Skip links

How Wi-Fi spy drones snooped on financial firm

Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.

The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe. Naomi Wu, a DIY tech enthusiast, demonstrated a related project called Screaming Fist in 2017. And in 2013, security researcher Samy Kamkar demonstrated his SkyJack drone, which used a Raspberry Pi to take over other drones via Wi-Fi.

Now these sort of attacks are actually taking place.

Greg Linares, a security researcher, recently recounted an incident that he said occurred over the summer at a US East Coast financial firm focused on private investment. He told The Register that he was not involved directly with the investigation but interacted with those involved as part of his work in the finance sector.

The Register corresponded with an individual affiliated with the affected company who corroborated Linares’s account and asked not to be identified owing to a non-disclosure agreement and employment concerns.

In a Twitter thread, Linares said the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company’s network.

This led the team to the roof, where a ‘modified DJI Matrice 600’ and a ‘modified DJI Phantom’ series were discovered

The company’s security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user’s MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.

“This led the team to the roof, where a ‘modified DJI Matrice 600’ and a ‘modified DJI Phantom’ series were discovered,” Linares explained.

The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building’s heating and ventilation system and appeared to be damaged but still operable.

“During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker’s credentials and Wi-Fi,” Linares said. “This data was later hard coded into the tools that were deployed with the Matrice.”

The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company

According to Linares, the tools on the drones were used to target the company’s internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he’s seen over the past two years.

“The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios),” Linares told The Register.

“This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures.”

Long-term problem comes to life

Linares said he had worked on a drone project in 2011 to test network attack capabilities and at the time, power, carry weight, and range were limiting factors.

“We revisited it again in 2015 and drone tech had come a long way,” he said. “Now in 2022 we are seeing really amazing drone advancements in power, range, and capabilities (for instance, the amazing synchronized drone shows that China puts out are utterly fantastic).”

“This paired with drone payload options getting smaller and more capable – e.g. Flipper Zero kit – … make viable attack packages that are reasonable to deploy,” said Linares. “Targets in fintech/crypto and supply chain or critical third-party software suppliers would make ideal targets for these attacks where an attacker can easily cover their initial operating costs with immediate financial gain or access to more lucrative targets.”

While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework.

“This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations,” he said.

Sophos senior threat researcher Sean Gallagher told The Register said the attack described is something people have done “warwalking” with Wi-Fi Pineapples or the equivalent.

“You bounce a user off the real network and try to get them to connect to your fake network,” he explained. “Honestly, unless there’s a very specific bit of targeting going on, this is very low on the threat modeling priority list for most organizations, especially when there are so many other ways to get network access without having a physical presence.”

Still, it might be worth checking the roof for parked or hovering drones now and again. ®