Cybersecurity White Paper 1

White Paper

APRIL 2018

DECEPTION IN THE SKIES:

How Hackers Use Drones to Infiltrate Corporate Networks

Cybersecurity White Paper 2

Executive Summary

Drones threaten the physical security of enterprises and their cybersecurity. Hackers and cyber terrorists take advantage of drones as a quiet, discreet technology, with the capability to carry heavy payloads over fences and right next to structures without attention. Nefarious actors use drones to sniff networks, intercept data, disrupt communications, or hack into servers. With the availability of consumer drones to the global market, pilots with malicious intention can hack networks, exposing sensitive client information and corporate intellectual property.

Cybersecurity threats are advancing and becoming more prevalent due to drones using hacking software, and their ability to swiftly infiltrate sensitive airspace. Drones are capable of identifying and following targets, can use cameras to spy on operations, and exfiltrate data or infiltrate and manipulate IT systems. Additionally, an employer without knowledge of drone activity in their airspace opens a dragnet of new legal issues, including cybersecurity, hacking threats and compromised employee privacy.

Few protections exist for enterprises to prevent drone intrusions, and before enterprises can put together a security program to mitigate risks, company leaders must first gain situational awareness and determine how many drones are entering their airspace. Many organizations jump into standard operating procedures and mitigation, but they can’t do any of that until they first understand if drones are entering their airspace without permission, and when these intrusions are occurring.

Cybersecurity White Paper 3

Enterprises are bracing for the next generation of hacking tools and vulnerabilities that exist in unprotected airspace.

Drones threaten the physical security of enterprises and their cybersecurity. Hackers and cyber terrorists take advantage of drones as a quiet, discreet technology, with the capability to carry heavy payloads over fences and right next to structures without attention. Nefarious actors use drones to sniff networks, intercept data, disrupt communications, or hack into servers. With the availability of consumer drones to the global market, pilots with malicious intention can hack networks, exposing sensitive client information and corporate intellectual property.

Recently, corporations such as Walmart, Apple, and Tesla, among others, have experienced public incidents of drones conducting aerial espionage. No enterprise is immune to drone threats, and ground security is not enough to protect vulnerable airspace. The consequences of a cybersecurity breach are becoming more complex and costly, and industry researchers are advancing their knowledge of the connection between internet-connected devices, including drones and how they can interact with secure systems.

As drone technology advances, and new applications are developed, the threats and risks they pose will evolve. Since the legal and regulatory landscape for drones remains uncertain, enterprises and corporations must be proactive in developing a secure airspace for their own operations. Laws against rogue drone pilots remain difficult to enforce, especially if a drone pilot is motivated to cause damage.

Laws can be circumvented, and enterprises must take proactive measures to integrate technology to assess their airspace risks, and prepare for drone intrusions. Dedrone provides a commercial, off-the-shelf airspace security platform that identifies the location of a drone, pilot, and its flight path, among other data, to provide security for operations and to record forensic evidence in the event damage occurs.

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”

— JOHN CHAMBERS AT THE WORLD ECONOMIC FORUM, 2015

“

Cybersecurity White Paper 4

The integration of drones to international airspace is exposing new security vulnerabilities and gaps to lower airspace.

Drones were initially developed to support military operations, and over the years, have developed into technology for personal and commercial use, providing cost-effective solutions for multiple industries. Drones have supported first responders with search and rescue efforts, have gone to work in the energy and construction industries to inspect operations and facilities, are being used to entertain audiences as light shows, and an artistic tool for photographers and cinematographers to capture new perspectives of our world. They are capable of flying for hours at a time, carrying payloads of hundreds of pounds, including stabilized, high-definition cameras, and reaching altitudes of thousands of feet.

According to the FAA’s 2018 – 2038 FAA Airspace Forecast, the industry-wide standard of measurement of U.S. aviation-related activities, estimates the amount of drones in U.S. airspace will double in size from 1.1 million aircraft in 2017 to 2.4 million units in 2022. The average annual growth rate over the 5-year forecast period is 16.9 percent.

Corporations and enterprises invest significant financial resources to secure their property and ensure the safety of their intellectual property and employees. Drones carry threatening payloads including spying cameras, network sniffers, IoT hacking devices, and sensitive microphones. Different areas of a single facility may need customized protections, whether it’s an executive briefing center, customer entrance with an ATM, a data center, or research and development laboratory.

Cybersecurity White Paper 5

Cybersecurity threats are advancing due to drones using hacking software, and their ability to swiftly infiltrate sensitive airspace.

“And while you may believe that you have a right to keep drones out of your business, that’s not always simple.” shares tech reporter Lauren Barack, “It’s hard to catch drone pilots who break those rules — particularly those who already know they’re bending them by snapping a photo of a new test car.”

ID AND FOLLOW TARGETS Financial institutions have cameras in every direction of an ATM to protect the safety of their customers. Data centers have multiple security checkpoints to ensure authorized access to sensitive infrastructure. Corporations invest billions in creating infrastructure to protect their assets and customers. One thing they share is vulnerable airspace, and drones are being designed to identify and follow targets to observe security gaps, and accurately detect and manipulate vulnerable networks.

