Drone Cybersecurity Risks | What are the Risks of Consumer Drones
Image via: Wikimedia Commons
‘Tis the season . . . of increased consumer drone sales. The Consumer Technology Association (a trade group) and the Federal Aviation Administration (FAA) estimate that somewhere between 400,000 and 1 million new unmanned aerial vehicles will end up in the hands of consumers this holiday season. Many of these soon-to-be drone pilots, experts warn, lack aviation experience. The increasing popularity of these machines poses a physical security risk, prompting the FAA to issue new guidelines requiring all owners of 0.5- to 55-pound drones to register their machines with the administration. In addition to physical security concerns, do owners also need to be concerned about drone cybersecurity risks? As with all network-connected devices, drones are vulnerable to certain cybersecurity threats. Cyberattackers do not hesitate to attempt to exploit new technologies. Here are some of the possible cyber risks of having more drones in the sky.
Remote Takeover of a Drone
Drones are typically controlled by connecting back to their pilot’s device (smartphone or tablet) via Wifi or Bluetooth. That connection is not necessarily secure, as demonstrated by security researchers at DEF CON in August 2015. First, Ryan Satterfield, of security consulting company Planet Zuda, showed how to knock a Parrot A.R.Drone to the ground by remotely connecting to it via open Wifi and an open telnet port and terminating the process that makes it hover. Next, Michael Robinson, security analyst and adjunct professor at Stevenson and George Mason Universities, demonstrated how the Parrot Bebop drone’s open Wifi connection makes it possible for anyone to connect to a drone in-flight, by using a Wifi de-authentication attack against the original pilot. This vulnerability doesn’t just take down the drone, but allows the attacker to take control of the drone’s flight. Such an attack could be used to steal a drone and – in the case of commercial drones being used to deliver products to consumers – its cargo.
Attackers Gaining Access to the Drone’s Photos and Videos
Most drones are equipped with a camera or video camera that transmits images taken in flight back to the user. This, in itself, presents privacy concerns. To make matters worse, Robinson also found that the Parrot Bebop drone transfers photos and videos back to the user via an unsecured FTP server, meaning an attacker could access those images.
A lesson to be learned from examining the drone cybersecurity risks and vulnerabilities is that no “smart” device is immune to cyberattacks. Consumers can, however, protect themselves by doing research before buying a device, contacting the seller to ask about their cybersecurity measures if insufficient information is listed online. Drones that connect to their user via radio controls rather than Wifi or Bluetooth, for example, are less vulnerable. It is important for consumers to stay aware of security issues affecting devices that they own – from phones, to computers, to Internet-of-Things devices like smart refrigerators and thermostats – and to have their devices tested by cybersecurity professionals.