
Drone Blind Spots: Pentesting the Airspace Above Critical Infrastructure

BSides Seattle 2026 · 26:29 · 44 views · Published 2026-03
About this talk
Alec Hunter demonstrates drone reconnaissance and penetration testing techniques against critical infrastructure, exposing detection blind spots in current counter-drone defenses. The talk covers drone enumeration methods, detection technologies (DTI systems), red-team operational tactics, and mitigation strategies for facilities protecting sensitive assets.
Original YouTube description: BSides Seattle, February 27-27, 2026, lecture. Presenter(s): Alec Hunter

Transcript [en]

Good morning, BSides Seattle. How are we doing today? Good to hear. Welcome to Drone Blind Spots. Um, today we'll be talking about pentesting the airspace above critical infrastructure. My name is Alec Hunter. My uh moniker is breathadare. I will uh go ahead and throw out that trigger warning right now. Um, there are potentially controversial topics in my um discussion today. Try not to be alarmed. Um, I'm trying to be reasonable with it. So, we've all had some time to look at this photo of Henry Hagg Lake um, in Oregon, where I'm from. Did anyone notice anything strange about this photo there? Oh,

>> Okay. Um, this is blind spot number one. A lot of us don't see drones that are actually there. Um, this is a drone. There is indeed one out there. And we are on top of the Henry um, Henry Hagg Lake Scoggins Dam, which is critical infrastructure. If this dam had been equipped with the most basic of DTI, detect, track, and identification technology, it would know that that drone was there, its exact position, and its serial number and pilot ID. Um, this is the perspective from the drone. It is 1,500 ft away. Um, it can zoom in a lot. At 7x zoom, we can see the spillway and what appears to be a technician standing on top of the dam.

At 28x zoom, we see the technician is waving at us. Well, that is not a technician. Uh, that's my co-worker Noah Bradley, who has a talk at 3M. You guys should check it out. I am Alec Hunter. I've been doing cyber physical security consultancy for the last 5 years, specializing in hardware, IoT, and drones. And um I've been providing normal drone services for up to 10 years. So that's real estate, uh, the whole nine yards. I realized there's a new blind spot recently. Who knows what that is?

>> That's right. It is the Flock Safety camera, which you guys have a lot of here in Washington. Now, people don't like them in Oregon. So, they've been kind of being removed. Uh, so in places like Oregon that don't like them and have been removing them, Flock Safety decided that they should make one that flies. So, this is called drone as a first responder. There are a lot of companies that already provide this, but uh Flock Safety seems to be kind of ratcheting it up. As a matter of fact, um I'm familiar with them. Uh, as far back as 6 months ago, as I was driving up here for BSides Seattle, I saw one of these drones in Everett. Anyone else drive up here from Oregon? All right, just wanted to confirm. It's just flying on the side of I-5. Very strange. Um, here's blind spot number two.

Anything anomalous about all these drones?
>> They all have cameras.
>> They do all have cameras.
>> They all kind of look the same, don't they? Well, that one's a bomb. The whole point of this talk is the fact that I want to um instill upon you that drones will be ubiquitous in our everyday life very soon, just like cars are. They will be flying around all over the place. If anyone is familiar with China, they already kind of have um infrastructure with drones like that. They do food delivery, specifically construction, um law enforcement, um any type of uh crowd control is drones, and that's slowly becoming a reality for America. So, let's talk about some recent license plate innovations. January 1st, 2023, California allows you to put vinyl stickers on the front of your car as your license plate. Um, March 15, 2024, uh, the FAA makes drone Remote ID the law. So, what does that mean? Anytime you go and buy a brand new drone, um, they all have to be compliant. And that is one of these drones that looks nice, right? Like DJI, things like that. All those drones have to be emitting what we would call their license plate. It's the serial number of the drone, uh, via Bluetooth or Wi-Fi. You can actually download an app on your phone and you can always detect drones around you, potentially miles away. Um, they also have to tell you their exact location, which is their lat, long, and altitude. The Remote ID serial number is tied to the pilot when you register the drone, just like a license is tied to you. So just like that we have solved vehicle security. Right now we know cars have license plates. We have faces, and drones have license plates now. Right? So, all of our facilities have great defenses. Um, anywhere you go, there's going to be cameras, right? So, when you go to work, you have badges, ID cards, um, how far you can go into the facility, depth protection, defense in depth. Um, you have guards, and if you do something bad, law enforcement is called. This is also true with drones. Just about all the facilities here in America, um, have Remote ID detection. Uh, have radars. They have um lots of different counter-drone systems in case a drone ever does something, right? We all agree?

>> Oh, I lied about that. Um, our critical infrastructure here in America doesn't detect drones almost ever. That's actually what my job is. I go around all over the place to do critical infrastructure pentesting with drones to make sure that they're able to see them. One of the main things that we always do is a uh threat, site threat model, and that is an initial flight where we fly our drone, and a lot of the time part of the scenario is we just loiter it for one full battery, 20 minutes. We put the drone in one spot, and then when we have a follow-up meeting, we go talk to people, the security people who work at that campus. Guess what? None of them say anyone reported a drone, and it was just flying there. You guys see how that's a hole. If you saw a drone, would you report it? Raise of hands. One guy. You guys are doing not a very good job here. Okay. Um, so, uh, to kind of correct this, the Cybersecurity and Infrastructure Security Agency, CISA, has been putting out, uh, airware guidances about what people with critical infrastructure should do to protect the infrastructure sites. Now, as you notice, these are guidances. They are not uh anything else. They are not compliance or anything that can be enforced. And I wish we would do more of that, because right now our adversaries on the ground have a high risk of committing a crime on critical infrastructure. But a drone has a very low-risk consequence for the pilot when it's detected. So let's talk about what CISA covers. These 16 critical infrastructure sites, some of them are more vulnerable to drones than others. Now, I don't know about you, but all those things on the right are pretty important to me. So, this uh talk is kind of a call to action. For the rest of it, we'll be talking about how pentesting works with drones, aerial assessments, and things like that. I'd like you all to consider uh potentially learning about getting certified to do commercial flights and applying uh cybersecurity principles to your uh drone endeavors. Let's talk about the aerial defense program life cycle. So, in earlier versions of this talk, we would focus a lot on that green part. It's boring. It's mundane. It takes forever to get through. That's on you, and it's a lot of work. So, just keep that in mind. But the whole point of establishing your legitimacy is to get buy-in. And that is getting the right people to say yes to your plan, your terms, and your resources in writing.

Okay. Now, the fun part is the site threat modeling and pentesting part. We always start with an initial assessment, and then that initial assessment leads us to developing scenarios. From there we can do our report, and if any of the people in here are pentesters, you know that 90% of the work is reporting, right? Same for drones. If they like your report, which has recommendations on placing systems that detect drones and dealing with them, uh, you'll do, uh, you'll implement them and tune them. You'll retest your scenarios with the systems in place, and then you'll be able to do red air ops if they ever want to call you back. That doesn't happen a lot.

Let's define a drone. You're all going to need one if you want to get into this. It's a remote-controlled pilotless aircraft or small flying device. S stands for small, under 55 lbs. UA stands for unmanned aircraft, and S stands for system. Now, it is unfortunate that this talk is somewhat controversial, because uh as of yesterday, as you know, we've begun basically war, and drones are um widely used by Iran. So, UAS is going to be in the headlines a lot uh going forward. Is this ancient technology? Looks pretty old, right? This is an F250 frame drone. It's one of the development frames from almost a decade, maybe a decade and a half ago. This is DJI's first drone, but it's not. It's actually modern, because what makes a drone modern is its capability. A drone is made up of an airframe, a power system, a propulsion system, guidance, navigation, control, payloads, and the important part, the companion computer, which allows you to do edge computing. Some of these drones are equipped with Nvidia Jetson boards, which have GPUs. They can do a lot of incredible AI stuff and a lot of scary AI stuff. Um, we can run modern AI modules, and they're completely autonomous-flight capable. So, no pilot necessary. Why do we show you that first? Because these are what we call consumer off-the-shelf. They're COTS drones. They are this one, but with a nice body.

Now, unfortunately for you all, I like DJI a lot, but as of December uh last year, the United States has decided to ban new DJI or Chinese-made drones, which are good drones. So, you're pretty much only going to have the option to buy used drones if you want to get into this. These are the four I recommend. So, if you're interested in getting into this, I recommend taking a photo. Now, defenders, you also will need drones. These are three of the most common drones that you'll find on secure sites. The Skydio X10 is what we call a follow-back drone. It actually abides by the rules of uh DFR, drone first response. Patrol drones are becoming very common in a lot of um more wealthy sites, not necessarily critical infrastructure. So, what this means is when a drone is detected flying into the boundary or breaching um the site, these drones get deployed to follow the drone back to where it may have come from and take photos of whoever may have launched it. What we call soft-kill drones, the one in the center there, is a drone that is meant to mitigate the drone threat without destroying it. That allows us to do forensics on the drone. The hard-kill drone, which is the Anduril Anvil, um is really interesting, because that drone is an AI drone that will ram itself into the drone threat. It will do all the calculations, and then an operator just has to hit enter on the keyboard for it to smash it out into oblivion. All critical infrastructure sites on that right side specifically should have one staff uh person responsible as a pilot. Um, I just don't see another way. We need someone there to understand drones and be able to respond by following them. That is the best mitigation we have without uh approvals for kinetic force. Now the red teaming part: if you are able to do pentesting with drones, you will eventually be able to do red teaming. Uh, red teaming is always going to require you building your own drones. So if you want to build drones, this is a good reason to do so. These are the three major classes of do-it-yourself drones: a Whoop, which is a drone that's primarily made to go indoors; uh an FPV racer, a drone that's primarily made for warfare currently; and the heavy-lift drone, which is your de facto standard drone for uh doing just about anything with red teaming, because they can basically carry anything. You can put any payloads you want. We'll get into that in a moment. Okay, I'm going to show you some of the ones I made. So, as I said before, getting buy-in is the hardest part about doing any pentesting. This is true for normal and drone pentesting, physical pentesting in general. I call it the dog and pony show, because when you meet with the C-suite, they want to see what you're capable of doing. And to do that, you have to show them drones you've built. This is the best way to do it. Trust me, I have five years of learning that the hard way. This drone is a uh drone that we use to teach people drone hacking. Um, you can jam it, hack it, spoof it, whatever. Um, in this, uh, anechoic chamber, which is a Faraday cage. That means no signals leave. Uh, which allows us to do things that would be normally illegal, like jamming and hijacking. Next one is kind of the trigger warning one. This is a threat effects drone. So, we build this one to teach people what the psychological effects of having one of these chase you down are, or um, being in the field with, right? And, uh, they can go 90 miles an hour easily. They have a fake 3D-printed payload on it, but it looks pretty scary. And the people who want this type of training um have always said that even though it's not a real threat, it is the most terrifying thing on the planet. And I'm deeply emotional about this stuff, because I can only imagine what it's like overseas. This is an AI recon drone. This one flies itself completely. It does um autonomous uh signals intelligence, triages those wireless signals, and um we use this drone primarily to evaluate how people respond to the drone threat outside of the boundary of the facility. This drone is a mothership, which allows it to be a relay. As you can see on the bottom of it, it drops a smaller drone via servo that you can control through this drone's relay, and then you fly into the boundary and see how they respond, but they won't target your bigger drone, because you're not necessarily breaking a law with that one. Okay. Now, what is the important part about uh getting your authorized initial assessment? Once you get buy-in, usually by the dog and pony show, your goal is to enumerate. And you have two ways of doing that. You're going to look for observable and actionable, and the cross-section of both, which is in the center. I'm not going to list them all. You can read them. But the whole point of this is to develop threat profiles and scenarios based on the assets that you find on a facility during the site threat model. For the initial assessment, I always like to do espionage. So what is that? Capability is the prosumer COTS, which is um one of those drones. I recommended you guys get one of those four, like the DJI one. And then uh your intent is structured. Structured would mean that you are more than, uh, you are someone who's capable.

Your drone is capable of doing something potentially harmful, potentially cyber crime. Let's talk about that part. An aerial threat is the capability of the drone times the intent of the pilot. This is a little tiny matrix that is non-exhaustive whatsoever about what you could possibly have uh covered. So um again, in the center there, prosumer, structured, corporate espionage. An APT state actor might use a DIY drone, and the sophisticated element of that would be uh chaotic disruption, jamming, things like that, swarms. Uh, the list goes on. You could, you know, use your imagination. Once we make our threat profiles, we apply them to potential scenarios. What's a scenario? It is something that you can repeat. It's like a test case. Uh, and you develop it specifically, uh, tailored for your client. I have determined that there are three types of services you can offer in a scenario. Uh, intelligence-based, transport-based, or chaos-based. Intelligence would cover ISR, um, surveillance, recon, and intelligence, which is what we always do for initial assessment. You always do ISR for the first one. It does not matter. You need to enumerate what the facility is like. Then we can do more things like transport or chaos. Um, who knows what a Rubber Ducky is? Who thinks it's a cool idea to put a Rubber Ducky on a drone, fly it into a facility, and drop it on the ground?

Yeah, that's a pretty good test case. That's a great scenario. So what we do is we come up with things like that, and we create something called a scenario platter, and then we say, okay, here I've come up with a list of scenarios I think would be great to test on your facility. Would you like to do any of them? A lot of the time they say, yeah, let's do one or two. If they like it, they do more. Then you deliver a pentest report. You try to do all your scenarios in one report. You don't want to do a report for each. It just doesn't make sense. Your reporting structure only has two elements that matter for this talk. It's the site threat model, which we kind of just discussed, and the DTI counter-drone placement. These are systems that we're about to discuss for that particular facility. In this case, uh, the dam, Scoggins. Um, this is where I would place three RF detection units and one acoustic detection system. All right. So we layer these systems. There could be uh dozens of them. It's not just you buy one and you're done. Uh, for a campus like the one we're at today, uh, Microsoft should probably have one on every building. So they don't, by the way, and if anyone in Microsoft wants to hire us, please do. So radar DTI detects the drone at the farthest lengths. Um, you usually place all your DTI systems on the site. So that red dot, and then the green circle is just to show you the layer. They go the farthest. It identifies a cross-section of a drone. What does that mean? A drone looks like this normally, right? So, if a radar hits the drone, it's going to look like an X. Make sense? Great. The radar, uh, radio frequency, which is going to be that drone, uh, the Remote ID that we talked about earlier, is going to be falling under this primarily, but if it doesn't have Remote ID, then it can actually uh figure out what the signal type is in many other ways. Uh, but the primary purpose of them is for triangulation. If you can get a bearing on a drone that's not transmitting its location, then you can track it more easily. You can make better reports and investigations. Third is called optical DTI. Uh, when a drone breaches our facility or gets near enough, how do we know it's a drone? Someone needs to either look at it or a camera has to take a photo of it. And then you can kind of figure out what you're dealing with. You can look, you know, do drintent, which is looking up the drone and trying to figure out what model it is. Lastly is acoustic DTI. It's not really worth mentioning. So what we'll talk about is primary and secondary detection. The primary is on those outer rings and the secondary is on the inner rings. The inner rings uh verify the outer rings' detections. So it's called, uh, yeah, first opportunity detection, FOD, the earliest moment your system could have detected a drone. To tune these systems, so when you buy them you usually get a C2. Who knows what a C2 is? Command and control, right? Okay. It's basically um a visual way of looking at data. In the case of drones you're going to see flight paths. So, they're going to look like lines being drawn in an Etch A Sketch. So, to tune them, uh, what we want to do is an automated flight with one of those drones we bought, those commercial off-the-shelf ones, and we're going to try to, uh, write a word in the sky. Best way to do it. You're not really skywriting, but in the terminal, in the GUI of this application, you're going to see the word if the things are tuned properly. Make sense? Cool. Okay. And uh basically this is kind of the goal. When you have got the DTI systems all set up, you want to retest every scenario that they approved initially. Why? Because it's going to allow us to verify whether or not those uh tests would basically fail. Now, from the red team's perspective, blue team has to do what blue team does. Red team has a bit of a harder job. Uh, you need to execute the profile precisely. You have to maintain signature discipline. You cannot cause any safety hazards or accidents, and you need to provide clean artifacts immediately, and by doing so the blue team can work very effectively and very quickly. Their goal, uh, if they have uh a pilot on site, is to find where you, the red team operator, launched your drone and landed it. Usually you're standing by it. If they like that, they will um potentially hire you for red air ops, which is another talk. That's it.

Yeah, please feel free to connect with me on LinkedIn. If you have questions, please feel free to ask. I know it's a lot of information. It's actually much less information than I initially had. I'm still trying to tune the talk, and uh if you have feedback, please give it to me.
>> How scared should we be about Chinese mosquito drones?
>> Uh, they are dangerous. Yes. Um, but we're going to have those out soon, too. It's not just China anymore. Anything else here?
>> Uh, when you posted the drones that you said to, you know, buy if you want to get into it, uh, a couple of them had the exclamation point on.
>> Yeah. Uh, that was the warning that I was saying. So, um, as of December of last year, new DJI or Chinese-made drones are no longer allowed to be sold. They're banned. It's basically a blanket ban. You can only buy grandfathered-in ones, which are used. Yes.
>> Do you know if we can overseas?
>> Uh, you sure can. Uh, it's a legal gray area, but you can do it.
>> Yes.
>> Uh, I was wondering about, uh, where does stuff like, uh, modifying drones to no longer have an ID, or systems that do not have or do not use signals, like fiber optic cable.
>> Um, those are warfare drones. For the context of this type of pentesting in the US, we aren't using warfare drones. Yeah. Um, but it is a concern, and they probably, well, they'll never be allowed to fly in the United States. Fiber optic drones cause a lot of ecological disasters.
>> Does the FAA require a commercial drone license, or is there a drone? There is a drone license.
>> Oh yeah, there's a lot of stuff you got to do. That green part is extensive. If you want to get into this, you'll find out yourself. Uh, but you do need to get licensed with a Part 107 certification. It is a painful process. It's expensive, but it's worth doing.
>> Yeah.
>> Um, question about like the mitigations, like what is like a typical cost to like secure a site?
>> That's a good question. Um, a quarter of a million dollars,
>> not including the operational cost of having
>> um, yeah, that's probably what the system costs. Yeah. Uh, there's a hand back there. Yeah.
>> By the way, uh, quick question is you asked everyone earlier on how many reports. How do you go about reporting it?
>> How do you go about reporting what specifically? Just speak up a little bit. I didn't hear you very well.
>> How do you go about suspicious?
>> I just did a workshop on that uh at this BSides. Um, that would be a long conversation. Uh, if you want to add me on LinkedIn, I'll happily tell you about it there.
>> Yeah.
>> Thank you.
>> Anyone else?
>> Yes. What was your background prior to getting into drones?
>> Uh, pentesting and red teaming. Um, this is just the natural progression.
>> Yep.
>> When registering a drone, what's keeping somebody from putting like fake information there? So it doesn't
>> because it's a government website, like ID.
>> Yeah. You're going to have to provide your government ID.
>> Um, you mentioned, uh, different of the different detection systems. Um, I think the first one was, was it radar? Correct.
>> Yeah, radar. Yeah, one, and then you had, what was it, these uh radio frequency, um, and my follow-up question to that is, um, what are the non-, like you mentioned the mother, the
>> mothership
>> yeah, mothership.
>> Um, follow-back drones, do I presume they can follow back from the small drone to the mothership to you, then?
>> Um, okay. Let's get that out of the way. Uh, you cannot jam, hack, or interfere with a drone in flight. You will go to jail for up to 20 years if you do any of that. Uh, you cannot shoot a drone over your property with a shotgun. You are shooting an aircraft out of the sky. Your only response is to watch that drone, report that drone, or use your own drone to follow it to where it may have launched from. That is all you can do.
>> So, a drone following. So,
>> yeah. do the
>> that. So that's the point of the mothership. The drone is disposable. You don't care about it. It's a canary. You fly it into their boundary. You basically try to figure out what the response would be to a drone intrusion with a cheap teu drone.
>> In the US, who is authorized to neutralize?
>> Only a couple critical infrastructure sites. Um, military defense base, military bases in general. No one else is allowed to.
>> Local law enforcement.
>> Law enforcement can't do anything more than you and I can.
>> Um, are dams and such considered?
>> They sure are.
>> For in terms of kill site for kill drones,
>> no. Um, they're not. The only places you're going to have a drone that will kill your drone is going to be like energy, nuclear reactor areas, um, you know, military bases. It's just those things where there could be catastrophic uh consequences for not dealing with the drone.
>> All right. Thank you everybody.
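The layered DTI model the talk lays out (radar and RF as the outer, primary rings; optical and acoustic as the inner, secondary rings that verify them) and its first opportunity detection (FOD) metric, worked through as an added example. This is not code from the talk, from Alec Hunter, or from any DTI vendor's C2; it assumes a constructed C2 event export with the fields shown, and the track labels, sensor names and the Remote ID serial string are made up for illustration. It also generalises the talk's two-ring picture slightly by reporting, per track, which rings fired and flagging a track that only the inner rings ever saw, which is exactly the "nobody reported the loitering drone" blind spot the talk describes.

```python
"""Layered DTI detection timeline: first opportunity detection per track."""
from dataclasses import dataclass
from typing import Optional

# Layer order follows the talk: radar reaches farthest, then RF, then optical,
# with acoustic last. Outer layers are "primary", inner layers "secondary".
LAYERS = ("radar", "rf", "optical", "acoustic")
PRIMARY = {"radar", "rf"}
SECONDARY = {"optical", "acoustic"}


@dataclass(frozen=True)
class Detection:
    t: float                         # seconds since the scenario clock started
    sensor: str                      # one of LAYERS
    track_id: str                    # track label assigned by the C2
    remote_id: Optional[str] = None  # serial decoded from a Remote ID broadcast, if any


# Constructed sample C2 export for two scenario flights (not real data).
# Track A is a Remote ID-compliant COTS drone seen by every ring; track B
# broadcasts nothing and is only picked up once it is close enough for the camera.
SAMPLE_EVENTS = [
    Detection(12.0, "radar", "A"),
    Detection(15.5, "rf", "A", remote_id="SN-EXAMPLE-0001"),  # constructed serial
    Detection(40.0, "optical", "A"),
    Detection(310.0, "optical", "B"),
    Detection(318.0, "acoustic", "B"),
]


def first_opportunity_detection(events):
    """Return {track_id: (t, sensor)} for the earliest detection of each track (FOD)."""
    fod = {}
    # Ties on time resolve to the outermost layer, since that is where detection should start.
    for e in sorted(events, key=lambda e: (e.t, LAYERS.index(e.sensor))):
        fod.setdefault(e.track_id, (e.t, e.sensor))
    return fod


def layer_coverage(events):
    """Per track, report which rings fired and whether the primary/secondary
    verification chain actually happened."""
    report = {}
    for track in sorted({e.track_id for e in events}):
        seen = {e.sensor for e in events if e.track_id == track}
        primary = sorted(seen & PRIMARY, key=LAYERS.index)
        secondary = sorted(seen & SECONDARY, key=LAYERS.index)
        report[track] = {
            "primary": primary,
            "secondary": secondary,
            # Inner rings confirming an outer-ring detection is the intended chain.
            "verified": bool(primary) and bool(secondary),
            # A track that appears only on inner rings is a blind spot: the outer
            # rings never saw it, so the site had no early warning.
            "outer_ring_miss": bool(secondary) and not primary,
            "remote_id": next((e.remote_id for e in events
                               if e.track_id == track and e.remote_id), None),
        }
    return report


def scenario_passes(events, track_id, launch_t, max_fod_delay):
    """A retest of a scenario passes when the drone was seen within
    max_fod_delay seconds of launch; an undetected track always fails."""
    fod = first_opportunity_detection(events).get(track_id)
    if fod is None:
        return False
    return fod[0] - launch_t <= max_fod_delay


if __name__ == "__main__":
    for track, info in layer_coverage(SAMPLE_EVENTS).items():
        t, sensor = first_opportunity_detection(SAMPLE_EVENTS)[track]
        print(f"track {track}: FOD at t={t}s on {sensor}; verified={info['verified']}; "
              f"outer_ring_miss={info['outer_ring_miss']}; remote_id={info['remote_id']}")
    print("scenario A passes:", scenario_passes(SAMPLE_EVENTS, "A", 0.0, 30.0))
    print("scenario B passes:", scenario_passes(SAMPLE_EVENTS, "B", 0.0, 30.0))
```

Run against a real C2 export, the useful fields are the `outer_ring_miss` flags (they show where the primary ring has a gap in the layer drawing) and the FOD delay per retested scenario, which is the number that tells a site whether its tuning actually moved detection earlier.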