Euro Security Watch with Mathew J. Schwartz

Attack of the Drones! After White House Crash, Weaponized Aerial Device Worries
Attack of the Drones!
Crashed drone recovered from the White House lawn. Source: U.S. Secret Service

Securing the Internet of Things - routers, "smart" door locks, remotely controllable home climate systems - might have seemed challenging enough. Then someone brought drones to the party.

See Also: Managing Identity, Security and Device Compliance in an IT World

In the wake of a government employee crashing a Phantom drone onto the lawn of the White House at 3 a.m. - as if any confirmation was required, the man has confirmed to the U.S. Secret Service that, yes, he was "inebriated" - questions are being asked about how sensitive airspace can be policed against an object that costs $1,000, weighs just 2.8 pounds, appears to be invisible to radar, and can sometimes be reliably controlled from up to 1,000 feet away.

Drones are the stuff of hacker dreams 

Cue concerns over the potential weaponization of these semi-autonomous, remotely controlled flying machines, and worries they might be modified to carry explosives, chemical weapons, biological agents or guns.

Ironically, the owner and operator of the Phantom "quad copter" that crashed the White House lawn works for the National Geospatial-Intelligence Agency, which is charged with mapping and national security duties, some of which are handled using drones. "The employee was off duty and is not involved in work related to drones or unmanned aerial vehicles in any capacity at NGA," the agency said in a quickly issued statement.

But since 2011, The Wall Street Journal reports, U.S., German, Spanish and Egyptian authorities have collectively foiled at least six would-be terrorist attacks involving drones. That warning comes via a U.S. National Counterterrorism Center analyst, who this month briefed a gathering of law enforcement and critical infrastructure officials on the increasing threat posed by drones, several unnamed attendees at that summit told the newspaper.

Cartels Trial Aerial Deliveries

Drug cartels have also been field-testing their own take on the Amazon Prime Air delivery concept. Last week, authorities revealed that they'd discovered a crashed Phantom drone in Tijuana, Mexico, which had been modified in an apparent attempt to carry drugs into the United States.

In the wake of the crashes, the Phantom drone's Chinese manufacturer, SZ DJI Technology, says it will issue a mandatory firmware upgrade that will prevent its drones from flying within 15.5 miles of downtown Washington, and follow that with another firmware update that will disable attempts to fly across borders.

Those updates will be enforced by GPS controls built into the drone, DJI spokesman Michael Perry tells the Guardian. "We have been restricting flight near airports for almost a year," he says. "The compass can tell when it is near a no-fly zone. ... If, for some reason, a pilot is able to fly into a restricted zone and then the GPS senses it's in a no-fly zone, the system will automatically land itself."

Cypherpunk Dreams

But that will only slap a Band-Aid on the bigger question of how mass-produced consumer drones might be weaponized. Before long, it's a sure bet, too, that hobbyists will start manufacturing drones using 3-D printers, and an open source movement will emerge - as surely it must - to crowdsource the development and maintenance of the software required to pilot such devices.

Indeed, drones are the stuff of hacker dreams, perhaps best embodied by Canadian cypherpunk granddaddy William Gibson in his 2010 dystopian thriller Zero History, in which the plot - spoiler alert - hinges on a massive, Taser-packing penguin drone that gets piloted via an iPhone. Furthermore there's something decidedly Gibson-esque about the possibility that consumer-grade drones might be used to terrorize government officials who themselves have ordered what President Barack Obama refers to as "targeted killing," using much larger, UAV "drones" armed with missiles and operated by U.S. military and intelligence agencies.

Whatever new drone-related regulations the Federal Aviation Administration - or its counterparts abroad - might pass, furthermore, it's a sure bet that would-be criminals or terrorists won't be paying much attention.

Hollywood Threat?

Information security experts have previously sounded warnings over the potential for remote-controlled flying devices to unleash havoc. Following the Sept. 11 attacks, in 2005 user interface pioneer - and model plane remote-control developer - Jef Raskin noted how easy it would be for terrorists to strap bombs to model planes and fly them towards the United States. At the time, information security expert Bruce Schneier characterized that as yet another Hollywood-style movie-plot terrorism risk, which might be best summarized as: "Sure, someone could potentially do this, but it's so elaborate and over-engineered that why would they bother?"

For now, the same is arguably true for Phantom drone attacks. Think about it: If you're planning on unleashing terror with explosives, chemicals or, once consumer drones' payload loadout increases, even nukes, are you going to strap your valuables to a semi-reliable - whatever the skills of the pilot - aerial device?

What the White House incident should highlight, however, is the clear-and-present public-safety threat posed by drones that - inadvertently or otherwise - end up in "protected airspace." To that end, building in new features to protect the physical security of whoever might be around the drone sounds like a great step forward.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network