Hacked commercial drones could pose a major threat to the UK
15 April 2019
The announcement by the UK Airprox Board (UKAB) that illegal drone incursions in and around UK airports rose by over 34% in 2018 brings to light concerns around cybercriminals hacking into commercial drones to carry out surveillance over sensitive locations.
According to a recent report from UKAB, illegal drone incursions near UK airspaces were so high last year that the number of recorded dangerous encounters between airplanes and drones soared to 125 in 2018 compared to just 93 in 2017 and 71 in 2016.
Commercial drones are a major threat to passenger safety
Considering that the bulk of private commercial drones are not highly resistant to malware intrusions and remote hijacking by cybercriminals, there is a possibility that hackers could exploit insecure commercial drones to carry out surveillance over sensitive areas such as airports, air force bases, and other such installations.
“The use of drones within the military has been common for many years, but those drones have been rigorously tested and built with security in mind. Commercial drones don’t stand to face such rigour. The relative speed at which these devices are taking to the sky raises a number of issues,” says Cesar Cerrudo, CTO at IOActive.
“Manufacturers of these devices are more concerned with getting their product to market than ensuring cyber security. But as we have seen, with malicious or even mischievous intent they have the ability to create mass disruption, as well as potentially putting passenger safety at risk.”
Cerrudo adds that as drones improve in range and functionality and become more affordable, their weaponisation could become common as poor cyber security could allow commercial drones to be hijacked by attackers.
“Malicious actors could program these drones to fly to specific GPS coordinates to launch cyber attacks on WiFi networks, or other kinds of wireless networks, while the attacker is miles away. The airline industry, government, and manufacturers of these products all need to be vigilant and aware and there needs to be greater accountability,” he adds.
Hostile nations could use drones to carry out surveillance
The misuse of commercial drones for malicious activities by cybercriminals or nation states has a precedent. A couple of years ago, a leaked report from the US Department of Homeland Security revealed that Chinese drone manufacturer DJI, a leading manufacturer and seller of private drones in the UK and the United States, was “providing US critical infrastructure and law enforcement data to the Chinese government”.
Citing a reliable source with first- and secondhand access in the drone industry, the memo claimed that DJI drones were used by commercial establishments to monitor critical infrastructure assets in the U.S., as well as water reserves, power plants, rail hubs and other large-scale infrastructure.
It added that DJI drones were also used to monitor “proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction”. Once such data was collected, it was uploaded to a cloud server to which the Chinese government most likely had access.
According to security firm McAfee, drone exploit toolkits are now finding their way onto the Dark Web, and ‘drone jacking’ is among the most potent security threats the world may witness in the near future.
“Drones have recently boomed in popularity, and not just for the Average Joe: they’re now used by law enforcement, farmers, and the media alike. And that’s exactly why they’re so enticing to cybercriminals – they’re now completely omnipresent. If a crook gets ahold of one—and it isn’t hard for them to—the hacking possibilities are endless,” the firm said.