Drones are growing in popularity with consumers, in agriculture, for delivery, and for government use. Some of the first practical and commercial use of aerial drones includes data gathering in the form of geographical mapping, general reconnaissance, rescue surveillance, video and photography, and other such applications. Agricultural companies were some of the first to begin wide use of drones to collect data related to crop yields, soil quality, nutrient measurements, and rainfall — even prior to the Federal Aviation Administration (FFA) lifting a usage ban in 2014. Now in more ubiquitous and acceptable use, large carrier companies are about to widely implement usage in a way long envisioned: for transportation and physical delivery of consumer goods.  

For example, Pizza Hut is trying out a new approach for delivery. The Wall Street Journal reported that Pizza Hut Israel will test out sending drones to drop multiple orders at government-approved landing zones where delivery drivers will collect orders and take them to customers. Other companies, such as Wingcopter, are doing great things with drones as well, including partnering with UNICEF for COVID-19 vaccine delivery to remote areas. 

With all the positive things that drones can accomplish, there also comes the need for assessing the security of the devices themselves or the threats they could directly impose. Bad actors could exploit a number of things and cause issues.

For starters, exploiting a drone directly threatens the confidentiality of the data it carries or has gathered. That data can be used for a multitude of purposes or further exploits, including outright theft and use of data for espionage, sale of data if someone else finds value in it, or use in further exploits. 

The threat to the integrity of the data also exists, which can beget more nefarious and resource-impacting exploits. For instance, if an actor can manipulate agricultural data, the actor has potentially threatened at least a portion of the food supply or at least the bottom line of a food supplier. Naturally, the threat to availability of data (e.g., if the data is deleted before it can be properly used) can create potential hardships or at least affect outcome efficiencies that might be lost.

In addition, there is the threat of commodity theft or supply disruption, given that drones are likely to become part of the consumer transportation economy. Opportunity works both ways, and undoubtedly, bad actors will make attempts, in addition to pilfering goods directly from the drones, to hijack and redirect their intended destinations or otherwise bring them down through other interfering means. The scariest use of drones, in my opinion, is their weaponization either as individual units or, for maximum damage and effect, in a swarm.

Drones are also being used for more close-quarter, precision cyberattacks against devices that might be physically removed in terms of access from the outside. Whereas a bad actor may have been able to scan for active Wi-Fi networks from a more openly accessible location outside the facility, attenuation issues often made it difficult to proceed beyond detection. This has been a practice known as war-driving. Now, with the use of drones, proximity is no longer an obstacle to scan and attempt penetration of a Wi-Fi network. This practice, referred to by some as “war flying,” uses the drone more directly as an offensive platform to perform a cyberattack. In fact, there are even special toolkits with hacking programs available on the web that are optimized for use by drones.

It begs the question: What can I do about it? The last part about weaponization is almost too much to think about, though it should not be lost on anyone that drones, as well as other Internet of Things (IoT) devices, have made more of a direct impact on life and safety than almost anything else in the cyber realm (short of outright cyber warfare). One of the first things to consider as an organization that uses or will use drones is your supplier or manufacturer. It has always been feared that some nation-states may have tampered with certain electronic components, chips, or products they manufacture to facilitate, at best, some level of espionage or, at worst, direct physical sabotage. In fact, an executive order was issued in January of this year, encouraging entities of the U.S. government to abstain from procuring and using drones manufactured by companies on the blacklist maintained by the Commerce Department.  

The tentacles of this executive order are only starting to reach out, concurrently as the likes of Amazon, UPS, FedEx, and other major carriers won FAA approval in late 2020 to employ drones over people and at night. Here’s the rub: It doesn’t take a nation-state altering drones of its own manufacturing device when they can affect the source of electronics and other coded components in countries not on the blacklist. And if nation-state actors can do it, so can other actors with the right support, patience, and time.

With the increase of bad actors going for the source, the ways that they can access it are growing as well. In the recent cyberattacks that affected many companies, the source (such as the SolarWinds breach) unknowingly infected the other companies. Bad actors are always looking for new opportunities to get ahead, and the increase in drone usage may be their next target. 

Almost comically, though proven to be effective, the use of predatory birds to counter the drone threat has been used by the military. Certainly, most companies are unlikely keen on maintaining a flock of eagles or hawks for this purpose, so other defense mechanisms such as lasers, net cannons, or jammers will continue to gain market share over time. The reality is that there is not a uniform mitigation strategy or set of best practices to mitigate the threats posed by drones at present. Perhaps there will be one day, but the reality is that the drone is simply a delivery mechanism that can be used for malicious purposes — another means of conveyance for bad actors to commit malfeasance. Aside from security of the hard-coded components, it is largely a physical security issue. But we all know that poor physical security can undermine even the strongest level of cybersecurity, so don’t expect that this will continue to be a fringe activity. Drones are omnipresent these days, and now we should expect to see them more often in the normal course of our daily lives. Sooner or later there will be a reckoning, and I believe it will be the cybersecurity industry that leads the way in drone defense, one way or another.

As a Managed Detection and Response (MDR) service provider, we actively hunt all data that we have access to, including data from drones and autonomous vehicles. If there is a threat, we are able to detect and mitigate the incident, working with our customers to restore operations to normal. Stopping the bad actor at the source is the best defense. Learn more in our whitepaper Stop the Spread of Ransomware at the Root.

Ron Pelletier

Founder and Chief Customer Officer | PONDURANCE

Ron Pelletier is the original Founder of Pondurance, having started the company in 2008, and presently continues on as Founder and Chief Customer Officer. Prior to Pondurance, he was a Senior Manager at EY and Senior Consultant at Haverstick Consulting. He also served as a Computer Emergency Response Team Lead for the Indiana Army National Guard, as commander of HHC 88th Regional Support Group, an adjutant to the CIO – Deputy CISO, and as 2nd Lieutenant – Captain and Deputy Chief of Protocol for the U.S. Army. He graduated with a Bachelor’s Degree in English from Indiana University South Bend in 1994.