Most people do not realize it, but every time they switch on their laptop or smartphone, they are potentially opening themselves up to becoming victims of Virtual Terrorism. Almost any object connected to the Internet and with a camera can be turned into a cyber drone that can watch and listen to people just like a drone can. While a drone can spy on people whether they are invited or not (usually from a distance), a phone, laptop or webcam brought into a home or office by their rightful owners can be turned into a drone or robot via remote control, making it possible for anyone to spy on anyone anywhere and at any time.
In 2015 a group of researchers from Singapore demonstrated the feasibility of launching a cyberattack using just a drone and an app running on an Android smartphone. They literally zoomed in on an overlooked weak link that is ubiquitous in every office -- the wireless printer. The researchers exploited the common assumption that attackers must be in relatively close physical proximity (i.e. within the local network) to access a printer, and that there was no need to secure or encrypt a printer’s wireless access, which usually remains unsecured by default.
Flying a drone equipped with an Android smartphone and a special app, the team had enabled remote scanning and access to unencrypted wireless office printers. After identifying an open printer’s wireless network, the app established a similar wireless access point on the cellphone residing on a drone hovering within Wi-Fi reception range of the office building. The app tricked the office staff into believing they had sent a print job to the departmental printer, when in reality they had printed a document into the smartphone, so to speak. The smartphone later sent the print job to the cloud via its 3G/4G connectivity and placed it in the attacker’s Dropbox. To cover their tracks, the attackers’ app could resend the print job back to the printer so that the office staff would be able to collect the printout, albeit without too long a delay, so as not to draw suspicion.
The US Transportation Security Administration (TSA) conducts a security background check of all remote pilot applications prior to issuance of a certificate (which means that pilots must first volunteer to be ‘screened’, since the US government has no way of knowing who is actually operating a drone). Operators are responsible for ensuring a drone is safe before flying, but the FAA is not requiring small drones to comply with Agency airworthiness standards or aircraft certification. Although the rules do not specifically deal with privacy issues in the use of drones, and the FAA does not regulate how drones gather data on people or property, the FAA ‘encourages’ all drone pilots to check local and state laws before gathering information through remote sensing technology or photography.
The ‘limited’ scope of current regulations governing drones is evidence of the embryonic nature of the drone industry. Local, state and national governments will continue to struggle with how to regulate and manage drones going forward. At least there has been an attempt made to seriously regulate the drone sector, but doing so comprehensively and effectively will remain a challenge for the foreseeable future.
While there is an ongoing assumption that drones can ultimately be regulated (and thus, controlled, to some degree), that remains to be proven. Other aspects of the cyber ecosystem are unlikely to ever be effectively regulated. One such component is the Global Positioning System (GPS), which we all rely on to one degree or another. Most people do not think about it much, but the data stream that we use to get from one place to another via GPS is mostly unauthenticated and unencrypted. While its open nature has been its biggest strength, it is fast becoming its biggest flaw.
The core issue is that we use a lot of GPS infrastructure that is based on a security architecture from the 1970s, roughly equivalent to operating computers without firewalls or basic security checks. Since its signals come from satellites, GPS relies on very weak signals that are extremely vulnerable to spoofing attacks and jamming. There have been numerous instances when ordinary individuals have unwitting interrupted normal operations of businesses, airports, and even entire small towns by using simple GPS jamming equipment to shield themselves from the prying eyes of their employers.
Given the potential gravity of the problem, governments around the world have devoted substantial resources to attempting to better secure GPS systems. Since 2009 the US Department of Homeland Security began a program called Patriot Watch, wherein a network of sensors are able to detect, characterize, and locate interference sources. The US Defense Advanced Research Projects Agency has also been working on an app that would make Android cellphones able to detect GPS jamming sources.
Being cognizant of the risks associated with using what is today considered ‘basic’ technology - such as laptops, smartphones, and GPS - is at least half the battle associated with thinking about ways to combat virtual terrorists. Since we are essentially inviting virtual terrorists into our homes, cars, and offices every time we turn these devices on in these locations, we should perhaps consider whether investing in more secure forms of operational technology will make us feel better about doing so. Most people would undoubtedly trade some convenience for enhanced security, and would no doubt spend good money to be able to achieve it. The question becomes whether it is actually achievable.
*Daniel Wagner is the author of the new book “Virtual Terror”, founder of Country Risk Solutions, and Managing Director of Risk Cooperative.