Modified off-the-shelf drones carrying wireless network intrusion equipment were discovered on a company's roof, which is quite unusual.
Black Hat 2016, one of the largest security conferences in the world, had discussions on the potential use of consumer drones for hacking. Similar discussions have taken place in the United States.
For example, in 2017, DIY tech enthusiast Naomi Wu showcased a project dubbed Screaming Fist. Furthermore, in 2013, security researcher Samy Kamkar showed off his SkyJack drone, which utilized a Raspberry Pi to wirelessly take control of other drones.
These kinds of assaults have recently become commonplace.
Security researcher Greg Linares recently described an event that he claims took place at a private investment business on the East Coast of the United States during the summer. According to his statement to The Register, he was not personally engaged in the investigation but did have professional interactions with others who were.
The Register had a conversation with a corporate insider who confirmed what Linares said but requested anonymity due to NDA and employment issues.
According to a Twitter thread started by Linares, the hacking incident was uncovered when the financial business saw suspicious activity on an internal Atlassian Confluence page.
The company’s security staff investigated and discovered that the same MAC address was also being used to access the network from the employee’s home, kilometers away. In other words, the legitimate user was active away from the building while someone within range of the building’s Wi-Fi was attempting to use that user’s MAC address wirelessly.
The team then set out to track down the source of the Wi-Fi signal, ultimately using a Fluke system to pinpoint its location.
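The anomaly that exposed the spoofed client, one MAC address seen on two physically separate networks within an implausibly short window, is easy to check for in association logs. The following is an added example (not from the article or the company involved) that runs over a constructed log format in which each line carries a timestamp, a `site=` tag for the controller that saw the client, and a `client=` MAC; the window and field names are assumptions.

```python
"""Flag a client MAC seen at two different sites within an implausibly short
window. Log format and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the first MAC appears at the remote-worker site and
# in the headquarters building less than four minutes apart; the third MAC
# moves between sites hours apart, which is an ordinary commute.
SAMPLE_LOG = """\
2022-07-12T09:02:11 site=remote-vpn  event=assoc client=aa:bb:cc:dd:ee:01 ssid=HomeNet
2022-07-12T09:05:40 site=hq-floor-3  event=assoc client=AA:BB:CC:DD:EE:01 ssid=Corp-Restricted
2022-07-12T09:06:02 site=hq-floor-3  event=assoc client=aa:bb:cc:dd:ee:02 ssid=Corp-Restricted
2022-07-12T11:30:00 site=hq-floor-3  event=assoc client=aa:bb:cc:dd:ee:03 ssid=Corp-Restricted
2022-07-12T18:45:00 site=remote-vpn  event=assoc client=aa:bb:cc:dd:ee:03 ssid=HomeNet
"""


def parse_line(line):
    """Return (timestamp, site, mac) from one 'ts key=value ...' log line."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return datetime.fromisoformat(ts), fields["site"], fields["client"].lower()


def find_colocation_conflicts(log_text, window=timedelta(minutes=30)):
    """Return (mac, earlier_site, later_site, gap_seconds) for every pair of
    consecutive sightings of one MAC at different sites within `window`.
    A hit is a signal to investigate, not proof: MACs are trivially cloned,
    so the alert says 'two devices claim this identity', nothing more."""
    sightings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, site, mac = parse_line(line)
        sightings[mac].append((ts, site))

    alerts = []
    for mac, events in sightings.items():
        events.sort()  # chronological order per MAC
        for (t0, s0), (t1, s1) in zip(events, events[1:]):
            if s0 != s1 and t1 - t0 <= window:
                alerts.append((mac, s0, s1, int((t1 - t0).total_seconds())))
    return alerts


if __name__ == "__main__":
    for mac, s0, s1, gap in find_colocation_conflicts(SAMPLE_LOG):
        print(f"ALERT {mac}: seen at {s0} then {s1} only {gap}s later")
```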
This, Linares said, “took the crew to the top, where they found a modified DJI Matrice 600 and a modified DJI Phantom series.”
According to Linares, the Phantom drone was in perfect working order and carried a modified Wi-Fi Pineapple, a device sold for network penetration testing. The Matrice drone carried a case holding a Raspberry Pi, several batteries, a small GPD laptop, a 4G modem, and another Wi-Fi device. It appeared damaged but was still functional after landing close to the building’s HVAC system.
They found that the DJI Phantom had been used a few days earlier to steal a worker’s credentials and Wi-Fi access, Linares added. “This information was eventually hard-coded into Matrice’s associated tools.”
Linares claims that the drones’ tools were used to attack the company’s internal Confluence page and steal credentials that could then be used to access other internal devices. He claims this is the third hack he has witnessed in the previous two years employing a drone, and that it was only partially successful.
According to Linares’s interview with The Register, “the attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company” (such as a rebranding effort, a move to a new building, a change in the building’s lease, a new network setup, or a combination of these scenarios).
“Because of this transient nature of the network, login credentials and MAC addresses were required for access. The goal of the assault was to get access to a Confluence server within IT that held sensitive information and processes.”
The Long-term Problem Comes to Life
According to Linares, power, carry weight, and range were all issues during a drone project he worked on in 2011 to evaluate network assault capabilities.
In 2015, “we went back to it,” he says, “and drone technology had come a long way.” By 2022, he adds, “truly incredible drone developments in power, range, and capabilities” have become commonplace; “for instance, the great synchronized drone displays that China puts out are totally fantastic.”
Linares said that “this combined with the shrinking and increasing capability of drone payload alternatives – e.g. the Flipper Zero kit – provide realistic assault packages that are reasonably deployable.” If an attacker can pay their initial operational costs quickly with instant financial gain or access to more valuable targets, then they are more likely to go after targets in the financial technology/cryptocurrency sector, the supply chain, or crucial third-party software vendors.
Although the perpetrator has yet to be identified, Linares is confident that they were well-prepared for their attack.
According to him, “this was obviously a threat actor who likely performed internal research for several weeks,” had close access to the target environment, a sufficient budget, and was aware of the environment’s physical security weaknesses.
During an interview with The Register, Sophos senior security researcher Sean Gallagher claimed that the reported attack is something individuals have done when “warwalking” with Wi-Fi Pineapples or similar devices.
The idea, he said, is to lure a user away from the legitimate network and onto your phony one. Since there are several other ways to gain remote access to a network, “unless there’s a very particular amount of targeting going on, this is pretty low on the threat modeling priority list for most enterprises.”