Drone Detection

The Story Plot

It’s a Sunday morning at 7AM. A 2018 Ford F150 parks along the side of the perimeter fence protecting the hydropower plant. The parked truck seems innocuous as it’s along the road passing the power plant, the same road 15,000 people travel on each day. In fact, no one seems to notice, as most people are still catching up on their sleep from the long work week.

The driver walks around the back of the truck and opens the tailgate. In the bed is a small consumer-size drone purchased online for under $200. He then takes out an iPad, powers on the drone, and pairs it with the iPad. Sitting in the truck bed, the driver (now drone pilot) flies the drone over the fence and around the back of the facility. Line of sight is not necessary, as the pilot can view the video feed as if he were sitting in the cockpit of the drone.

The drone approaches a sensitive portion of the facility where delivery containers are stored, as well as the emergency backup generators used in the event of a major plant failure. The power generated by this facility powers over 50,000 homes in the area, as well as a CDC remote facility, nearby Water Treatment Plant, a state prison, and local law enforcement.

As the pilot flies the drone closer, he obtains a close-up view of what he was looking for, the precise location of the power distribution bus and transformers, contained within a secondary fence. He additionally notes the manufacturer, model numbers, and other characteristics of this portion of the facility, including the perimeter cameras. Physical security doesn’t notice the activity, as the security cameras are pointed horizontally and downward towards the ground looking for unauthorized personnel or anything else nefarious. No one sees the drone flying overhead.

The driver flies the drone back to his truck, packs it up, and heads off into the morning sunrise, completely unnoticed and undetected by physical security, video security, or network security. With this intel, he and his team can plan to drop a small bomb at a later time to take the facility offline. This follow-up attack will also go unnoticed and undetected, and allow the attackers to move on to their next target while the staff at the current target are still trying to determine what happened, and by whom…

Detection of Radio Anomalies (Drones)

The capabilities exist today for your average person to conduct this exact type of spy mission. But what capabilities exist to detect such activity?

Drones such as this one emit radio frequency (RF) signals, commonly WiFi, though other RF protocols can certainly be used to control a drone as well. In this scenario the drone is controlled by an iPad. When the drone is powered on, it advertises an SSID, just like a regular access point. The iPad is then paired with the drone, which allows not only control but also viewing and recording of audio and video. As a result, the characteristics of this drone can be detected using RF surveillance.

802 Secure’s AirShield detects such activity by fundamentally detecting the RF transmissions to and from the drone. This is typical of some other solutions in the industry. But when performing detection or post-mortem forensics, customers want as much information as possible to identify the perpetrator. AirShield sees more than just the drone transmissions: it also identifies the specific make and model of the drone, the iPad used to control the drone, and the relevant MAC address(es). This provides important forensic information. While the drone might be detected in the vicinity of the building, the iPad can be detected along the perimeter fence line. By correlating this with video feeds or physical security observations, the power facility can get a view of the perpetrator as well.

In this fictitious story we also described a 2018 Ford F150. This truck, like many other new vehicles, includes built-in WiFi and/or Bluetooth. AirShield identifies these transmissions too, even when the vehicle is only broadcasting and not paired to anything. Furthermore, AirShield sees more than just a MAC address: it identifies the type of vehicle, another very important piece of forensic information. In the broader picture, perhaps a video feed caught a glimpse of the truck on the side of the fence or as it passed by the rest of the facility, maybe even the license plate.
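To make the detection logic concrete, here is an added example (not AirShield code or any 802 Secure product code) that triages constructed 802.11 sensor observations: it flags device classes that should never be in the facility’s air-space and ties the drone to its controller because the controller’s probe requests name the drone’s SSID. The OUI table, MACs, SSIDs and sensor names are all constructed placeholders, not real vendor assignments.

```python
"""Wireless anomaly triage for the drone scenario (added example, not AirShield code).

Each sensor reports 802.11 beacons and probe requests as small dicts. We classify
a transmitter by OUI (the first three MAC bytes), flag device classes that should
never be in the facility's air-space, and tie the drone to its controller because
the controller's probe requests name the drone's SSID. Every OUI, SSID and MAC
below is a constructed placeholder, not a real vendor assignment.
"""
from collections import defaultdict

# Constructed OUI -> (vendor, class). A real deployment uses the IEEE registry
# plus vendor-specific SSID patterns and information elements.
OUI_TABLE = {
    "02:aa:01": ("ExampleDrone", "drone"),
    "02:bb:02": ("ExampleTablet", "tablet"),
    "02:cc:03": ("ExampleAuto", "vehicle"),
    "02:dd:04": ("ExampleNet", "access_point"),
}
RISKY_CLASSES = {"drone", "vehicle"}  # never expected inside the perimeter

SAMPLE_FRAMES = [  # constructed observations from two sensors
    {"type": "beacon", "mac": "02:dd:04:00:00:01", "ssid": "PLANT-OPS", "sensor": "roof"},
    {"type": "beacon", "mac": "02:aa:01:12:34:56", "ssid": "DRONE-123456", "sensor": "roof"},
    {"type": "probe_req", "mac": "02:bb:02:9a:bc:de", "ssid": "DRONE-123456", "sensor": "fence-east"},
    {"type": "beacon", "mac": "02:cc:03:77:88:99", "ssid": "Truck-WiFi", "sensor": "fence-east"},
]

def classify(mac):
    """Map a MAC to (vendor, class) via its OUI; unknown OUIs stay unknown."""
    return OUI_TABLE.get(mac[:8].lower(), ("unknown", "unknown"))

def triage(frames):
    """Return (alerts, links): risky transmitters, and drone->controller pairs."""
    drone_ssids = {}                # SSID -> drone MAC beaconing it
    probes = defaultdict(dict)      # SSID -> {station MAC: sensor that heard it}
    alerts = []
    for f in frames:
        vendor, cls = classify(f["mac"])
        if f["type"] == "beacon":
            if cls in RISKY_CLASSES:
                alerts.append({"mac": f["mac"], "vendor": vendor, "class": cls,
                               "ssid": f["ssid"], "sensor": f["sensor"]})
            if cls == "drone":
                drone_ssids[f["ssid"]] = f["mac"]
        elif f["type"] == "probe_req" and f.get("ssid"):
            probes[f["ssid"]][f["mac"]] = f["sensor"]
    # A station probing for a drone's SSID is its likely controller; the sensor
    # that heard the probe tells physical security where to look for the pilot.
    links = [{"drone": dmac, "controller": sta, "controller_class": classify(sta)[1],
              "controller_seen_at": sensor}
             for ssid, dmac in drone_ssids.items()
             for sta, sensor in probes.get(ssid, {}).items()]
    return alerts, links

if __name__ == "__main__":
    for item in (a for group in triage(SAMPLE_FRAMES) for a in group):
        print(item)
```

The vehicle alert and the controller link both carry the `fence-east` sensor name, which is the cue to pull the matching perimeter camera footage.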

Detection, monitoring, and forensics encompass the analysis of the broader picture, correlating and understanding the who, what, when, where, and how. The more information the better, especially when protecting critical infrastructure such as a power facility on which so many people rely.

Garry Drummond Celebrates 15 Years of Professional Excellence

“PLEASANTON, CA, January 16, 2018 — Garry Drummond has been included in Marquis Who’s Who. As in all Marquis Who’s Who biographical volumes, individuals profiled are selected on the basis of current reference value. Factors such as position, noteworthy accomplishments, visibility, and prominence in a field are all taken into account during the selection process.

With 15 years of industry experience, Mr. Drummond has served as the founder and chief executive officer of 802 Secure, Inc. since 2014. In this position, he assists businesses in deploying and benefitting from wireless-enabled business processes and technologies. Prior to his current roles, he was a regional sales director for AirDefense (now Extreme Networks) from 2006 to 2014, and a regional sales director for nCircle Network Security (now Tripwire) from 1999 to 2005.

An expert in his field, Mr. Drummond is a certified wireless network professional, wireless security professional, and information system security professional. Throughout his career, he has been recognized many times for his contributions, earning Entrepreneur of the Year through CEO World Awards, and the Chief Executive Officer of the Year Award through the Global Excellence Awards. His company, 802 Secure, has also earned recognition as Company of the Year, Start-Up of the Year, and one of the Fastest Growing Security Companies. In the near future, Mr. Drummond hopes that his company continues to thrive, and he intends to lead his team into new areas of technology that will prevent cyber crime. 802 Secure is an enterprise IoT wireless network security company. Over the last 36 months, Garry has bootstrapped his Silicon Valley garage start-up to become one of the market leaders in detecting and assessing wireless risk across the broader RF spectrum using software defined radios and big data analytics.

About Marquis Who’s Who:
Since 1899, when A. N. Marquis printed the First Edition of Who’s Who in America, Marquis Who’s Who has chronicled the lives of the most accomplished individuals and innovators from every significant field of endeavor, including politics, business, medicine, law, education, art, religion and entertainment. Today, Who’s Who in America remains an essential biographical source for thousands of researchers, journalists, librarians and executive search firms around the world. Marquis publications may be visited at the official Marquis Who’s Who website at www.marquiswhoswho.com.”

The Internet of (Invisible) Things


Whether you embrace it or not, IoT devices are infiltrating your organization. Many of these devices are not plugged into the network, but rather connected wirelessly directly through your WiFi or connected through other wireless devices via a wireless bridge or gateway. For those who have embraced IoT, the landscape has been littered with vulnerabilities ranging from insulin pumps that could lead to overdose or pacemakers that can disrupt a patient’s heartbeat; to breaches at a government agency and manufacturing plant through IoT-enabled thermostats.

All of these radio frequency (RF) enabled devices present a new threat landscape to every organization. If someone adjusted the heat to 80 degrees or turned it off altogether during the winter at a location in Michigan, the results could be catastrophic to the business: buildings and their computer systems would overheat, or water lines would freeze and burst. In the case of medical devices, many of these IoT devices have autonomous capabilities, extending the organization’s exposure from on-network risks to off-network risks, and truly impacting lives.

This Internet of (Invisible) Things requires a new approach to network security. But with any new security approach, a thorough understanding of what devices and risks we’re looking for is required. Here’s a list of common IoT and IIoT (Industrial Internet of Things) devices to help you get started:

  • Examples of IoT devices that may be on your network:
    • Thermostats, wireless printers, HVAC, surveillance cameras, production flow sensors, PLCs, temperature sensors, inventory monitoring, manufacturing equipment failure monitoring, SmartTVs, theft tampering sensors, smart bulbs, location sensors, health monitoring and maintenance devices, smart home assistants (Alexa, Google Assistant, etc.)
  • Examples of risky IoT devices not on your network (but in your air-space):
    • Drones, spy cameras (fake cellphone chargers, clocks, etc.), audio recording devices (bugs), WiFi Pineapples, WiFi hotspots, third-party vendor monitoring tools

Most organizations lack wireless security monitoring, creating a blind spot when attempting to identify these IoT devices. Some may have wireless intrusion detection as an extension of their wireless LAN, but few use it or find the information actionable. IoT further complicates security monitoring as more of these wireless devices communicate over non-WiFi protocols or frequencies, such as Z-Wave, Zigbee, LoRa, SigFox, and many more. A WiFi monitoring tool simply cannot see these other devices or transmissions, whereas a Software Defined Radio (SDR) can provide broad coverage across many frequencies and protocols.

Whether your organization has embraced IoT or not, identifying and mitigating these risks is essential to protecting your business. Here are some suggestions for fortifying your organization:

  • Perform ongoing 24/7 monitoring of the IoT assets in your environment across IoT protocols and frequencies, and categorize these devices by device type for clear indications of approved assets vs. rogue or risky devices.
  • Segment your IoT networks from the corporate network to limit damage when an attack or malware infestation occurs.
  • Monitor the security posture of the approved IoT assets to identify misconfigured or malware-infected devices. IoT malware variants such as Mirai enable insecure services such as telnet or ftp, changing the characteristics and security posture of the device. Monitoring the security posture of your IoT or IIoT devices can provide early warning signs of an infestation and allow a quick response to quarantine the threat before it spreads.
  • Detect attacks on the wireless and IoT infrastructure before a breach occurs. Advances in Artificial Intelligence and Machine Learning can flag anomalies when they occur, whether they are an attack, a newly misconfigured device, or simply a new IoT device connected to the wireless network.
  • Automate threat mitigation through wireless IoT deceptive networking and termination to fortify your defense-in-depth strategy. A deceptive network can lure attackers into a low-hanging-fruit network, allowing the solution to fingerprint the attackers and enhance your blacklisting and blocking capabilities through APIs, SIEMs, and reporting.
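The posture-monitoring step above can be reduced to a baseline comparison. The following is an added example, not 802 Secure code, that assumes posture is observed as the set of open service ports on each approved device (a constructed baseline and a constructed scan result): a device that newly exposes telnet or ftp, as Mirai-style infections do, gets a high-severity alert, while benign drift and never-seen devices are graded lower.

```python
"""Posture-drift check for approved IoT assets (added example, not 802 Secure code).

Mirai-style infections turn on services the device did not have before (telnet,
ftp). We keep a per-device baseline of expected open services, compare each new
observation against it, and alert when an approved device grows a risky service,
shows any other drift, or when an unknown device appears in the IoT segment.
All MACs, device types and port observations below are constructed.
"""
SERVICE_PORTS = {21: "ftp", 23: "telnet", 80: "http", 443: "https",
                 554: "rtsp", 9100: "jetdirect"}
RISKY_SERVICES = {"telnet", "ftp"}   # services Mirai-class malware enables

# Constructed baseline: approved device MAC -> (device type, expected open ports)
BASELINE = {
    "02:01:00:00:00:01": ("ip-camera", {80, 554}),
    "02:01:00:00:00:02": ("thermostat", {443}),
    "02:01:00:00:00:03": ("printer", {80, 443, 9100}),
}

SAMPLE_SCAN = {  # constructed observation: device MAC -> observed open ports
    "02:01:00:00:00:01": {80, 554, 23},   # camera now answers on telnet
    "02:01:00:00:00:02": {443},           # unchanged
    "02:01:00:00:00:03": {80, 9100},      # https no longer open: benign drift
    "02:01:00:00:00:09": {80, 23},        # never seen before
}

def names(ports):
    """Translate a set of ports to sorted service names (unknown ports as strings)."""
    return sorted(SERVICE_PORTS.get(p, str(p)) for p in ports)

def evaluate(scan, baseline):
    """Compare a scan to the baseline; return alerts as dicts with mac/severity/reason."""
    alerts = []
    for mac, ports in scan.items():
        if mac not in baseline:
            alerts.append({"mac": mac, "severity": "medium",
                           "reason": "unknown device in IoT segment", "services": names(ports)})
            continue
        dev_type, expected = baseline[mac]
        new, gone = set(names(ports - expected)), set(names(expected - ports))
        if new & RISKY_SERVICES:   # the Mirai signature: insecure service switched on
            alerts.append({"mac": mac, "severity": "high",
                           "reason": f"{dev_type} enabled {sorted(new & RISKY_SERVICES)}; "
                                     "possible IoT malware, quarantine candidate"})
        elif new:
            alerts.append({"mac": mac, "severity": "medium",
                           "reason": f"{dev_type} exposes new services {sorted(new)}"})
        elif gone:
            alerts.append({"mac": mac, "severity": "low",
                           "reason": f"{dev_type} stopped offering {sorted(gone)}"})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_SCAN, BASELINE):
        print(alert["severity"].upper(), alert["mac"], alert["reason"])
```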

Employing this IoT security defense-in-depth strategy allows your organization to fortify your network without extensive network integration and brings transparency to the Internet of (Invisible) Things. Additionally, it moves your defense model from reactive to proactive. If an IoT threat or attack is identified on the wired network, it’s already too late and post-mortem; the bigger question is how long it has been there and how much data has been breached. Most of us would prefer to identify an intruder outside rather than inside the house. Proper wireless monitoring puts you in a more proactive stance and at the heart of wirelessly-enabled IoT.

802 Secure to present at DEF CON 25


Researchers from 802 Secure, Inc. will be presenting three topics at the worldwide DEF CON 25 conference in Las Vegas. The topics range from Artificial Intelligence and Machine Learning to IoT protocol analysis and exploitation.

The following is a list of the sessions at DEF CON 25:

  • Catch me leaking your data … if you can.. – Saturday, July 29th, 11:00AM PST – https://skytalks.info/
  • A picture is worth a thousand words, literally – Saturday, July 29th, 1:00PM PST – https://defcon.org/html/defcon-25/dc-25-speakers.html
  • Modern day CoverTCP, with a twist – Saturday, July 29th, 2:10PM PST – https://www.wallofsheep.com/pages/dc25