'You can Google it': Security experts raise alarm over online drone-hacking instructions
Manuals on hacking military drones have been available online for quite some time, apparently. Research spotting weaknesses is alarmingly commonplace, an Israeli defense specialist warns, citing its possible use in the 2011 downing of a CIA drone by Iran.
Drones have become a ubiquitous tool for war. They save on costs, prevent soldiers from dying in battle and can perform a number of functions. But with this ubiquity come many risks, and there’s increasingly little stopping malevolent entities from exploiting these.
The manual called ‘The Requirements for Successful GPS Spoofing Attacks’ was published in 2011, just a month before the fact [of the drone’s downing], according to Israel Aerospace Industries cyber-programs director Esti Peshin, who spoke on Monday at the Defensive Cyberspace Operations and Intelligence conference in Washington DC.
"It’s a PDF file… essentially, a blueprint for hackers," Peshin said of the paper, co-authored by Nils Ole Tippenhauer from ETH Zurich in collaboration with University of California academics and others at ETH.
Although there’s no way to tell whether the manual’s publication played a direct role in the downing four years ago, Peshin says the 2011 study could have played a part. The story of Iran’s efforts to take over the drone was reported by the Christian Science Monitor, which outlined techniques eerily similar to the ones described in the ‘manuals’ Peshin spoke of. This aptly demonstrates how easy a target UAVs are in the computer age. All the Iranians had to do was hijack the drone’s navigation systems and guide it down to Earth.
The hack involved fooling the drone by making its onboard GPS lose sight of GPS receivers on the ground. The study also focused on where attackers must position themselves to generate fake signals and fool the drone into thinking it’s flying in the right direction.
"You can Google, just look up 'Tippenhauer' – it’s the first result in Google. Look up 'UAV cyberattacks’ – it’s the third one. ‘UAV GPS spoofing attacks’ – the first one," she added.
The authors of the study claimed it wasn’t a manual for terrorists, but rather a way of drawing authorities’ attention to “effective receiver-based countermeasures, which are not implemented yet in current standard GPS receivers.”
But Peshin says that’s no excuse, as intent doesn’t matter when you’re practically giving someone a loaded gun that begs to be fired.
"The fact is that we are slower than the bad guys and the bad guys could take this article and render it into a form of an attack," Peshin went on. "One of the things that keeps me up at night is cybersecurity for operational networks, military systems, weapons systems."
Peshin is astonished at the United States’ short-sightedness. A security assessment by NATO came out in 2013, listing which drones are “riskier than others.” Making the list were the American Reaper and Sentinel UAVs, each a formidable piece of equipment in its own right.
Reporters at the conference asked if any security measures had been implemented after the 2011 report’s release, but Peshin declined to comment. However, the Pentagon is known to be hard at work on bolstering its drone navigation and surveillance defenses, according to Defense One.
But the 2011 report is only the latest in a series of warnings, if they are to be considered as such: the problem of GPS-hijacking was discussed way back in a Los Alamos National Laboratory vulnerability report of 2003. “In a sophisticated spoofing attack, the adversary would send a false signal reporting the moving target’s true position and then gradually walk the target to a false position,” the authors said, prophetically.
This seemingly dire situation is exacerbated by the fact that much of the infrastructure used to run the deadly machines is outdated, as security expert Marc Rogers explains. “Don’t want to trivialize it, it is actually quite a sophisticated hack, but so long as somebody supplies you with equipment and instructions, anyone can do it,” he told RT.
It will cost the criminal some $2,000-3,000 for the equipment, Rogers explained. Once they gain control, as in the Iranian case, the UAV can be reverse-engineered and another one can be built using the blueprint. “Or, if they want, they can just take it and use it,” Rogers adds.
As he goes on to explain, the old infrastructure used in today’s navigation “doesn’t have protection. And so you can’t put protection on one thing – and not the other. And it will be too expensive to replace all of that infrastructure. So there’s always going to be things that are old and weak… we should start thinking about the big picture, because, by the time someone… uses something like this to interfere with an airplane, the catastrophe will mean it’s too late.”
The tumult over military drone security comes at a time of increasing drone concerns elsewhere. Drones are becoming incredibly common among civilians, and very serious surveillance equipment is being sold in shops, practically packaged as toys. But this veneer doesn’t fool privacy advocates and people who have been scrutinizing the drone issue – a reworking of all laws and regulations relating to drones (not just cybersecurity) is currently being worked on.