On Drones and Physical Security
by Reflare Research Team on Nov 5, 2022 7:47:00 PM
As commercial and non-commercial drones become more commonplace, so do their dubious applications. We profile several crimes enabled by drones, and how security professionals must now consider the physical implications of defending against such an attack.
First Published 5th November 2022
When spying on his ex-wife, Friðrik Halldórsson, 54, always puts his physical protection first.
4 min read | Reflare Research Team
Flying the Friendly Skies
Back in 2019, the Federal Aviation Administration (FAA), the US government agency that regulates all aspects of civil aviation in the country and over surrounding international waters, released its aerospace forecast for the period up to 2039. One particularly interesting part of the report is its prediction that the commercial drone fleet would triple by 2023 while growth in the non-commercial (hobbyist) drone market would slow down.
The word “drone” has been a mainstay in the media for the past several years, whether because of drones' success on the battlefield, major brands such as Amazon wanting to use them to deliver parcels, or people using them to make low-budget films more interesting. If someone can find a way to use a drone, they will. The following are some of the more creative uses of drones we saw this year:
Robbing a Bank
Earlier this year, French police arrested two men who used a mini-drone to help them steal 50,000 euros from a Caisse d'Epargne ATM in Reims. According to the French news outlet Le Journal du Dimanche, the perpetrators flew the drone through the building's tiny air vent into the ATM control room. The vent was too small for even a small person to fit through, but large enough for a mini-drone.
Once inside the control room, the drone was used to press the button that opened the room's door. Once in, the thieves opened the ATM vault with a secret code that should only have been known to the security company that manages cash replenishment for the bank.
The report also noted that one of the men arrested was a former employee of the company that performed maintenance on the ATM, and that the vault code was rarely changed. Both weaknesses will be familiar from the digital world: a shared secret that was never rotated after staff turnover, and an unmonitored entry point that was assumed too small to matter.
Winning In-play Betting
In 2019, Wired published an article describing a profitable horse-racing syndicate that used drones to gain an edge in in-play betting. The operators flew drones over the track to watch the races live from the sky and placed their bets before other punters, who mostly bet from home and relied on video streaming services or local TV channels. Transmission delays put those punters at least a few seconds behind the drone operators, a decisive disadvantage in a business where fractions of a second matter.
The practice of transmitting live information from inside a venue about crucial moments in races or matches is also known as courtsiding. While the UK Gambling Commission does not treat access to real-time data and footage as cheating, many sports organisations and operators, especially those with gambling-company partnerships, see it as a threat to their business model and strictly prohibit it on their premises. It is not unusual, for example, to see spectators escorted out of a tennis match for transmitting live information.
In the case of the drone syndicate, the racecourses tried everything they could, including sending legal threats to the drone operators, but their efforts were futile.
Hacking Wi-Fi
In October, The Register reported a cyberattack on a US private investment firm that involved drones. According to the article, the incident was discovered when the firm's security team detected unusual activity on its internal Atlassian Confluence page that originated from inside the company's network. On closer investigation they found that the user whose MAC address had been used to gain partial access to the company Wi-Fi network was also logged in remotely from home, several miles away, which raised a red flag.
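The red flag in that story, the same account present on the office Wi-Fi and on a remote VPN session at the same time, is easy to turn into a detection. The following Python is an added example written for this article, not code from The Register's report or from the firm involved; the log format, account names, MAC addresses, IP addresses and timestamps are constructed, and the 12-hour cap on open VPN sessions is an assumed tuning value.

```python
# Added example (not code from the original article or from the firm involved):
# correlate Wi-Fi association logs with VPN session logs and flag any account
# that is associated to the office Wi-Fi while it also has a live remote VPN
# session. Log format, user names, MACs, IPs and timestamps are constructed.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs in an assumed "key=value" format.
WIFI_LOG = """\
2022-10-03T09:12:05Z assoc user=jdoe mac=3c:22:fb:aa:bb:cc ap=roof-ap-02 ssid=corp
2022-10-03T09:14:40Z assoc user=asmith mac=a4:83:e7:11:22:33 ap=floor3-ap-01 ssid=corp
2022-10-03T09:20:11Z assoc user=jdoe mac=3c:22:fb:aa:bb:cc ap=roof-ap-02 ssid=corp
2022-10-03T09:25:00Z assoc user=bwong mac=f0:18:98:44:55:66 ap=floor2-ap-03 ssid=corp
"""

VPN_LOG = """\
2022-10-03T07:00:00Z vpn-connect user=asmith src=198.51.100.7
2022-10-03T08:30:00Z vpn-disconnect user=asmith
2022-10-03T08:55:00Z vpn-connect user=jdoe src=203.0.113.45
2022-10-03T09:30:00Z vpn-connect user=bwong src=192.0.2.88
"""

WIFI_RE = re.compile(
    r"^(?P<ts>\S+) assoc user=(?P<user>\S+) mac=(?P<mac>\S+) ap=(?P<ap>\S+)"
)
VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpn-(?P<event>connect|disconnect) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?"
)

# Assumption: a VPN session with no disconnect event is treated as still open
# for at most this long, so a stale session from last week does not alert.
MAX_OPEN_SESSION = timedelta(hours=12)


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp used in both logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def vpn_sessions(lines):
    """Return {user: [(start, end, src), ...]}; end is None for a session still open."""
    sessions, open_sessions = {}, {}
    for line in lines:
        m = VPN_RE.match(line)
        if not m:
            continue
        ts, user = parse_ts(m["ts"]), m["user"]
        if m["event"] == "connect":
            open_sessions[user] = (ts, m["src"])
        else:
            started = open_sessions.pop(user, None)
            if started is not None:
                sessions.setdefault(user, []).append((started[0], ts, started[1]))
    for user, (start, src) in open_sessions.items():
        sessions.setdefault(user, []).append((start, None, src))
    return sessions


def find_conflicts(wifi_lines, vpn_lines, max_open=MAX_OPEN_SESSION):
    """Flag Wi-Fi associations that overlap a live VPN session for the same user."""
    sessions = vpn_sessions(vpn_lines)
    alerts = []
    for line in wifi_lines:
        m = WIFI_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        for start, end, src in sessions.get(m["user"], []):
            effective_end = end if end is not None else start + max_open
            if start <= ts <= effective_end:
                alerts.append({
                    "user": m["user"], "mac": m["mac"], "ap": m["ap"],
                    "wifi_time": ts.isoformat(), "vpn_src": src,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_conflicts(WIFI_LOG.splitlines(), VPN_LOG.splitlines()):
        print("ALERT: user on office Wi-Fi while VPN session is live:", alert)
```

On the constructed logs only jdoe fires: asmith's VPN session ended before the Wi-Fi association and bwong's started after it. The alert carries the access point name so that, as in the incident, the next step can be a physical sweep of the signal rather than only a password reset.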
Using a Wi-Fi testing tool to trace the signal, the team was led to the building's roof, where two modified drones were found. Attached to one was a Wi-Fi Pineapple, a device sold for wireless penetration testing. The other carried a case containing a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem and another Wi-Fi device.
The investigation also found that one of the drones had been used a few days earlier to intercept an employee's Wi-Fi credentials, which were then used in the attack on the firm.
According to a security researcher with knowledge of the case, the attack had only limited success. He added, however, that it was the third drone-assisted cyberattack he had seen in the past two years.
Let's Get Physical
Physical security is one of the pillars of information security, and it covers a wide range of measures, from locks and alarms to security guards and CCTV. The level of protection you need depends on the type of business you run, the value of your assets and the level of risk you are willing to accept. But as attacking a network directly becomes harder, we will see many more attacks, like those in the stories above, that try to exploit weaknesses in physical controls instead.
While most companies no longer hesitate to invest in application and network controls to protect their information, physical security is still something many organisations neglect. After all, until recently, clever uses of drones like the ones above only happened in the movies.
Stay up-to-speed on the latest trends and analysis in cybersecurity with your subscription to Reflare's biweekly research newsletter. You can also explore some of our related articles to learn more.