SA at risk as hacker drones bypass traditional security
The increased use of unmanned aerial vehicles, or drones, in SA over the last few years has opened local organisations to a significant and evolving scope of threat in areas such as cyber espionage, illegal surveillance, electronic snooping and reconnaissance.
Security experts warn that while drone technology is increasingly being harnessed to carry out a host of commercial tasks faster, safer and more efficiently across industries including agriculture, media, health and defence, it is also increasingly being exploited by criminals as a tool to usher in a new era of physical and IT security threats.
There is an estimated 40 000 to 50 000 drones currently being operated in SA, according to the Rocketmine State of Drone Report 2018, adding to the increasing potential to “punch a gaping hole” in existing physical and IT security strategies.
Pieter Scholtz, infrastructure solutions architect at T-Systems South Africa, believes that as drones become less expensive and their potential applications continue to expand, it is expected that countries across the globe will see a rise and evolution of this threat.
“Every enterprise and every individual protected by a traditional fence now requires an aerial equivalent,” notes Scholtz.
“Drones are bypassing all the traditional security measures that have been in place for years and are breaking all the rules regarding physical access and countermeasures. What compounds the threat is that drones are relatively inexpensive, easy to operate and can carry heavy payloads that can perform surveillance, capture data, or disrupt networks.”
Drones as weapons
One of the key things that both private and public organisations need to do is expand their cyber security policies to include the threat posed by drones, he advises.
He cites an incident in which a German company found a drone parked on the roof of its data centre, where it tried to hack into the centre’s command and control network.
“Hacker drones can eavesdrop electronically on conversations, perform network attacks, or create fake wireless access points that can trick an organisation’s employees to connect to it, instead of the corporate LAN,” Scholtz says.
Elon Musk's research firm, OpenAI, warned that drones could be turned into weaponised, artificial intelligence (AI)-controlled swarms if left unregulated.
In a 101-page report titled The Malicious Use of Artificial Intelligence, OpenAI researchers and partner universities reveal the real danger of drone use could come from hackers wielding malicious code to target vulnerabilities in AI-automated systems, giving people greater capacity to cause physical or political harm.
Experts warn that, apart from breaching physical and cyber defence systems to cause disruption and steal data, drones have serious vulnerabilities that could allow them to be hacked up to a mile away. In addition, drones can be used to cause physical harm, such as being deliberately crashed into planes and placing public safety at risk.
Arthur Goldstuck, MD of World Wide Worx, believes that while surveillance drones are increasingly being used to enhance security and save costs, in the same light they can be used by the “baddies” to wreak havoc.
“It’s open season for industrial spies. Drones are an easy tool for industrial espionage where bad actors, as they are referred to, would use drones to collect sensitive information about important company resources.
“This is done either by infiltrating buildings by way of surveillance or they can create fake WiFi hotspots to access the networks. The problem is that many organisations have not woken up to the reality of this threat and the result can be catastrophic.”
Discussing the possibilities of drones being used to attack government departments, Goldstuck points out that while this is always possible, it is not easy to use drones to attack government systems, due to the high levels of surveillance security systems and electronic defences that often surround governmental buildings.
“In situations where governments themselves are using drones, the software can be hacked into; however, it will not be easy to use drones to attack government departments, as drones are visible tools, and entering a building for a limited period of time without being spotted won’t be easy.”
Are regulatory frameworks enough?
Sam Twala, business and technical director at NTSU Aviation Solutions, says regulations alone will do little to discourage criminals exploiting drone technology for nefarious purposes. Instead, he says, organisations need to rely on drone detection technology to protect themselves.
“Terrorists or people with malicious intent do not read regulations and comply prior to carrying out their plans. Hence, it is important that organisations develop defence models that will help to protect them against drones. Unfortunately, there is ‘no one-size-fits-all’ solution as the variance in threats delivered by drones means many different types of facilities are vulnerable.”
Goldstuck believes the current drone regulations in SA will only protect organisations to a certain extent.
“While the regulations are there, they won’t necessarily protect organisations from criminals whose mission is to ignore the regulations.
“Where the regulations help is that they very strictly regulate the use of drones in public areas and who is using them. So anyone using drones for illegal purposes can be prosecuted.”