The number of drones registered in Brazil increased 51% from 2018 to 2019, jumping from 18,389 to 27,665 in that period. The data are from the National Civil Aviation Agency (Anac). The Brazilian unmanned aerial vehicle market has been growing by an average of 30% per year. There are more than 720 companies involved in the production chain of this market, according to a survey by Droneshow, a Brazilian reference fair of the sector.
Worldwide, the growth is also exponential. Gartner analysts have predicted that the productivity gains that drones bring will drive corporate demand for this technology. With this, the base of 324,000 devices registered in 2019 will go to more than nine million worldwide by 2028.
But are drones a threat to cyber security?
Companies adopt these devices to assist in farming, transporting blood bags to save lives, fighting fires, and even delivering pizza. But there is one caveat that cannot be ignored. Drones can spy on networks, capture data and block communications. And organisations must have a plan to manage these and other risks.
It may seem unlikely that these small aerial vehicles are such a risk. But the fact is that a drone can be used in almost any situation. If someone wants to take a picture, all they have to do is install a camera on the drone. If you want to listen to someone's conversation, just put a listening device on it. Spoof a WiFi network? It is also possible. Because almost any kind of technology can be fitted to a drone.
Moreover, its ability to penetrate traditional ground defences and keep the operator away from the site of attack makes it a weapon in the hands of a malicious operative. Barbed wire fences and perimeter intrusion detection systems, such as infrared sensors, or even CCTV video analysis, have an almost zero chance of detecting a small drone.
Traditional security measures protect against intruders coming over water, over land, but there is little security in most commercial environments against aerial threats.
Many models are almost invisible from just a few hundred metres in the sky, and cannot be heard. Because of this, drones are able to do very close surveillance while remaining totally undetectable. And by combining simple hardware with penetration testing software, a drone can gain access to unprotected wireless devices within the confines of a secure physical facility. A single vulnerable point, such as a WAP with outdated firmware, or a printer with Wi-Fi where the features have been left at factory defaults, are already enough to provide the starting point for a larger attack.
Drones, hackers and espionage
A drone security review published this year identified multiple threats and vulnerabilities in drones. These include GPS spoofing, malware infection, data interference, interception and malicious manipulation. For example, the links that transmit video and other data to and from certain types of drones are not encrypted, making the information vulnerable to capture, modification and injection of malicious code. Many drones have serious design flaws, and most are designed without wireless security protection.
In a December 2011 incident, the government of Iran claimed it had successfully blocked the communications links of a US spy drone and reconfigured its GPS coordinates to force the drone to land in Iran. A few years earlier, engineers in the country claimed to have been able to intercept and download live video transmissions from US drones.
While some have disputed the validity of the claims, the warning stands. A security researcher, as far back as 2013, demonstrated how an adversary could configure a drone to find others in the air within Wi-Fi range, hack into the wireless network, disconnect the original owner and take control of the device.
In Brazil, there have been numerous incidents, such as bank robberies, where the drone has mapped to the route used by police officers, and cases where, prior to a residential burglary or kidnapping, criminals have used drones to study the security routine of the house.
Organisations need to protect themselves
In general, drones are built without the concept of safety. Parallel to this, laws and enforcement are lacking. Therefore, when mapping cyber risk, companies cannot disregard these threats. If they adopt the direct use of drones in some process, it is essential to assess the probability of attacks, conduct a careful analysis of the data stored by the device and prepare an incident response plan to minimize the possible impacts if certain information is leaked.
One way to minimise the risk of data theft is to ensure that the drone used by the company never connects to Wi-Fi or another network while it is operational. Once on the ground, apply specific guidelines to extract the information, preferably without connecting the drone to any network, but rather from a direct connection from the unit itself. It is also important not to forget to empty it before reconnecting to a network.
In short, data in a drone is like data in any computer system. And likewise, it needs to be protected.