Drones: The Next Great Hack


As a kid, one of my favorite hobbies was flying radio control airplanes. Back in the day, we used to hang a colored flag off our antennas to notify other hobbyists what frequency we were on. If someone nearby had the same frequency, the person with the stronger transmitter could take over your airplane and crash it or fly it on a different route. The same is true today – but now, there are much more severe consequences than crashing a toy airplane. The toys may be new, but the technology isn’t.

So far, I have seen drones configured with cameras to show real estate (invasion of privacy), a Taser that was used on a person (personal safety), and a drone that was set up to steal smartphone data while the owner’s Wi-Fi was on (theft of personal data).

Encryption rules for these devices are nonexistent. From the research I’ve done, I’m disappointed to discover that NONE of the companies that sell drones mention encryption or security for any of their devices. There are no rules or regulations regarding drones, and as a result, they have become the true “Wild West” of toys.

Drones with cameras are especially dangerous, and here’s the problem: if the drone is taken over, the hacker has access to anything the drone’s pilot is looking at. This would be especially troubling in a law enforcement scenario. But Predator drones used by the US military send video feeds unencrypted, so why should anyone else worry?

Drones that are connected by Wi-Fi are not safe either. A hacker has now released software that hijacks commercial drones using simple, already available software and low-cost hardware (a device called a Strawberry PI). (1) To use this hack, all one has to do is perform a Google search to find the correct MAC address for the drone. The hacker can then skyjack the drone and do whatever he or she wants with it. (2)

Six sites in Alaska, Nevada, New York, North Dakota, Texas, and Virginia have been chosen by the FCC to be drone testing sites. These are for commercial drones – not hobbyist drones.

Without encryption and oversight, both types of drones can be a danger to the public’s privacy. In addition, the lack of an encrypted connection between the drone and the operator can be a danger to the public’s safety. A drone that has been hacked and taken over can create terrible scenarios, such as drones intentionally crashing into crowds of people or open spaces where people congregate, surveillance and tracking of victims (for example, domestic abuse victims), and an increase in high-tech peeping Toms.

Technical innovation moves society forward, but at the same time, it also attracts nefarious individuals who take advantage of new technologies and twist them for their own purposes. The only way to stay ahead of the bad guys, at least in the short term, is to mitigate the damage they can do. And for the devices, strong encryption is the only way to keep the bad guys at bay – at least for a little while. Without encryption, drones will become a target too tempting for the bad guys to ignore.

Does your business have a use for drones, and if yes, what can you do to stay ahead of the bad guys? Be prepared, and devise strategies sooner rather than later.

Sources for this post:
(1) “Hacker Releases Software to Hijack Commercial Drones” by Bryant Jordan via Defense Tech

(2) SkyJack is a drone engineered to autonomously seek out, hack, and wirelessly take over other drones within Wi-Fi distance, creating an army of zombie drones under your control.

Image Credit: debspoons via FreeDigitalPhotos.net.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.



About Allan Pratt

Technology and cybersecurity professional with focus on tech news, cybersecurity, networking, infrastructure, data protection, consumer electronics, and social media.
