Dronejacking drops security headaches on IT staff

October 18, 20174 Minute Read

It may not be long before we see “dronejacking” added to the Oxford English Dictionary.

While the IoT has recently been a frequent touch point for discussions about cybercrime and security breaches, most of the concern about drones has been around their potential to cause havoc with existing air traffic or inadvertently invading people’s privacy. “Dronejacking,” on the other hand, is intentional.

A report released late last year by Intel McAfee Labs predicts 2017 will be the year that hijacked drones become a threat to contend with. We’re not talking just for hobbyists, but for the various industries and organizations that are becoming increasingly reliant on the flying technology, including agriculture, news media, logistics and shipping companies, government, and law enforcement agencies. Security software firm Symantec echoed that dronejacking prediction a month later.

Drone heists and hacking

The McAfee Labs: 2017 Threats Predictions released by Intel Security last November noted that dronejacking is no longer just about hijacking a child’s or hobbyist’s flying toy as drones continue to see more mainstream adoption. Both Amazon and UPS are looking at delivering packages using drones, as the report notes, and shipping drones become a realistic target for criminals when you consider they will most likely be launched from a dedicated location. This would make traffic patterns easy to spot, and dronejackers could easily stake out a location and wait for targets to appear.

Just as drones have demonstrated an ability to be used to hack the local wireless network of a home, business or critical infrastructure facility, it’s also been proven as far back as 2015 that someone could easily hack a toy drone, if only to steal and resell it in whole or for parts. McAfee Labs also noted that already there have incidents of homeowners being annoyed by drone flyovers to the point of taking them down with a shotgun. But another method of combating drone trespassers could be to exploit software vulnerabilities that enable someone to set up an electronic barrier around a house that either kills or redirects drones that fly too close.

More law enforcement agencies are increasingly using drones equipped with cameras to assist with surveillance and crowd control instead of wall-mounted security cameras, opening up the possibility of protesters and hacktivists knocking out a drone during a protest, for example.

Drone management is an IT issue

Both Transport Canada and the U.S. Federal Aviation Administration are developing regulations to govern drone usage. In the meantime, it will be up to IT departments to deal with the challenges created by drones, just as they are grappling with IoT. As already noted by research firm Tractica, how drones are deployed for commercial use and the particular industry segment will determine the effect on IT departments, while the number of drones deployed combined with their capabilities will determine the complexity of an organization’s IT system for managing their fleets.

Just like mobile devices and the BYOD trend, IT will have to safeguard drones against theft of data and intellectual property. Dronejacking could potentially affect certifications like ISO9001 or ISO27001 for information security. As Tractica notes, it’s not just the security of drone data that’s adding to IT departments’ workloads. Drones have the potential to produce large amounts of data that must be stored or processed, either locally or in the cloud, so data science expertise will also be needed. Some organizations may even find themselves requiring a Chief Delivery Drone Officer.

Software updates to the rescue

The good news is, like most endpoints, drones aren’t that different from desktop computers or smartphones. The vulnerabilities that might lead to dronejacking can be addressed by a software update, although, as McAfee Labs notes, any patch would have to be provided by the drone manufacturer. It’s likely that high-end drones would be patched quickly, but cheaper models by might continue to fly for a long time without getting the needed software update.

Ultimately, drones are like any other IoT device connected to a network in that they quickly become targets for hacking. But, the report notes, what makes drones potentially easier to hack is they’re designed to be set up quickly and easily, have many open ports, and often use unencrypted communication. They’ll be easy targets for dronejacking tool kits.

Who knows: Maybe at some point, Oxford may also have to add “drone wrangler” to its dictionary. It would look pretty cool on a resume.

Gary Hilson October 31, 2018 4 Minute Read

5 ways to prepare for PIPEDA’s updates

PIPEDA's getting an update, and it looks a whole lot like GDPR. Here are five best practices that will help you stay compliant.

Stephanie Vozza October 29, 2018 4 Minute Read

Brush up on these 4 fundamentals for Cybersecurity Awareness Month

From employee training to shoring up endpoints and passwords, get primed for Cybersecurity Awareness Month with these four security and privacy tips.

Graham Templeton September 26, 2018 4 Minute Read

Prepare for PIPEDA with better device security and data privacy

Complying with PIPEDA's new privacy amendments requires diligence in everything from internal processes to device security.