Recently, a team from Stevens Institute of Technology showed off a remote-controlled aerial vehicle loaded with technology designed to automatically detect and compromise wireless networks. The project demonstrated that such drones could be used to create an airborne botnet controller for a few hundred dollars.
Attackers bent on network reconnaissance could use such drones to find a weak spot in corporate and home Internet connections, said Sven Dietrich, an assistant professor of computer science at Stevens, who led the development of the drone.
"You can bring the targeted attack to the location," continued Dietrich. "Our drone can land close to the target and sit there – and if it has solar power, it can recharge – and continue to attack all the networks around it."
Dietrich and two of his students, Ted Reed ’11 and Joe Geis ‘11, presented details of their drone, dubbed SkyNET, at the USENIX Workshop on Offensive Technologies, co-located with the USENIX Security Conference in San Francisco, in mid-August. They used a quadricopter – a toy that costs less than $400 – to carry a lightweight computer loaded with wireless reconnaissance and attack software. They controlled the homemade drone with a 3G modem and two cameras that send video back to the attacker. It cost less than $600 to build.
The researchers showed that the drone can even be used to create and control a botnet – a network of compromised computers. Instead of controlling a botnet via a command-and-control server on the Internet – a common technique that can lead investigators back to the operator – the hackers can issue commands via the drone. This method creates an "air gap" – where two systems, or networks, are physically separated – that could prevent investigators from identifying those responsible for an attack.
"The SkyNET drone project originated as a class project in the advanced cybersecurity class CS675 (Threats, Exploits, and Countermeasures) given in the spring 2011 semester,” explained Dietrich. “There students such as Ted and Joe had an opportunity to apply their computer and network security skills working with me on a project with real-world impact, publish their work at a well-known security conference, and now continue on the cutting-edge beyond graduation."