×

The biggest hijacking threat Americans face today

Along the U.S.-Mexico border, drug traffickers are hacking into the drones that border-patrol agents use to monitor from the skies. That was the latest from Department of Homeland Security program manager Timothy Bennett, who shared this news during a panel discussion in mid-December. Despite Bennett's sober delivery, he spoke in no uncertain terms about what U.S. border-patrol agents are up against.

"The bad guys on the borders have lots of money, and what they're putting money into is in spoofing and jamming of GPS [systems]," said Bennett, referring to two techniques used to hack into drones that DHS has been tracking.

The DJI Phantom 3 Standard drone.
David Paul Morris | Bloomberg | Getty Images
The DJI Phantom 3 Standard drone.

Spoofing is a familiar term for those who follow drones closely. It's a technique where a signal sent by hackers impersonates the signal a drone had been receiving, effectively relinquishing control of the drone. In June 2012, a research team from the University of Texas at Austin used spoofing to nearly take a surveillance drone out of the skies. As research team leader Professor Todd Humphreys told Fox News at the time, it was a test of technological mischief with broader implications: "What if you could take down one of these drones delivering FedEx packages and use that as your missile?"

Humphreys' question was a nod toward the drone-filled future that is now 2016. While businesses who would pilot for profit are clamoring for the Federal Aviation Administration to finalize its proposed commercial drone regulations, Amazon is preparing Prime Air (packages delivered to your doorstep and accompanied by the sound of 1,000 angry hornets).

Drones are entering U.S. skies in ever increasing numbers, and spoofing presents one potential threat not only to drones used by the government but also to smaller, unmanned aerial vehicles — the camera-toting quadcopters often used to make YouTube videos of spectacular aerial sights.

"Drone hacking will be an increasing threat in years to come," said Peter Singer, a cybersecurity strategist at the New America Foundation.

Should we be increasingly concerned about the possibility of airborne technology being hijacked?

"The drone manufacturers are looking at encryption methods to secure their drone channels. That would be the most vulnerable to hijacking." -Rich Hanson, head of government and regulatory affairs, Academy of Model Aeronautics

In early 2015, DHS was warning that "current-generation unmanned systems are vulnerable to spoofing, hacking and jamming." But according to Carlos Lazo, a U.S. Customs and Border Protection spokesperson, the vulnerability lies in the smaller drones.

He said that CBP unmanned aircraft systems are equipped with encryption that prevents GPS spoofing, and GPS spoofing does not interfere with CBP's ability to perform its border security mission. Lazo also said that the CBP actively works in concert with the Department of Defense to assess and address possible future threats to their security.

Currently, more than 180,000 recreational fliers — hobbyists who fly drones for fun — have completed their FAA-mandated sign-ups on a drone registration website the agency launched in December. At the December panel, Bennett alluded to the "millions of aircraft that are going to be in the air" over the next few years when talking about small UAVs.

After his 2012 test, Humphreys said that while civilian drones will be vulnerable to spoofing, actually gaining remote access to a drone is not so simple.

"Hacking a drone is a lot more difficult than people make it out to be," said Michael Robinson, department chair of cyber forensics at Stevenson University in Maryland and a threat intelligence analyst for a major software company.

The ease with which a drone is hacked usually depends on the way in which the drone is controlled. Hacking drones that utilize Wi-Fi connectivity in order to fly is an easier prospect, one that Robinson himself described last August at the annual DEF CON hacking conference. When it comes to drones that are operated via radio control, there is no open Wi-Fi connection for a hacker to exploit.

"While those drones are a much more difficult hack, we have seen people who have jammed them," said Terry Kilby, co-owner of drone photography company Elevated Element. Kilby is referring to frequency jammers, devices that interfere with a person's control of a drone. Such jammers can be found and bought online, but using them in the U.S. is illegal.

Manufacturers fight back

Still, gaining remote access to a drone, or even the data being collected by a drone, can be done. Just look at the cybersecurity researchers from China who claimed they successfully spoofed a DJI Phantom 3 and changed its GPS coordinates.

"Someone who wants to do something is going to find the equipment to do it," said Brendan Schulman, vice president of policy and legal affairs at DJI, the company that sells the popular Phantom quadcopters. "I think what we can do as an industry is address the typical user and provide them with the safety features and information that they need to make the appropriate decisions."

Indeed, many drone manufacturers already outfit their aerial devices with a variety of security technology, more for the benefit of the customers than due to a significant fear of someone's drone being hijacked. Geofence software, for example, prevents drones from flying into demarcated GPS coordinates. A fail-safe system on radio-controlled drones ensures that if the connection between the controller and drone is broken, the drone flies itself back to where it took off. So while it might be possible to hack into a drone, as this YouTube uploader shows, chances are good the drone just returns to its starting point.

Nonetheless, the drone industry is taking further steps to safeguard the technology. "The drone manufacturers are looking at encryption methods to secure their drone channels. That would be the most vulnerable to hijacking — the command channel, but also the data link, depending on what kind of data is coming down," said Rich Hanson, head of government and regulatory affairs for the Academy of Model Aeronautics, a nonprofit that represents more than 140,000 model aviation enthusiasts in the U.S.

The FAA doesn't have an official line on the potential of drones being hacked (it declined to speak on the record). Ultimately, whether the sorts of demonstrations that pop up at hacking conferences trickle into the world of purposeful, malicious hacking — the commandeered quadcopter carrying your Amazon order — is the question.

"When you start looking at packages flying and more sophisticated GPS in our airspace, then I think the potential and the consequences become more significant," Hanson said.

For the time being, consumers new to flying drones should focus on responsible flying to ensure that their drones don't end up in a position where a hacking attempt could spell bigger trouble. As Stevenson University's Robinson puts it, inexperienced pilots are the bigger threat — for now.

"The problem we're having now is people flying over people's houses," he said. "People don't know the rules, and I think that's a bigger issue."

—By Andrew Zaleski, special to CNBC.com