DRONELIFE Exclusive: Can Hackers Use Drones to Steal Your Personal Data?

A conversation with leading data protection expert Michael Bruemmer, VP of Data Breach Resolution at Experian, multinational consumer credit reporting company.  We talked to Bruemmer about a hacker’s favorite tool, “smishing”, and what consumers can do to protect themselves.

The Pineapple

Drones are a useful tool for many critical industrial applications.  But when hackers use drones to help make their hacking tools more effective, consumers need to be even more protective of their personal data.  Michael Bruemmer describes one such tool to DRONELIFE: meet the Pineapple.

“The Pineapple is a hand-held device that individual hackers (and cyberthieves) can purchase for about $99 on the Hak 5 website,” says Bruemmer. “While originally developed to be used by security professionals – the “good guys” – to help spotlight how too many unsecured Wi-Fi networks were easily subject to “spoofing attacks,” it soon fell into the hands of cybercriminals.”

“With the device in hand, a cybercriminal can easily steal sensitive data, like passwords to an online bank account, from nearby users connected to unsecured Wi-Fi networks, such as at a conference or a coffee shop,” Bruemmer explains. “The device, while certainly useful to security professionals testing the integrity of Wi-Fi networks, is legal for anyone to buy, and at just $99 it’s been very tempting to bad actors.”

Expanding the Reach with Drones

Bruemmer explains how combining hacking devices like this with drones could introduce new risks to consumers – allowing hackers to fly over parks or public spaces, scooping up data.  “[A]s more and more cities install mobile hot spots in busy urban areas such as parks, stadiums and business districts, the pool of unsecured online targets has gotten far deeper,” says Bruemmer. “Given the size of the Pineapple device it would not be complicated for a cybercriminal to attach the device to an equally inexpensive drone device. There are currently more than 1 million drone devices legally operating in the U.S. today and the market for drone devices is predicted to get close to $100 billion by the end of 2020.”

Hacking with drones isn’t a new idea – but with the proliferation of drones on the market, concerns are increasing.  “Discussions around the vulnerability goes back many years,” Bruemmer says.  “It has heightened in recent years because of how easy drones are to obtain and the ease of using it for bad intent.  Last year, the US Department of Homeland Security reportedly warned about data security issues when using Chinese-made drones that were unknowingly stealing information while the user had no idea, according to CNET.”

“We’ve seen this Pineapple device used in a stationary situation, but with drones the hackers can be portable and it’s even harder to get caught.  A major hack hasn’t happened yet, but the potential is there.”

Phishing, Smishing, and Deepfakes

While tools like the Pineapple can be used to steal credit card and other personal information, they aren’t the only dangers out there for consumers.  “There are many different ways cybercriminals can penetrate systems and steal information,” says Bruemmer. 

“Phishing” is sending fake emails – but hackers have evolved the technique.  “In our 2020 industry forecast paper, we address a new technique called “smishing,” which are phishing attempts that are sent through SMS text.  This is especially relevant right now, for example, in an election year; as candidates build out online communities, a campaign page can be easily spoofed – soliciting donations via a fake email, and a “smishing” text message designed to look like it comes from a fellow campaign supporter can gain trust even faster,” Bruemmer explains.  “Signs of smishing scams are similar to the traditional phishing emails you may receive including misspelled words, poor grammar and requests for personal information such as your social security number, credit card or bank account information. A good rule of thumb is to refrain from responding to text messages from unknown senders.”

The Downside of Advances in Digital Images and Computer Vision

Fake videos or audio files are also evolving to scam consumers.  “The phrase deepfake was first coined by users on Reddit in 2017. The Artificial Intelligence–based technology was first developed in the mid-1990s as a result of academic research into computer vision, an interdisciplinary science that studies how computers can gain high-level understanding from digital images, allowing machines to perform visual tasks once left to humans. However, in recent years the technology has been used by amateurs and even cybercriminals for illicit purposes, including swapping the faces of celebrities into online pornographic videos.”

“This has already been used to steal money. In fact, last year Symantec, a major cybersecurity company, said it had seen three successful audio attacks on private companies. In each, a company’s “CEO” called a senior financial officer to request an urgent money transfer,” Bruemmer says.

How to Protect Yourself

Bruemmer says that consumers can reduce their risk by following some guidelines.

“In general, there are several good security practices consumers can follow,” Bruemmer recommends:

• Do not connect to public Wi-Fi.
• Only access safe and reputable websites with the SSL security certificate (the s in https://).
• Shredders are a smart way to destroy unneeded personal documents, like bank statements, so they don’t end up in the wrong hands.
• Consumers should also be weary of suspicious emails and avoid clicking any links that could be phishing scams.
• Password protecting devices and accounts can also help secure personal information, especially when it comes to a cell phone.
• Mobile technology provides access to sensitive information, so setting a unique password, and changing it regularly, can help keep that information protected. Enabling remote finding and wiping software, which tracks the phone or destroys data if the phone is lost or stolen, is an extra step that could ensure the safety of personal information.
• The risk of identity theft is also reduced by being careful about posting information, such as in social media.

Want more information? Check out this link to Experian’s Data Breach Industry Forecast.