Drones have very much been in the news lately after Rand Paul’s fiery filibuster on the senate floor about the civil liberty implications of government drone use. However, less has been said about the IT security aspects of drones. Certainly, people should be thinking of what the future use of these devices might mean to our privacy, not just on a distant foreign battlefield but possibly in use by the FBI and state and local police force for surveillance. If you haven’t seen the NOVA documentary on modern drones and their capabilities, “Rise of the Drones,” I highly recommend it. The capabilities of today’s drone technology are mind blowing, never mind what will be available in five or ten years.
But back to the main subject of this post: the security of these flying surveillance and attack platforms. Just like any piece of modern equipment, these devices are flying servers with high-end video recording and sometimes offensive capabilties. Think of a flying HD DVR device like you use in your corporate security. Except instead of the command and control signals travelling over a closed network, they go over the airwaves and travel over wide distances. The internal designs and configurations are highly classified but you can be sure that sooner or later, at least some of these plans will leak out. Our enemies or even our allies could recover downed craft and reverse-engineer the code to find ways to hack them. And even if that doesn’t happen for a while, open-source versions that are almost as sophisticated as the military ones are already downloadable off the Internet. How long will it be till terrorist or insurgents can launch their own mini-airforces? And at a fraction of the cost of traditional war planes.
Perhaps they won’t even need to build their own. Last year, it was reported that some US drones were still sending their data transmissions in the clear so enemies on the ground could intercept and use them even though the military had been warned of this issue years earlier.
How do we know if these vulnerabilities have been fixed since then? We don’t. Due to the sensitive nature, we don’t know about the current security status of the drone fleet. We don’t know if there are regular penetration tests being done on them or if they meet any modern standard for IT security. Imagine a DDOS attack on a vulnerable drone; it could have the potential to knock it out of the sky. God forbid one gets “owned” by the enemy. They could be turned on our troops in the field. And never mind the nightmare scenario of domestic drones being turned against civilians. I only hope the government is dedicating proper IT security resources and scrutiny to securing these vital elements of our military infrastructure. Because when you take away the Hellfire missiles and wings, they are no different than any other government or corporate server that has something that the bad guys want. And trust me, they want these goodies really badly.