The global market for drones is expected to grow 36% a year between 2018 and 2022, according to analysts. But cybersecurity expert IOActive has warned this increase will create a range of new risks.
IOActive cautions that if the commercial market for drones is left unchecked then we could start to see drones being weaponised, presenting potential hazards to public safety.
As the range and functionality of drones improve and their cost reduces, weaponisation could become common, as poor cybersecurity could allow commercial drones to be hijacked by attackers.
This presents several risks which IOActive asserts have not yet been considered:
- Cybersecurity: Poor cybersecurity controls will enable commercial drones to be hijacked with ease. Malicious actors could programme drones to fly to specific GPS coordinates to launch cyberattacks on Wi-Fi networks, or other types of wireless networks, while the attacker is miles away, as IOActive’s previous research shows. They could also be used to perform man-in-the-middle attacks, disseminate malware or for GPS spoofing attacks and, as with webcams, they could also be used to spy on owners or steal data.
- Disruption and public safety: There has already been widespread disruption in airports due to drones being flown illegally into airport airspace. The drone activity that disrupted pre-Christmas flights in and out of London’s Gatwick airport cost airlines an estimated £50 million (US$64.5 million). This is likely to continue, IOActive says, but with the added risk that this method of disruption could be used with malicious intent, with hacked drones being used to prevent air travel or even put passenger wellbeing at risk. Hacked drones could even be used to ‘divebomb’ pedestrians or to cause chaos at traffic intersections, putting human life at risk.
- Privacy: The capability of drones to take photos and record audio and video in otherwise impossible-to-reach areas raises several privacy issues. Drones can easily take high-resolution pictures and movies through building windows, which could result in blackmail or other unwanted surveillance. In addition, the ‘follow me’ functionality could help people to turn drones into spying devices.
“With enough determination anything can be hacked, but the commercialisation of the drone market is making it all too easy – and many of the consequences for security, safety and privacy have simply not been thought through,” comments Cesar Cerrudo, CTO at IOActive.
“The range of drones is of particular concern as it opens up new areas of vulnerability that many will not have considered. For example, off-shore oil rigs have previously been protected from many short-range cyberattacks by their distance from land, but in the age of weaponised drones they could be fair game. We also see companies like Amazon trialling the use of drone deliveries, which also throws up problems – what if those drones are intercepted so that people can steal packages? Individual industries need to look at their own risk posture to determine if they need to make any changes in light of our new hovering frenemies.”
Cerrudo says manufacturers need to shoulder their share of the responsibility for the products they are bringing to market to ensure they are as secure as possible.
He said: “The relative speed at which these devices are taking to the sky raises several issues. While the use of drones within the military has been common for many years, those drones have been rigorously tested and built with security in mind – commercial manufacturers do not have the same concerns and are more focused on getting their product to market than ensuring cybersecurity.
“This attitude needs to change. Security should be a fundamental part of the core design, so that it is baked in from the ground up, rather than retrofitted as an afterthought. At the moment, drones are just sitting ducks.”
Lack of accountability and responsibility are also areas that need consideration, concludes Cerrudo.
He said: “The airline industry, governments and manufacturers of these products all need to be vigilant and aware of the potential risks – there needs to be far greater accountability for safety and security. The issue just isn’t being given the seriousness it deserves and it’s better for all if action is taken before there’s a major incident that forces change to happen.”