"Because drones rely on vulnerable telemetry signals, attackers can leverage them using any of the classic attacks including buffer overruns, format strings, SQL injections and authentication bypasses that exist in drone firmware," explains Cabetas.
Examples of successful attacks on drones are already on record. In 2009, insurgents in the Middle East intercepted Predator drone signals due to a failure to use secure protocols, according to Cabetas. This enabled the insurgents to spy on what the Predators were spying on (via airborne video). Without secure protocols, similar attacks are possible with domestic UAVs.
And, in a 2012 case, Texas A&M college students, by invitation of Homeland Security spoofed the University drone's GPS signals, insinuating the errant location data into navigation computers, resulting in the drone's untimely collision, Cabetas notes.
"But, the scariest thing we've seen so far was accomplished by the winner of the 2012 DroneGames, a Drone programming contest. The winner created a virus that took over any Drone that came close to the infected Drone," says Cabetas. Using a single vulnerability in the homogenous firmware of the drones, an attacker could fill the skies with UAVs ready to follow his every command.
And, in a couple of years, drones will be standard components of physical penetration testing, corporate espionage and hacker attacks, according to Cabetas. "Attackers could take high resolution photos and videos in windows (looking for passwords on sticky notes and other sensitive data). They'll be able to plant high fidelity microphones for eavesdropping on the outside of sensitive rooms (conference rooms, CEO offices)," Cabetas asserts.
CSOs should investigate appropriate physical security counter measures for attacks by drones they do not own or control while requiring secure protocols for any UAVs they do deploy.
Sign up for Computerworld eNewsletters.