Authored by: Cheryl Ajluni, Keysight Technologies
Times have changed in the amazing world of the Internet of things (IoT). What once was a new and compelling idea has quickly worked its way into the hearts and minds of consumers everywhere. From wearable devices like the Fitbit and pet trackers, to smart cows and smart farming, the IoT is now taking to the sky.
The flying IoT is essentially drones fully equipped with network connectivity capabilities and it marks a new frontier for smart devices—one that comes with a host of challenges. One key challenge for the flying IoT is security and it goes far beyond a consumer’s smart device unknowingly being used in a botnet distributed denial-of-service (DDoS) attack. That’s because drones can be used in multiple ways for nefarious purposes. For example, a hacker might intercept data being transmitted between the drone and a base station. Or, the hacker could use the drone to take physical control of a smart device, using it as a backdoor onto a company’s network.
If that proposition seems unlikely, consider that in 2016 researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada did just that. By equipping a drone with an autonomous attack kit, they could hack into a single smart light bulb. The hack quickly spread from one light bulb to all such smart light bulbs in a targeted office building, in just a matter of minutes, allowing them to turn the building’s lights on and off. Had this been a real attack, it could have been much worse.
At the end of 2019, another group of researchers used a DJI drone to take over a smart TV. Again, had this been a real attack, the hacker could have easily changed the content on the viewer’s screen, displayed phishing messages to obtain private information like passwords, or even used keyloggers to capture remote button presses.
Despite the security challenge, drones are expected to play an increasingly important role in everything from delivering packages to customer’s doorsteps and tracking criminals, to the rapid delivery of emergency supplies, medications, and vaccines. To enable optimal operation of these applications, drone security must be assured. That means, addressing the issue head on rather than as an afterthought. It starts with knowing the possible security vulnerabilities.
According to the Open Web Application Security Project (OWASP), the top ten vulnerabilities in any IoT device, drones included, are:
Weak, guessable, or hardcoded passwords
Insecure network services
Insecure ecosystem interfaces
Lack of a secure update mechanism
Use of insecure or outdated components
Insufficient privacy protection
Insecure data transfer and storage
Lack of device management
Insecure default settings
Lack of physical hardening
The first nine vulnerabilities specified can be effectively addressed through penetration testing (PenTest). Brute force scanners, for example, can crack poor passwords. Service discovery tools can find insecure devices on the network. Using things like fuzzing attacks, application layer scans and attacks, and secure communication validation techniques, PenTest users can test for and find cybersecurity vulnerabilities early in the drone development process.
However, the continually evolving nature of cyberattacks means that even the best PenTest solution can quickly become outdated. The best way to address this is by ensuring any PenTest tool used is constantly updated via an ongoing application and threat intelligence subscription. Addressing the last vulnerability, lack of physical hardening, requires a physical solution.
On the other side of the spectrum, any company vulnerable to cyberattack via drone can protect themselves using a good heterogeneous mix of security solutions to secure their networks. Unfortunately, finding the right mix of solutions is no easy task, since they can be tough to verify together and challenging to scale. Plus, interactions between the solutions can sometimes impact security performance and network resiliency.
To counter such issues, businesses should seek out an easy-to-use application and security test ecosystem that can verify the stability, accuracy, and quality of modern networks and network devices. Ideally, it should be able to simulate real-world legitimate traffic, DDoS, exploits, malware, and fuzzing. An ecosystem with these capabilities will allow vulnerable companies to simulate both good and bad traffic to validate and optimise their networks under the most realistic conditions.
As with any new IoT application, there are many technical considerations that must be overcome to get to market quickly and satisfy customers over a long period. In the case of drones, cybersecurity will remain as one of the biggest technical considerations. By designing security measures into drones early in the design cycle and appropriately testing them throughout the development process, developers can gain a much-needed advantage over would-be hackers. Given that modern drones are essentially now computers in the sky, the earliest possible preparation for the inevitable cyberattack is the only way to stay ahead of cybercriminals, while still realising the full benefit of the flying IoT.