Cybercrime Takes Flight: The Case of the Dual-Drone Hack


For a while, it seemed like drones were everywhere – you couldn’t spend a day at a park or go to an outdoor event without hearing the familiar whir of propellers starting up and buzzing over the crowd. Cool concert footage notwithstanding, drone operators have often faced some contention over their right to fly, particularly after notable incidents like the time a drone crashed into a bike race, causing one cyclist to crash (thankfully with only minor injuries), or the time a drone operator buzzed a police helicopter during a manhunt. Then the FAA stepped in, and there was less danger of a drone colliding with a commercial airliner. However, there are still concerns about drones simply falling from the sky and knocking you unconscious.

Despite all the concerns that led to regulations on where and how to fly drones, one thing that was not addressed was drone security. Not the drones themselves being hacked—although that is actually upsettingly easy—but drones being used to infiltrate networks.


Enter the threat from above

As reported in The Register, it started with unusual activity on an internally hosted Confluence page. When security personnel spotted this, they traced it to a MAC address on their corporate WiFi... one that happened to match a device logged in on a network several miles away. After verifying that the user was, in fact, working from home, they used a WiFi signal tracer to follow the signal this device was attached to... and it led them to the roof.

There, much to their surprise, they discovered a pair of drones.
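The tell that started the investigation above was one MAC address holding sessions at two sites at once. The following is an added example of that check, written for this post and not code from the original article or from Portnox: it walks a small set of constructed association log lines (the `key=value` format, site names, usernames and MAC addresses are all assumptions for the example) and raises an alert whenever a MAC associates at one site while it still has an open session at a different one. Roaming between access points at the same site is treated as normal, and sessions with no `disassoc` inside a configurable window are expired so that a missed disconnect does not cause a false alert days later.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample association log (not real data). Assumed format: ISO-8601 UTC
# timestamp followed by key=value fields as a Wi-Fi controller or VPN gateway
# might emit them. "HOME-VPN" stands in for the remote network the post mentions.
SAMPLE_LOG = """\
2022-10-04T08:02:11Z site=HQ ap=floor3-ap01 mac=3C:22:FB:AA:BB:CC user=jdoe event=assoc
2022-10-04T08:05:40Z site=HQ ap=floor3-ap01 mac=a4:5e:60:11:22:33 user=asmith event=assoc
2022-10-04T17:30:00Z site=HQ ap=floor3-ap01 mac=3c:22:fb:aa:bb:cc user=jdoe event=disassoc
2022-10-05T09:14:02Z site=HOME-VPN ap=vpn-gw1 mac=3c:22:fb:aa:bb:cc user=jdoe event=assoc
2022-10-05T09:20:17Z site=HQ ap=roof-ap03 mac=3c:22:fb:aa:bb:cc user=jdoe event=assoc
2022-10-05T09:41:00Z site=HQ ap=floor2-ap07 mac=a4:5e:60:11:22:33 user=asmith event=assoc
"""


@dataclass
class Event:
    ts: datetime
    site: str
    ap: str
    mac: str
    user: str
    kind: str


def parse_line(line: str) -> Event:
    """Parse one key=value log line; MAC addresses are normalised to lower case."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, kv["site"], kv["ap"], kv["mac"].lower(), kv["user"], kv["event"])


def find_duplicate_mac_sessions(
    log_text: str, max_session: timedelta = timedelta(hours=12)
) -> List[Tuple[str, str, str, str, str]]:
    """Return one alert tuple (mac, user, existing_site, new_site, iso_time) for
    every association where the same MAC already holds an open session at a
    different site. Sessions silent for longer than max_session are treated as
    stale, so a missed disassoc does not produce a false alert days later."""
    # mac -> {site -> time of the most recent association at that site}
    open_sessions: Dict[str, Dict[str, datetime]] = {}
    alerts: List[Tuple[str, str, str, str, str]] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        sites = open_sessions.setdefault(ev.mac, {})

        if ev.kind == "disassoc":
            sites.pop(ev.site, None)
            continue
        if ev.kind != "assoc":
            continue

        # Expire sessions that have been silent longer than max_session.
        for site in [s for s, since in sites.items() if ev.ts - since > max_session]:
            del sites[site]

        # Roaming between APs at the same site is normal; a second site is not.
        for other_site in sorted(sites):
            if other_site != ev.site:
                alerts.append((ev.mac, ev.user, other_site, ev.site, ev.ts.isoformat()))
        sites[ev.site] = ev.ts

    return alerts


if __name__ == "__main__":
    for mac, user, old, new, when in find_duplicate_mac_sessions(SAMPLE_LOG):
        print(f"{when} ALERT mac={mac} user={user} open at {old}, now associating at {new}")
```

Run against the sample, the script flags exactly one event: the home-office MAC associating at HQ six minutes after it opened a session from home. In practice the input would be the controller's or RADIUS server's accounting records, and the alert is only the starting point; the investigation still has to confirm with the user where they actually are, as the team in the story did, since a MAC address can be copied.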

One of them carried a WiFi Pineapple. Unlike the delicious fruit, this is a device used by security testers to probe WiFi networks for weak spots. Unfortunately, it is also very useful to hackers who want to use it as a rogue access point. Apparently, this particular drone had made a prior visit, during which it discovered a temporary, less-than-secure WiFi network that it was able to snoop on to obtain an employee’s credentials and MAC address. Then, a couple of days later, it came back with a friend carrying almost $15,000 of spying and hacking equipment – including a Raspberry Pi, a 4G modem, a laptop, and several extra battery packs. The credentials the first drone had stolen a few days earlier were hard-coded into all of these tools.

Thanks to the company's exceptionally vigilant security team, the attackers did not get much – and they did not get their drones back, either.

Are the drones coming for all of us?

Realistically, probably not. This wasn’t a cheap endeavor, nor was it simple to plan and execute. All told, the hackers spent a lot of money and put a lot of time and effort into this operation. Given the amount of customization, research, and lucky timing involved, it’s unlikely that this could be easily replicated. The fact that the target of this hack was an unnamed financial institution suggests that it was only worth it to the hackers for the potential of an exceptionally large payout. Of course, this isn’t to say it couldn’t happen, but it’s not likely that armies of drones will be filling the skies to perch on the roof of your building and spoof your WiFi network any time soon.

What you SHOULD be worried about is that hackers rarely have to go to this much trouble to breach your network. When you look at other high-profile breaches like Okta and Cisco, the hackers simply had to gain access to an employee’s Gmail account. When Target was breached in 2013, it was via malware installed on an HVAC contractor’s laptop (not even an actual Target employee!). The sad truth is that, with 81% of all data breaches caused by stolen, weak, or re-used passwords, hackers don’t have to put much effort into getting access to your network.

The lesson here is not that this happened, but that good security will protect you no matter where the threat comes from. Thanks to the vigilant efforts of a security team that noticed the odd activity right away, the breach didn’t happen – ultimately, the hackers didn’t get anything of value.

Try Portnox Cloud for Free Today

Gain access to all of Portnox's powerful zero trust access control free capabilities for 30 days!