‘Flying IoT’ is immensely useful, especially with 5G capabilities on the horizon. But such drones harbor complex IoT cybersecurity issues.

The Internet of Things is now taking to the sky. ‘Flying IoT’ is essentially drones fully equipped with network connectivity capabilities, and it marks a new frontier for smart devices—a frontier that comes with a host of challenges, according to an IoT specialist.

One key challenge for flying IoT is security, and it goes far beyond a consumer’s smart device unknowingly being used in a botnet distributed denial-of-service (DDoS) attack. That is because drones can be used in multiple ways for nefarious purposes. For example, a hacker can intercept data being transmitted between the drone and a base station. Or, a hacker could use the drone to take physical control of a smart device, using it as a backdoor into a company’s network.

According to Cherly Ajluni, IoT Solutions Lead, Keysight Technologies, if that proposition seems unlikely, consider that in 2016 researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada did just that.  By equipping a drone with an autonomous attack kit, they hacked into a single smart light bulb. The hack quickly spread from one light bulb to all such smart light bulbs in a targeted office building in just a matter of minutes, allowing them to turn the building’s lights on and off. Had this been a real attack, the outcome could have been much worse.

Drone-based IoT attacks

In 2019, another group of researchers had used a drone to take over a smart TV.  Again, had this been a real attack, hackers could have easily changed the content on the viewer’s screen, displayed phishing messages to obtain credentials, or even used keyloggers to capture remote button presses.

Drones offer a compelling solution for rapid delivery of vital medical supplies but they are a potential source of cyberthreats.

Despite the security challenge, drones are expected to play an increasingly important role in everything from delivering packages to customer’s doorsteps and tracking criminals, to the rapid delivery of emergency supplies, medications, and vaccines. To enable optimal operation of these applications, drone security must be assured. That means, addressing the issue head-on rather than as an afterthought.

According to the Open Web Application Security Project (OWASP), the top 10 vulnerabilities in any IoT device, drones included, are:

  • Weak, guessable, or hardcoded passwords
  • Insecure network services
  • Insecure ecosystem interfaces
  • Lack of a secure update mechanism
  • Use of insecure or outdated components
  • Insufficient privacy protection
  • Insecure data transfer and storage
  • Lack of device management
  • Insecure default settings
  • Lack of physical hardening

The first nine vulnerabilities can be effectively addressed through penetration testing (PenTest). Brute force scanners, for example, can crack poor passwords. Service discovery tools can find insecure devices on the network. Using things like fuzzing attacks, application layer scans and attacks, and secure communication validation techniques, PenTest users can test for and find cybersecurity vulnerabilities early in the drone development process.

However, the continually evolving nature of cyberattacks means that even the best PenTest solution can quickly become outdated. The best way to address this is by ensuring any PenTest tool used is constantly updated via an ongoing application and threat intelligence subscription. Addressing the last vulnerability—lack of physical hardening—requires a physical solution.

Addressing Flying IoT vulnerabilities

On the other side of the spectrum, any company vulnerable to cyberattack via drone can protect itself using a good heterogenous mix of network security solutions. However, finding the right mix is not easy, since the solutions can be tough to verify together, and challenging to scale. Also, interactions between the solutions can sometimes impact security performance and network resiliency.

According to Ajiluni, businesses should seek out an easy-to-use application and security test ecosystem that can verify the stability, accuracy, and quality of modern networks and network devices. Ideally, it should be able to simulate real-world legitimate traffic, DDoS, exploits, malware, and fuzzing.

An ecosystem with these capabilities will allow vulnerable companies to simulate both good and bad traffic to validate and optimize their networks under the most realistic conditions.

As with any new IoT application, getting Flying IoT drones to market quickly, securely and sustainably will remain as one of the biggest technical considerations. “By designing security measures into drones early in the design cycle and appropriately testing them throughout the development process, developers can gain a much-needed advantage over would-be hackers. Given that modern drones are essentially now computers in the sky, the earliest possible preparation for the inevitable cyberattack is the only way to stay ahead of cybercriminals, while still realizing the full benefit of the flying IoT,” said Ajiluni.