SPY ON OPERATIONS Apple has invested millions of dollars into building the most innovative corporate campus, and yet, drone spies are evading their security teams and even crashing into their buildings. Tesla Motors has observed drones in their airspace, capturing footage and production information on their new automobiles. Despite investment in on-ground security, there’s nothing stopping motivated drone pilots from spying on WalMart and Facebook data centers and posting footage publicly. Drones can also drop high-gain microphones in high-activity areas to gain sensitive information.

SURREPTITIOUSLY EXFILTRATE DATA Researchers with Ben Gurion University’s Cyber Security Research Center demonstrated an alarming hacking technique by using drones to detect vulnerabilities in air-gapped computers installed with malware. Once a computer is infected, a drone with a camera can be deployed to hover outside a window, near the hardware. Detected through electromagnetic signals, the transmitting computer can be located by the drone, and capture data through LED signals emitted by the hard drive.

SNOOP ON AND INFILTRATE NETWORKS In addition to using cameras for spying and computers for hacking, drones are also discretely delivering snooping devices to discover vulnerabilities in a corporation’s security protocols. A sniffing device, Raspberry Pi, or transceiver can monitor employee and security movement, observe or hack into wireless activity, or intercept and log data.

Cybersecurity White Paper 6

Regulators are unable to keep up with the onslaught of issues drones pose to enterprises that looking to protect assets.

An employer without knowledge of drone activity in their airspace opens a dragnet of new legal issues, including hacking threats and compromised employee privacy.

DRONES SPYING ON EMPLOYEES RAISES LEGAL AND ETHICAL PROBLEMS Cameras on drones watch and record all sorts of processes for employers, from monitoring large areas, employee productivity and surveying property for security breaches. Lawsuits brought on by employees against drone spying have been successfully fought and won. Drones also creating a distraction hazard for employees who may not be aware of the nature of the drone or why it’s in their airspace.

DRONE PILOTS MAY NOT BE LIABLE FOR NEGLIGENCE OR DATA BREACHES During a flyover, imagery and associated data, such as GPS coordinates, may not be important information to a pilot, but could be sensitive if the information were made public innocuously. Vulnerabilities could begin at the moment a drone pilot enters a protected area. Federal law may not protect data gathered by a drone, and a drone pilot may be able to own the data they record without any consequence. For corporations alleging injury due to a data breach caused by a trespassing drone, the only data that they can use against a pilot is the data they collect themselves from a drone detection program. (More legal information) However, most data breaches are the result of malicious criminal acts by malicious actors who intentionally steal data.

Cybersecurity White Paper 7

Drone detection technology diagnoses airspace activity, enabling security providers to protect their operations against all drone threats.

Few protections exist for enterprises to prevent drone intrusions, and before enterprises can put together a security program to mitigate risks, company leaders must first gain situational awareness and determine how many drones are entering their airspace. Many organizations jump into standard operating procedures and mitigation, but they can’t do any of that until they first understand if drones are entering their airspace without permission, and when these intrusions are occurring.

Initial airspace assessment reveals all drone activity, including drone types and communications protocols, the amount of times a single drone has visited a protected site, and the flight path. Once a drone is detected, an automated alarm can be deployed as well as a countermeasure, such as lowering blinds, closing doors, shutting off systems, or directing security personnel to monitor a specific area for any interruptions.

With this information, security personnel can adjust ground patrols, determine vulnerable areas, and analyze the severity of their threat. Defense cannot exist without first under-standing and diagnosing the problem. Once an enterprise gains situational awareness of their airspace activity, they can create new security protocols to protect their site and cyber operations.

Take action against rogue pilots before your operations are compromised.

Enterprise security providers must be proactive in assessing their airspace activity and understanding the threats that exist in their skies. Before countermeasures or security protocols can be developed, drone detection technology must be integrated to a security ecosystem, to answer the question: “How many drones are in your airspace?”

Airspace security technology is designed to be integrated into an existing security ecosystem. Enterprises require solutions that meet security standards, integrate with existing procedures, and enable multi-user management at scale. A drone detection technology installation may include new software to help analyze data collected through existing security hardware, or could incorporate new detection hardware, depending on the need and characteristics of the protected site.

Ultimately, an enterprise that takes proactive measures to build intelligence surrounding their airspace activity will be able to strengthen their existing security programs. Organizations must be proactive and hold themselves accountable for the risks unauthorized drones pose to their building, networks and employees, and ensure that no drone pilot interrupts or causes harm.

Additional Reading from Dedrone

• Protecting Against Drones: A Brief Review of Passive Countermeasures

• Airspace Security Report 2017 - Year-End

• Dedrone’s Multi-Sensor Detection Platform Prevents DIY Drones from Sneaking Through the Skies

• Hackers in the Skies: How Drones are the New Weapon for Espionage and Data Hacking

Published April 2018

© 2018 Dedrone

dedrone.com

GLOBAL

HEADQUARTERS

1099 Folsom St

San Francisco, CA 94123