How Wi-Fi spy drones snooped on financial firm

Check your rooftops: Flying gear caught carrying network-intrusion kit


Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.

The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe. Naomi Wu, a DIY tech enthusiast, demonstrated a related project called Screaming Fist in 2017. And in 2013, security researcher Samy Kamkar demonstrated his SkyJack drone, which used a Raspberry Pi to take over other drones via Wi-Fi.

Now these sorts of attacks are actually taking place.

Greg Linares, a security researcher, recently recounted an incident that he said occurred over the summer at a US East Coast financial firm focused on private investment. He told The Register that he was not involved directly with the investigation but interacted with those involved as part of his work in the finance sector.

The Register corresponded with an individual affiliated with the affected company who corroborated Linares's account and asked not to be identified owing to a non-disclosure agreement and employment concerns.

In a Twitter thread, Linares said the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network.

The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.
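One way to catch the tell-tale the security team noticed, a user's MAC address active on the office Wi-Fi while that same user is logged in from home, is to correlate wireless association logs against remote-access logins. This is an added example, not code from the firm or from the article; the log format, user names, MAC addresses and the `geo` field are constructed assumptions.

```python
from datetime import datetime

# Constructed sample logs (not from the article): Wi-Fi controller
# associations and VPN login/logout events, in a simplified key=value form.
WIFI_LOG = """\
2022-08-15T13:02:10 assoc user=jdoe mac=aa:bb:cc:dd:ee:01 ssid=corp-temp ap=roof-3
2022-08-15T13:05:44 assoc user=asmith mac=aa:bb:cc:dd:ee:02 ssid=corp-temp ap=floor-2
2022-08-15T13:07:03 assoc user=jdoe mac=aa:bb:cc:dd:ee:01 ssid=corp-temp ap=roof-3
"""
VPN_LOG = """\
2022-08-15T08:55:01 vpn-login user=jdoe src=198.51.100.23 geo=home
2022-08-15T12:58:30 vpn-login user=asmith src=203.0.113.9 geo=home
2022-08-15T12:59:00 vpn-logout user=asmith
"""

def parse(line):
    """Split a log line into (timestamp, event, {key: value})."""
    ts, event, *kv = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in kv)

def remote_sessions(vpn_log):
    """Map each user to the (start, end) intervals of their off-site VPN sessions.
    A session with no logout yet is treated as still open (end = datetime.max)."""
    sessions, open_sessions = {}, {}
    for line in vpn_log.splitlines():
        ts, event, f = parse(line)
        if event == "vpn-login" and f.get("geo") != "office":
            open_sessions[f["user"]] = ts
        elif event == "vpn-logout" and f["user"] in open_sessions:
            sessions.setdefault(f["user"], []).append((open_sessions.pop(f["user"]), ts))
    for user, start in open_sessions.items():
        sessions.setdefault(user, []).append((start, datetime.max))
    return sessions

def find_conflicts(wifi_log, vpn_log):
    """Return (user, mac, ap, time) for every office Wi-Fi association that
    happened while the same user had an active off-site VPN session: the
    signal that someone in radio range is reusing that user's MAC address."""
    sessions = remote_sessions(vpn_log)
    alerts = []
    for line in wifi_log.splitlines():
        ts, event, f = parse(line)
        if event != "assoc":
            continue
        if any(start <= ts <= end for start, end in sessions.get(f["user"], [])):
            alerts.append((f["user"], f["mac"], f["ap"], ts))
    return alerts
```

Running `find_conflicts(WIFI_LOG, VPN_LOG)` on the constructed logs flags both of jdoe's rooftop-AP associations and nothing for asmith, whose VPN session had already ended; the access point name in each alert is what points a team toward the physical location to check.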

"This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained.

The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable.

"During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."

According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years.

"The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register.

"This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT Confluence server that contained other credentials for accessing other resources and storing IT procedures."

Long-term problem comes to life

Linares said he had worked on a drone project in 2011 to test network attack capabilities and at the time, power, carry weight, and range were limiting factors.

"We revisited it again in 2015 and drone tech had come a long way," he said. "Now in 2022 we are seeing really amazing drone advancements in power, range, and capabilities (for instance, the amazing synchronized drone shows that China puts out are utterly fantastic)."

"This paired with drone payload options getting smaller and more capable – e.g. Flipper Zero kit – ... make viable attack packages that are reasonable to deploy," said Linares. "Targets in fintech/crypto and supply chain or critical third-party software suppliers would make ideal targets for these attacks where an attacker can easily cover their initial operating costs with immediate financial gain or access to more lucrative targets."

While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework.

"This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations," he said.

Sophos senior threat researcher Sean Gallagher told The Register that the attack described is something people have done while "warwalking" with Wi-Fi Pineapples or the equivalent.

"You bounce a user off the real network and try to get them to connect to your fake network," he explained. "Honestly, unless there's a very specific bit of targeting going on, this is very low on the threat modeling priority list for most organizations, especially when there are so many other ways to get network access without having a physical presence."

Still, it might be worth checking the roof for parked or hovering drones now and again. ®
