Physical proximity between attacker and target is required in most cyber-attack scenarios. If you watched the television show Mr. Robot, you are probably already familiar with this concept thanks to the misadventures of Elliot and friends. In real life, getting physical proximity to a target network can be difficult and risky, but now, thanks to inexpensive consumer drones, it’s gotten a little easier.
Student researchers Jinghui Toh and Hatib Muhammad, under the guidance of Yuval Elovici, head of iTrust, a cyber security research center at the Singapore University of Technology and Design, have developed an app for identifying and exploiting unsecured WiFi printers. When combined with an off-the-shelf DJI Phantom quadcopter, the Singapore research team demonstrated it is possible to target a specific floor of an office building and intercept documents being printed over WiFi. With a range of about 30 meters, a drone simply needs to carry an Android phone and hover outside of the building, near the window of the unsuspecting target office.
You might think that working on a secured floor in a 30-story office tower puts you out of reach of Wi-Fi hackers out to steal your confidential documents.
But researchers in Singapore have demonstrated how attackers using a drone plus a mobile phone could easily intercept documents sent to a seemingly inaccessible Wi-Fi printer. The method they devised is actually intended to help organizations determine cheaply and easily if they have vulnerable open Wi-Fi devices that can be accessed from the sky. But the same technique could also be used by corporate spies intent on economic espionage.
The drone is simply the transport used to ferry a mobile phone that contains two different apps the researchers designed. One, which they call Cybersecurity Patrol, detects open Wi-Fi printers and can be used for defensive purposes to uncover vulnerable devices and notify organizations that they’re open to attack. The second app performs the same detection activity, but for purposes of attack. Once it detects an open wireless printer, the app uses the phone to establish a fake access point that mimics the printer and intercept documents intended for the real device.
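A defensive audit in the spirit of the detection step described above, as an added example that is not the researchers' app: it takes Wi-Fi scan records and flags open networks that look like printers, plus any inventoried printer SSID advertised from a BSSID the inventory does not list. The scan records, the `KNOWN_PRINTERS` inventory and the SSID name heuristic are constructed assumptions.

```python
import re

# Constructed sample scan records (not captured data), one per access point seen.
SAMPLE_SCAN = [
    {"ssid": "CorpNet", "bssid": "02:00:00:00:00:01", "security": "WPA2"},
    {"ssid": "PRINTER-3F-EAST", "bssid": "02:00:00:00:00:02", "security": "OPEN"},
    {"ssid": "PRINTER-3F-EAST", "bssid": "02:00:00:00:00:03", "security": "OPEN"},
    {"ssid": "Inkjet-Setup-4C", "bssid": "02:00:00:00:00:04", "security": "OPEN"},
    {"ssid": "GuestWiFi", "bssid": "02:00:00:00:00:05", "security": "OPEN"},
]

# Assumed asset inventory: printer SSID -> BSSIDs the organization actually owns.
KNOWN_PRINTERS = {"PRINTER-3F-EAST": {"02:00:00:00:00:02"}}

# Assumed heuristic for spotting printers that are missing from the inventory.
PRINTER_HINT = re.compile(r"print|jet|mfp", re.IGNORECASE)


def audit(scan, inventory):
    """Return (issue, ssid, bssid) tuples for printer-related Wi-Fi exposure."""
    findings = []
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        is_open = ap["security"].upper() == "OPEN"
        known = inventory.get(ssid)
        if known is not None and bssid not in known:
            # A printer SSID we own, advertised by hardware we do not own:
            # consistent with an access point mimicking the printer.
            findings.append(("possible-mimic", ssid, bssid))
        elif is_open and (known is not None or PRINTER_HINT.search(ssid)):
            # Unauthenticated printer network, reachable by anyone in radio range.
            findings.append(("open-printer", ssid, bssid))
    return findings


if __name__ == "__main__":
    for issue, ssid, bssid in audit(SAMPLE_SCAN, KNOWN_PRINTERS):
        print(f"{issue:15} {ssid:18} {bssid}")
```

Closing the `open-printer` findings (disabling the printer's open Wi-Fi or requiring WPA2) removes the condition the interception depends on; the `possible-mimic` check only helps while the inventory is kept current.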
The following video shows two examples of the Android-phone-powered hack. The first example features a drone and the second features a robotic vacuum cleaner (think Roomba):
Cyber Security Patrol
How Attackers Can Use a Drone Carrying a Smartphone to Gain Access to Unsecured Wireless Printers. By Yuval Elovici, Toh Jing Hui, Muhammad Hatib at iTrust@SUTD
About the Singapore University of Technology and Design (SUTD)
The Singapore University of Technology and Design (SUTD) is the fourth autonomous university to be established in Singapore. SUTD’s mission is to advance knowledge and nurture technically grounded leaders and innovators to serve societal needs. At SUTD, design as a discipline cuts across the curriculum and provides a novel framework for the research and educational programmes.
SUTD undergraduate students are granted either a Bachelor of Engineering or a Bachelor of Science degree with a major in one of its four areas of focus, called “pillars”: Architecture and Sustainable Design (ASD), Engineering Product Development (EPD), Engineering Systems Design (ESD) or Information Systems and Technology Design (ISTD). It also offers an MIT–SUTD Dual master’s degree programme, a full-time programme leading to a degree from both MIT and SUTD. SUTD also offers Ph.D. degrees in each of its four pillars. SUTD is the only institution in Singapore apart from the Yale-NUS College to follow a holistic admissions process.