Have You Checked What’s On Your Roof?


Drones are being weaponized with network intrusion equipment.

Thanks to the rapid pace of technology, staying on top of the latest news is an absolute must for providing effective cybersecurity. A lot of that focus is on watching for vulnerabilities in important software, active attack campaigns, and problematic software patches (here’s looking at you, Windows). Articles that provide details about evolving tactics are a high priority, and while there’s typically a new ransomware or social attack making headlines, this week I found a rather surprising new tactic: drones.

As you most likely know, but just in case you don’t, drones have been around for a fairly long while now, and they come in all sorts of shapes and sizes, and I do mean that literally. Drones range in size from so small they fit in the palm of your hand to missile-sized drones with weaponized payloads, as they were adopted by the military almost immediately and have already seen active use in multiple conflicts. This time they were being used in a whole new way though: to deliver network penetration equipment to an investment firm’s roof and hack its wireless network.

Pineapples From Above!

To give you a rundown of things, the firm’s personnel noticed some odd behavior when a user account currently logged in offsite attempted to access the network locally. After some investigation, they found a drone parked on the roof with a Pineapple device attached to it. Pineapples in this context are off-the-shelf wi-fi penetration testing devices that operate on a USB power source. The attackers launched the drone and parked it on the firm’s roof, where a USB battery powered the Pineapple while it probably ran through various automatic scripts to gain access.
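The signal that exposed this intrusion, an account with an open offsite session also logging in locally, can be checked for automatically. The following is an added example, not code from the original post or from the firm involved; the log format, field names and sample events are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample events (not from the incident): time, user, origin, action
SAMPLE_EVENTS = """\
2024-01-15T08:02:11 asmith vpn login
2024-01-15T08:15:40 bjones wifi login
2024-01-15T09:30:05 cdoe vpn login
2024-01-15T09:47:52 cdoe vpn logout
2024-01-15T10:05:19 cdoe wifi login
2024-01-15T11:21:33 asmith wifi login
2024-01-15T17:00:00 asmith vpn logout
"""

def parse_events(text):
    """Return (timestamp, user, origin, action) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, user, origin, action = parts
        rows.append((datetime.fromisoformat(ts), user, origin, action))
    return sorted(rows)

def find_offsite_onsite_overlap(events):
    """Flag on-site wi-fi logins by users who still hold an open offsite session."""
    open_remote = {}  # user -> start time of the currently open VPN session
    alerts = []
    for ts, user, origin, action in events:
        if origin == "vpn" and action == "login":
            open_remote[user] = ts
        elif origin == "vpn" and action == "logout":
            open_remote.pop(user, None)
        elif origin == "wifi" and action == "login" and user in open_remote:
            alerts.append({"user": user, "wifi_login": ts,
                           "remote_since": open_remote[user]})
    return alerts

if __name__ == "__main__":
    for a in find_offsite_onsite_overlap(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['user']}: on-site wi-fi login at {a['wifi_login']} "
              f"while offsite session open since {a['remote_since']}")
```

In the sample data only `asmith` is flagged: `cdoe` ended the offsite session before connecting on site, and `bjones` never had one.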

Pineapples like the one used in this attack cost a little over $100, while the DJI brand drones used are pretty expensive ($1,000+ USD), so the attackers made a reasonably sized investment. However, just because they were going after an investment firm, where the payout warranted the expense, doesn’t mean the actual cost of pulling off this kind of attack is particularly high.

More Dangerous Fruit-Themed Tech

First off, a drone is little more than a way to deliver your payload and a mobile battery to a rooftop. The smaller the equipment, the less power it consumes, so the longer the battery will last and the smaller the drone you’ll need. That means minimal hardware for the attack itself, but for compromising wi-fi you just need another computer with wi-fi. A Raspberry Pi is less than half the price of a Pineapple, but would require more skill on the part of the attackers to set up (the Pineapple is intended to be used this way after all, while a Raspberry Pi requires programming). Regardless, in terms of actual monetary investment, a skilled programmer could get away with the cheaper of the two.

A Raspberry Pi is light and small, but it would still need some minimal protection from the elements. Even then you wouldn’t require a particularly heavy or powerful drone to lift the total package. It would require some actual testing to determine how long the drone battery would last, but a small- to medium-sized drone could probably run a Pi for at least a day.

The Final Price Tag?

Likely somewhere between $100 and $200 CDN. You could probably get away with an even smaller/cheaper drone, but it’s unlikely the battery life would be long enough to make it worthwhile.

One thing that’s often overlooked about technology is how the physical world affects it. Sometimes the wi-fi signal of an organization will extend far past its building, giving an attacker even more places to hide equipment, like on a neighbor’s roof or in a car parked in your lot. Being aware of new and novel attacks lets you adjust your defenses to compensate, and now that drone-delivered attacks have been shown to be viable and don’t require a massive investment, they’re an attack vector worth watching. You might even want to take a peek on your roof every now and then. You might be surprised what you’ll find.

If you’d like to discuss other new hacks, contact one of our experts to discuss TRINUS’s latest cybersecurity packages.

For this week’s Shakespeare quote I’ll pull a line from Macbeth: “If you can look into the seeds of time and say which grain will grow and which will not, speak then unto me.”

 

Be kind, courtesy your friendly neighbourhood cyber-man.
