Times have changed in the amazing world of IoT. What once was a new and compelling idea has quickly worked its way into the hearts and minds of consumers everywhere. From wearable devices such as the Fitbit and pet trackers to smart cows and smart farming, IoT is now taking to the sky.
Flying IoT is essentially drones fully equipped with network connectivity capabilities. These devices mark a new frontier for smart devices — one that comes with a host of challenges. One key challenge for flying IoT is security. The security vulnerabilities go far beyond a consumer’s smart device unknowingly being used in a botnet distributed denial-of-service (DDoS) attack.
That’s because drones can be used in multiple ways for nefarious purposes. For example, a hacker might intercept data being transmitted between the drone and a base station. Or, the hacker could use the drone to take physical control of a smart device, using it as a backdoor into a company’s network. If that proposition seems unlikely, consider how in 2016 researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada did just that.
By equipping a drone with an autonomous attack kit, they could hack into a single smart light bulb. The hack quickly spread from one light bulb to every smart light bulb in a targeted office building in just a matter of minutes. This allowed them to turn the building’s lights on and off. Had this been a real attack, it could have been much worse.
At the end of 2019, another group of researchers used a DJI drone to take over a smart TV. Again, had this been a real attack, the hacker could have easily changed the content on the viewer’s screen, displayed phishing messages to obtain private information or even used keyloggers to capture remote button presses.
Despite the security challenge, drones are expected to play an increasingly important role in delivering packages to customers’ doorsteps, tracking criminals, and rapidly delivering emergency supplies such as medications and vaccines. To enable optimal operation of these applications, drone security must be assured. This means companies must address security issues head on rather than treating them as an afterthought.
According to the Open Web Application Security Project, the top ten vulnerabilities in any IoT device, drones included, are:
- Weak, guessable or hardcoded passwords
- Vulnerable network services
- Unprotected ecosystem interfaces
- Lack of a secure update mechanism
- Use of insecure or outdated components
- Insufficient privacy protection
- Unprotected data transfer and storage
- Lack of device management
- Vulnerable default settings
- Lack of physical hardening
With the exception of the very last security vulnerability, each of these issues can be effectively addressed through penetration testing, or pen testing. For example, brute force scanners can crack poor passwords. Service discovery tools can find unguarded devices on the network. Using things such as fuzzing attacks, application layer scans and attacks, and secure communication validation techniques, pen testing can test for and find cybersecurity vulnerabilities early in the drone development process.
However, the continually evolving nature of cyberattacks means that even the best pen test solution can quickly become outdated. The best way to address this is by ensuring any pen test tool used is constantly updated via an ongoing application and threat intelligence subscription. Addressing the last vulnerability, lack of physical hardening, requires a physical solution.
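A defender-side configuration audit for the list above, as an added example that is not from the original article: it checks a constructed drone configuration against five of the OWASP items that can be tested in software and reports each failure under the item's name. The field names, default-credential list, service allowlist, password-length threshold and minimum component versions are all assumptions made for illustration.

```python
"""Audit a drone's declared configuration against software-testable OWASP IoT items.
All field names and thresholds below are assumptions for this example."""

# Constructed sample data: not taken from any real product.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "12345")}
ALLOWED_SERVICES = {("tcp", 443), ("udp", 14550)}  # assumed: HTTPS API + telemetry
MIN_COMPONENT_VERSIONS = {"openssl": (3, 0, 0), "busybox": (1, 36, 0)}

SAMPLE_DRONE = {
    "accounts": [{"user": "admin", "password": "admin"}],
    "services": [{"proto": "tcp", "port": 23}, {"proto": "tcp", "port": 443}],
    "update": {"signed": False, "transport": "http"},
    "components": {"openssl": "1.1.1", "busybox": "1.36.1"},
    "telemetry": {"encrypted": False},
}


def parse_version(text):
    """Turn '1.36.1' into (1, 36, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(device):
    """Return a sorted list of (owasp_item, detail) findings for one device."""
    findings = []
    for acct in device.get("accounts", []):
        pw = acct.get("password", "")
        # Assumed policy: reject known defaults and anything under 12 characters.
        if (acct.get("user"), pw) in DEFAULT_CREDENTIALS or len(pw) < 12:
            findings.append(("Weak, guessable or hardcoded passwords", acct.get("user")))
    for svc in device.get("services", []):
        key = (svc["proto"], svc["port"])
        if key not in ALLOWED_SERVICES:
            findings.append(("Vulnerable network services", "%s/%d" % key))
    update = device.get("update", {})
    if not update.get("signed") or update.get("transport") != "https":
        findings.append(("Lack of a secure update mechanism", "unsigned or plaintext"))
    for name, minimum in MIN_COMPONENT_VERSIONS.items():
        have = device.get("components", {}).get(name)
        if have is not None and parse_version(have) < minimum:
            findings.append(("Use of insecure or outdated components", name + " " + have))
    if not device.get("telemetry", {}).get("encrypted"):
        findings.append(("Unprotected data transfer and storage", "telemetry"))
    return sorted(findings)


if __name__ == "__main__":
    for item, detail in audit(SAMPLE_DRONE):
        print(f"[FAIL] {item}: {detail}")
```

Run as part of a build or release gate, a check like this catches regressions between full pen tests; it does not replace them, since it only inspects what the device declares about itself.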
On the other side of the spectrum, any company vulnerable to a cyberattack via drone can protect itself using a good heterogeneous mix of security solutions to secure its networks. Unfortunately, finding the right mix of solutions is no easy task, since they can be tough to verify and challenging to scale. Plus, interactions between the solutions can sometimes impact security performance and network resiliency.
To counter such issues, companies should seek out an easy-to-use application and security test ecosystem that can verify the stability, accuracy and quality of modern networks and network devices. Ideally, the security solution should be able to simulate real-world legitimate traffic, DDoS, exploits, malware and fuzzing. An ecosystem with these capabilities will allow vulnerable companies to simulate both good and bad traffic to validate and optimize their networks under the most realistic conditions.
As with any new IoT application, there are many technical considerations that must be overcome to get to market quickly and satisfy customers over a long period. In the case of drones, cybersecurity will remain one of the biggest technical considerations.
By designing security measures into drones early in the design cycle and appropriately testing them throughout the development process, companies can gain a much-needed advantage over would-be hackers. Given that modern drones are essentially now computers in the sky, the earliest possible preparation for the inevitable cyberattack is the only way to stay ahead of cybercriminals, while still realizing the full benefit of flying IoT.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.