Dronejacking

Source

McAfee Labs 2017 Threats Predictions November 2016
http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf?cid=BHP-070

What started as a fun toy for kids and a slightly expensive hobby for enthusiasts has really taken off, if you’ll forgive the pun. Drones are well on the way to becoming a major tool for shippers, law enforcement agencies, photographers, farmers, the news media, and more. It is hard to deny that drones have become a lot more valuable to many types of businesses and government agencies. Recently, we saw an example of a drone outfitted with a full hacking suite that would allow it to land on the roof of a home, business, or critical infrastructure facility and attempt to hack into the local wireless network. In 2015, a proof of concept hack was demonstrated at DefCon that showed how someone could easily take control of a toy drone. Although taking over a kid’s drone may seem amusing and not that big of an issue, once we look at the increase in drone usage potential problems starts to arise.

• Deliveries: Both Amazon and UPS have announced plans to deliver packages via drones. This creates a realistic target for a criminal looking to make a quick buck. Shipping drones will most likely be launched from a dedicated location, making traffic patterns easy to spot. Someone looking to “dronejack” deliveries could find a location with regular drone traffic and wait for the targets to appear. Once a package delivery drone is overhead, the drone could be sent to the ground, allowing the criminal to steal the package. To be fair, such thefts would be hit or miss as there would not be an easy way to know what is in the package, but it could turn out to be lucrative.
• Camera crews: Aerial photography is now much easier with the advent of drones. A quick search for “photography drone” returns pages of results pointing to high-quality and expensive equipment for both amateur and professional cinematographers. This highquality equipment would be a very tempting target for a criminal to dronejack. Pulling down a drone would allow criminals to resell the equipment, effectively making money fall from the sky. 
  
• Personal no-fly zones: There have been a few incidents in which people became annoyed with drones over their houses and took active measures (shotguns, throwing rocks, etc.) to deal with them. Exploiting software vulnerabilities in drones could allow someone to set up an electronic barrier around a house that either kills or redirects drones that fly too close. Although this may seem like a boon to those who prefer the “get off my lawn” approach to neighborhood life, drones are still a gray area in many local regulations and ordinances. This gray area could lead to heated debate and potential lawsuits over someone creating a personal nofly zone.
• Law enforcement: More and more law enforcement agencies are turning to drones to assist in surveillance and crowd control. In a highly charged situation like a protest or active shooter situation, a police drone would be a tempting target for someone looking to remain unseen by law enforcement. This scene has played out countless times in action movies. The bad guys (or heroes) go through elaborate measures to take out the security feeds of their target. Now, instead of wall-mounted security cameras, we have cameras attached to drones. As protestors and hacktivists start to mix more, the odds of a protester with the technology to knock out surveillance drones dramatically increases.

 
How will these attacks take place? Various researchers have found many consumer drones shipping with open ports and weak authentication methods, allowing a person with the right equipment to send commands to the victim’s drone. So far, this has been a fairly manual process but, as we’ve seen in the past, new exploits typically appear sooner or later in easily reproducible format. The majority of the vulnerabilities discovered on commercial drones can be easily fixed with a software update. Of course, this requires the manufacturer to release a patch. While high-end drones will most likely be patched quickly, cheap drones will most likely fly a long time before a patch is available. As we have seen with other IoT technology, once a device is connected to a network, people quickly start looking for ways to hack it. This effort is made easier by the general rush to market for IoT devices, including drones, that have little or no security. What makes drones potentially easier to hack is they are designed to have a quick and easy setup, often using unencrypted communication and many open ports. We predict in 2017 that drone exploit toolkits will find their ways to the dark corners of the Internet. Once these toolkits start making the rounds, it is just a matter of time before we see stories of hijacked drones showing up in the evening news. Even without a dronejacking toolkit in hand, we will begin to see an increase in drone-related incidents. In 2017 we will see a local news report about a person getting fed up with one of the neighborhood kids flying a drone over his back yard. But instead of using a shotgun loaded with birdshot, the drone will be taken out of the sky by software running on a laptop with a directional antenna. Given the viral nature of the Internet, this will soon show up on Facebook walls all over the world with arguments for and against the action, causing heated debates and snarky memes.
During 2017, we will also see more drones used by law enforcement agencies to monitor crowds. Initially protesters will react by throwing objects at police drones, but drone takedown hacks will be launched by protesters as a way to quickly remove surveillance drones from the equation. How will policymakers respond to these incidents? Already the US Federal Aviation Administration is scrambling to put rules into effect that govern when and where commercial drones can fly, but there are still a lot of uses that need to be addressed and surely some we have not yet thought of. Whereas commercial aviation grew slowly over time, commercial drone usage is on a steep flight path that will leave regulators struggling to get off the ground. 

---