On Drones and Physical Security

As commercial and non-commercial drones become more commonplace, so do their dubious applications. We profile several crimes enabled by drones, and how security professionals must now consider the physical implications of defending against such an attack. 

First Published 5th November 2022

When spying on his ex-wife, Friðrik Halldórsson, 54, always puts his physical protection first.

4 min read  |  Reflare Research Team

Flying the Friendly Skies

Back in 2019, The Federal Aviation Administration (FAA) – one of the US transportation agencies of the U.S. government that regulates all aspects of civil aviation in the country and over surrounding international waters – released their forecast for what they anticipate to come by 2039. One particularly interesting part of the report is their prediction of commercial drones tripling by 2023 while the non-commercial drone market will slow down.

The word “drone” has become a mainstay in the media for the past several years. Whether due to success on the battlefield, major brands such as Amazon want to use them to deliver parcels, or people using them to make low-budget films more interesting – if someone can find a way to use a drone, they would do it.  Following are some of the clever  use of drones we saw this year:

Robbing a Bank

Earlier this year,  the French police arrested two men who used a mini-drone to help them steal 50,000 Euro from an ATM of Caisse d'Epargne in Reims. According to the French news outlet Le Journal De Dimanche, the perpetrators skillfully navigated the drone into the tiny air vent of the building into the ATM control room. According to the report, the air vent was too small for a small person to enter but large enough for a mini-drone.

Once the drone was inside the ATM control room, it was then used to press a button which opened the door to the control room. Once in,  the thieves used the secret code that should only be known to the security company managing cash distributions for the bank to open at the ATM vault.

The news also reported one of the people arrested was a former employee of the company that performed maintenance on the ATM and that the secret code to the vault was rarely changed.

Winning In-play Betting

In 2019, Wired Magazine published an article describing profitable horse-racing syndicate operations that utilised drones to gain an edge in in-play betting. The operators used drones to watch the races live from the sky and place their bets before other punters who mainly bet from home and had to rely on video streaming services or local TV channels to watch the races – meaning, they are at least a few seconds behind the drone operators due to transmission delays and other hurdles they have to go through which make them – in a business where a fraction of a second matter – be at disadvantaged.

The practice of transmitting live information from spectators at sporting events about crucial moments in races or matches is also known as courtsiding. While the UK Gambling Commission does not view access to real-time data and footage as cheating, many sports organisations and operators, especially those with a partnership with gambling companies, see this as a threat to their business model and strictly disallow it at their premises. For example, it is not unusual to see spectators getting escorted out from a stadium during a tennis match for transmitting live information out.

In the case of the drone syndicate, the race courses tried everything they could, including sending legal threats to the drone operators. However, their actions were futile.

Hacking Wi-Fi

In October, The Register reported a cyberattack targeting a US private investment firm involving a drone. According to the news article, the hacking incident was discovered when the security team at the financial firm detected unusual activity on its internal Atlassian Confluence page that originated from within the company's network. Upon further investigation,  they found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in remotely from home, several miles away, which raised a red flag.

Using a Wi-Fi testing tool to trace the signal, the team was led to the building roof, where two modified drones were discovered. Attached to one of the drones was a Wi-Fi Pineapple device used for network penetration testing. The other was carrying a case that contained a Raspberry Pi and several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device.

During their investigation, they also found that one of the drones had initially been used a few days before to intercept a worker's credentials and Wi-Fi. The information was then used in the attack against the financial firm.

According to a security researcher with knowledge about the case, the attack had limited success, even though it was the third cyberattack involving a drone that he had seen over the past two years.

Let's Get Physical

Physical security is one of the pillars of information security, and it includes a wide range of measures, from locks and alarms to security guards and CCTV. The level of security you need will depend on the type of business you run, the value of your assets, and the level of risk you are willing to accept. However, as it is getting harder and harder to attack a network directly, we will see many more attacks, like in the stories above, that will try to exploit weaknesses in physical controls.

While most companies no longer hesitate to invest in application and network controls to protect their information, physical control security is still something many organisations neglect.  After all, clever use of drones like the ones we shared above used to only happen in the movies.

Stay up-to-speed on the latest trends and analysis in cybersecurity with your subscription to Reflare's biweekly research newsletter. You can also explore some of our related articles to learn more.