“Drones scare the crap out of me,” says Chase Cunningham, Ph.D., A10 Networks’ director of cyber operations in an interview at RSA. “If I were a bad guy, I would go get a whole bunch of drones in front of an aircraft when it is landing. Imagine if you had 10 or 20 drones sucked into a jet. That’s it. You’re done,” declares Cunningham, who is a former U.S. Navy chief cryptologic technician.
While something that horrific hasn’t happened yet, there have so many near-misses involving drones around the globe that the prospect of a severe drone-related accident seems likelier by the day.
Consider the following: The terrorist group ISIS is releasing propaganda footage flaunting its ability to use drones for both reconnaissance and destroying targets. Just last week, Interpol warned that terrorists could employ drones equipped with explosives to launch attacks on critical infrastructure. The Department of Homeland Security reached similar conclusions in 2015. Last month, an African airline reported that one of its planes had crashed into a drone while in flight. At London airports last year, there were 13 near-misses involving drones at airports. Ten of those incidents were deemed to pose a “serious risk of collision.” And then there are separate incidents of drones that have crashed near the White House and in front of German Chancellor Angela Merkel.
Two of the most memorable examples of weaponized drones come courtesy of Austin Haughwout in Connecticut. In 2015, Haughwout attached a 9-mm pistol to a drone and demonstrated in a YouTube video that he could fire it using remote control. Several weeks later, he posted a similar video with a drone attached to a flame thrower.
Note: IoT security is a key item on the agenda at Internet of Things World in Santa Clara this May. Sample the speakers, preview the agenda, claim your free expo pass or book your place at the conference for the world’s biggest IoT event now.
Drones could also be used for data theft. The London security company Sensepoint has created software named Snoopy that can pluck data from mobile devices that may be nearby, including usernames and passwords for Amazon, PayPal, and Yahoo.
At present, many drones are easy targets for hackers. “They run on regular old RF transmission,” Cunningham says. “What is to stop someone from taking them over?” Ars Technica’s security editor Dan Goodin recently posted a video of a system known as “Icarus” that can control drones or anything else using the common DSMx remote control protocol. The device enables an intruder to take control over a drone, locking out the original pilot.
But a hacker wouldn’t have to take control over command and control of a drone to cause problems. “You could just jam the frequency so that no one is controlling it. If you have enough drones in the airspace, surely someone is going to run into it,” Cunningham says.
More Drone Applications, More Regulations?
To be fair, drones offer an array of benefits in various fields. Potential applications include delivering medical supplies, law enforcement surveillance, inspecting farms and construction sites from the air, and so forth.
But drones also raise thorny legal questions and serve as a reminder that the evolution of drone technology is moving much faster than regulation. Consider, for instance, the aforementioned case of Austin Haughwout, the drone enthusiast who prompted a federal investigation by attaching a gun and later a flamethrower to a drone. The FAA sent Haughwout and his father an administrative subpoena seeking records related to the stunts. The elder Haughwout declined to comply, arguing that FAA had no authority over model aircraft.
On the international stage, the amount of regulation and restrictions to drones is growing steadily. Iran recently banned private drones in Tehran. In August of last year, FAA introduced rules constraining how drone pilots use the technology. Further FAA rulemaking, however, could be slowed given Trump's recent executive order designed to reduce regulations.
There’s also the simple fact that public doesn’t seem to be overly concerned about drones at present. “From a pure probability standpoint, much of the public doesn’t appear to care about drones right now. They are likely to think: ‘I am more likely to get hit by a car than crossing the street than injured by a drone,” says Morey Haber, VP of Technology for BeyondTrust. “When nobody cares, how do the people who manufacture drones even justify fixing any security problems?” says Morey Haber. “I would suggest that this is still an academic conversation.”
At a federal level, regulating drones is complicated given the degree of overlapping jurisdiction between regulatory agencies such as the NTIA and FAA.
“One could argue that drones are, in effect, IoT devices and that their security needs to be addressed,” says Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), which has participated in both the NTIA and White House efforts regarding drone policy. OTA has developed an IoT Trust Framework with security and privacy principles to provides prescriptive guidance to help drone makers and developers. The OTA has found in its own research that the vast majority of IoT devices lack basic security assurances. “In the rush to market drone vendors often leave security and privacy out of the discussion,” Spiezle says.
The Cloud Security Alliance reached similar conclusions about drones, stating: “Many indicators still show vendors consider security as an added cost and prefer to offer more features over protection.”
Ultimately, drones represent substantially greater risks than consumer-oriented devices like a connected refrigerator or a smart watch. “Both the public and private sectors need to consider the unintended consequences of the use of these devices and perhaps most importantly what are the physical safety issues that may result from either intended or unintended use and abuse?” Spiezle asks. “As technology advances, so will the risks. Prudent wisdom is to prepare for the worst and hope for the best.”