HK’s drone jammer highlights complexity of IoT security

drones IoT security
One hundred LED drones form clinking wine glasses to celebrate the 10th anniversary of the CCB (Asia) Hong Kong Wine & Dine Festival in Hong Kong on opening night, October 25, 2018 Image credit: Chung Sung-Jun/Getty Images for Hong Kong Tourism Board

A HK festival canceled a drone performance after dozens of drones failed due to GPS jamming. The bigger lesson: IoT security is really, really complicated.

ITEM: The Hong Kong Wine & Dine Festival canceled a scheduled drone display performance on Sunday after dozens of drones plummeted into Victoria Harbour the previous night.

The drone display – which features 100 drones synced together to form LED light patterns in the night sky – went wrong on Saturday night after 40 of the drones went out of control and dropped into the harbour. Luckily, no one was hurt. The police are investigating, but have already ruled out hacking, reports the South China Morning Post:

“They [the police] were here all night working with us, and our vendor, and looking into all sorts of possibilities, and have come to the conclusion that it is not computer hacking,” Lau explained. “It is because someone jammed the GPS signal.”

If you’re wondering how easy it is for someone to jam a GPS signal in the first place, the answer is: pretty easy. GPS jamming devices – which work by broadcasting noise on the same radio frequency the GPS satellite system uses – have become something of a cottage industry in the last few years, and not just for messing with drones, according to Gizmodo. People have been known to use GPS jammers for things like dodging highway tolls, disabling tracking abilities on company cars, and even cheating at Pokemon Go.

Meanwhile, as drones become more popular (and potentially more invasive to privacy, since drones can carry HD video cameras) GPS jammers have become a way for people to prevent drones from flying over their property without resorting to gunfire. (Ironically, the latter is legal – at least in the US state of Kentucky – while GPS jammers aren’t legal anywhere in the US.)

They’re not legal in Hong Kong either, for that matter, but GPS jammers are reportedly easy to buy online, particularly in China, where many of them are made.

The HK drone jamming story highlights a couple of important issues, the first being that it doesn’t matter how robust drone network security is if you can knock them out of the sky or inhibit their movement with a cheap device you can buy online. With drones being a big part of the 5G/IoT narrative, that’s something we should be keeping firmly in mind.

The second, of course, is that the GPS system itself is becoming increasingly vulnerable to jamming and spoofing and other kinds of attacks as those attacks become more sophisticated.

There are countermeasures for such attacks – such as encrypted communications and array antennas – but in the case of the GPS system, those are reserved for military use, not civilian use. Even the EU’s Galileo system – which started operations in 2016, and is scheduled to achieve global coverage in 2020 – only made anti-spoofing technology available to civilians last year.

As it happens, the US Defense Department – which is painfully aware that its GPS system is essentially a single point of failure, in security terms – has been busy working to modernize the GPS, while DARPA has also been looking at alternative PNT (position, navigation, and timing) technologies that can serve as a GPS backup.

As this Wired report in March points out, there’s a lot more at stake here than making sure pranksters don’t hijack drone light displays:

… GPS satellites don’t just enable location and navigation services: They also give ultra-accurate timing measurements to utility grid operators, stock exchanges, data centers, and cell networks. To mess them up is to mess those up.

Obviously, messing them up isn’t nearly as easy as knocking out a dancing light drone, otherwise we probably would have seen massive GPS-related infrastructural failures years ago. The point is that as we move to a world where every ‘thing’ is connected, security becomes paramount, and we’ve already seen that the ‘things’ of the IoT have serious security issues that can enable devastating botnet attacks, among other things.

And as Hong Kong’s mysterious drone jammer just demonstrated, the security issues aren’t limited to encryption, firewalls and the like – even a GPS signal can be a weak link in the security chain.

Be the first to comment

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.