers, and those that can adhere to walls and ceilings. Several universities in the U.S. are experimenting with insect- and animal-like models, but these are not readily available to consumers — yet.

Drone movement can be preprogrammed or manually controlled by a hand-held device. Manual control requires radio frequency and can operate in several spectra:

  • Various short-range FM and UHF bands;
  • Unregulated frequency bands (typically 2.4 GHz and 5 GHz); and
  • Bluetooth technology frequency bands (very short range).

If a drone requires human control for movement, it is classified as a semiautonomous system. If its route or actions can be preset and do not require human intervention to move, it is considered an autonomous system.

Movement is typically along the x- and y-axes. It can be preprogrammed via code, provided through reference coordinates from a GPS, and given by magnetic orientation or from optical cues such as guide markings or lights. Because of these abilities, individuals and organizations must be aware of the threats drones can pose.

Nefarious Drone Uses Within Industrial Areas

Industrial plants should have well-documented plans for avoiding or, at the very least, responding to the following scenarios:

  • Drones flying directly over nuclear cooling towers, where they can simply be shut off or drop while carrying an explosive payload;
  • Drones targeting or running reconnaissance on sensitive areas such as power junctions where touching two lines is enough to cause a blackout; and
  • Drone submarines that can propel themselves into hydroelectric turbines or detonate an explosive next to an aging dam.

New software allows drone operators to incorporate infrared and night vision, which could easily be employed to watch and document security patrols around corporate locations, military installations, national laboratories and federal buildings.

Nefarious Drone Uses Against Corporations

Public and private companies that plan to introduce drones into their environment should have solid response plans for the following:

  • Drones that are stolen from corporate teams and used to play back video, audio or motion maps;
  • Drones that are wired with microphones used to either eavesdrop on sensitive conversations, execute electronic harassment or commit industrial espionage;
  • When data stored on drones can be replayed so that current conditions are not actually displayed (i.e., replay data from two months ago). Granted, this is a sophisticated repurpose but not entirely unfeasible; and
  • When the drone network or infrastructure is hacked from within the organization or as the program is developed, which usually means complete compromise of all data. This is an entirely new twist on insider threats and will require the same care and thought that goes into any threat program.

Risk Scenarios and Nefarious Uses Against Civilians

The potential to use this cutting-edge technology against civilian populations is staggering. This short section will not do justice to the myriad of ways criminals will repurpose this technology. Here are a few examples that come to mind:

  • Drones can be shut down midflight, injuring bystanders and causing property damage, or flown into situations like traffic jams, buildings or people.
  • Drones can be flown into sports venues packed with spectators. This seems like a fairly innocuous scenario until you consider how fast the propeller blades on these drones spin. Removing the plastic guards essentially turns them into flying, radio-controlled razor blades.
  • Drones can be flown into commercial jets or jet engines while in flight. Interestingly enough, this scenario has played out several times in the past few months at several airports.
  • Terrorist organizations could easily design and build a drone capable of carrying several pounds of explosives into public areas and government buildings.
  • Terrorist organizations and extremists could handle, with a high degree of anonymity, explosive or incendiary payloads, radioactive materials, chemical agents or biological agents.
  • Any individual with a teaspoon of technical know-how could use drones to stalk, harass or eavesdrop on another individual.

Potential Physical Security Measures

Reliance on human observation alone is impractical. As a result, the following security measures are viable:

  • A defensive perimeter can be established around power generation and distribution facilities. It should be implemented around all critical infrastructure and commercial and private airports. For these situations, a mesh of multiple defensive measures will most likely be required.
  • Power line protection is logistically unfeasible at this time due to technology limitations, but this should definitely be given further thought.
  • Acoustic and/or frequency spectrum monitoring equipment and a motion sensing network should be established both inside and outside of sensitive areas. The monitoring networks could be designed to sound an alarm, send a text message to your mobile phone or send an alert to the wearable on your wrist.

In a worst-case scenario, physical security personnel could practice their skeet shooting technique on the rogue drone, purchase a couple of drone-hunting eagles or deploy a kill-switch perimeter.

Practical Legal Measures

Organizations must also take care to approach a drone scenario carefully. There are various legal measures to consider:

  • Well-defined safety, technical and legal procedures on how to take control of a rogue or hostile drone could be defined in advance.
  • Handling of any questionable drones should be treated much like any other evidence, with proper chain of custody. Otherwise, any data captured and stored could be compromised by mishandling, thereby diminishing any legal and evidentiary value.
  • The vulnerabilities of the chipsets, operating systems, configurations and control interfaces should be clearly defined and remediated as appropriate. For those vulnerabilities that cannot be fully remediated, contingent controls should be established.
  • Vetting of all existing and future drone acquisitions by a company should include a technical vulnerability analysis and penetration testing, just like any other hardware.
  • A database should be established to document all drones’ history and operational usage. The information required will include, but is not limited to, acquisition (e.g., PO, vendor, manufacturer, date of receipt), physical inventory, picture of device, transmitter and receiver serial numbers, frequencies used, data and radio vulnerability analysis, department assigned and any maintenance performed on the device.
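The inventory database in the last item, combined with the vetting requirement in the item before it, as an added example that is not from the original article: a SQLite schema covering the listed fields, plus an audit that reports drones whose record lacks a serial number or a data or radio vulnerability analysis. Table, column and function names and the sample rows are assumptions.

```python
import sqlite3

# Columns follow the fields listed in the article; every name is an assumption.
SCHEMA = """
CREATE TABLE drone (
    id INTEGER PRIMARY KEY, po_number TEXT, vendor TEXT, manufacturer TEXT,
    date_received TEXT, photo_path TEXT, transmitter_serial TEXT,
    receiver_serial TEXT, frequencies_mhz TEXT, department TEXT);
CREATE TABLE vulnerability_analysis (
    drone_id INTEGER NOT NULL REFERENCES drone(id),
    scope TEXT NOT NULL CHECK (scope IN ('data', 'radio')),
    performed_on TEXT NOT NULL, summary TEXT);
CREATE TABLE maintenance (
    drone_id INTEGER NOT NULL REFERENCES drone(id),
    performed_on TEXT NOT NULL, description TEXT);
"""

def sample_inventory():
    # In-memory database filled with constructed records, not real assets.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO drone VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1, "PO-0001", "ExampleVendor", "ExampleMaker", "2016-03-01",
         "photos/1.jpg", "TX-AAA", "RX-AAA", "2400", "Facilities"),
        (2, "PO-0002", "ExampleVendor", "ExampleMaker", "2016-04-11",
         "photos/2.jpg", "TX-BBB", None, "2400", "Security")])
    conn.executemany("INSERT INTO vulnerability_analysis VALUES (?,?,?,?)", [
        (1, "data", "2016-03-05", "storage reviewed"),
        (1, "radio", "2016-03-06", "control link reviewed"),
        (2, "data", "2016-04-12", "storage reviewed")])
    return conn

def audit_gaps(conn):
    """Map drone id -> inventory items the record still lacks."""
    gaps = {}
    drones = conn.execute(
        "SELECT id, transmitter_serial, receiver_serial FROM drone").fetchall()
    for drone_id, tx, rx in drones:
        missing = [name for name, value in (("transmitter_serial", tx),
                                            ("receiver_serial", rx)) if not value]
        done = {row[0] for row in conn.execute(
            "SELECT scope FROM vulnerability_analysis WHERE drone_id = ?",
            (drone_id,))}
        missing += [f"{scope}_vulnerability_analysis"
                    for scope in ("data", "radio") if scope not in done]
        if missing:
            gaps[drone_id] = missing
    return gaps
```

Running `audit_gaps(sample_inventory())` flags only the second drone, which has no receiver serial number and no radio analysis on file.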

There Is a Positive Side

Drones can be employed for a wide range of beneficial uses. Some examples include monitoring gas leaks along pipelines where it may be too dangerous for a crew, furthering rescue efforts after earthquakes or natural disasters, determining how bad a meltdown at a reactor is, monitoring livestock, mapping terrain, completing storm damage assessments, monitoring the migration habits of endangered species in remote regions and catching poachers on private property.

Complete Lack of Security Framework

The National Institute of Standards and Technology (NIST) has not yet published a framework for drone hardware, components or source code. Likewise, there is no National Security Agency (NSA) or National Institute of Crime Prevention (NICP) protection profile for drone software outside of those used by the military.

Even scarier is the total lack of any type of standards, governance or open-source security project related to third-party controls and code bases. These standards and security measures will become necessary in the very near future.

A special thanks to my colleague Mark Carey for helping prepare some of these talking points.
