Questioning the Evidence: Are Drones an Emerging Threat?

Sometimes there are more there are tens of thousands of drone incidents occurring. It's very difficult to fit them all onto one page but this is really just to give an idea of what that is whether they're aircraft near misses, whether they're collisions with vehicles or humans, whether they're cartels and gangs smuggling contraband over borders, or whether they're prison drops.

There are many different ways of utilizing UAS. Some of the squirrely ones are using them for assassination attempts all the way to really tricky things like dropping incendiary devices for arson and things like that. So, there's lots here and what we'll do is we'll kick off with maybe a section on prison contraband and then we'll pause, and we'll discuss it between the three of us and keep moving on as to why that's important.

So, regarding prison contraband, something interesting that we've seen is the delivery of equipment to prison. We have seen things like loaded firearms and shifts and hacksaws and different engineering tools to try and aid inmate escapes. And this has occurred quite often. We're seeing hacksaws delivered to lower security prisons. That's something that's come up before. We've also seen UAS that are designed to look like police drones where they'll put on police stickers and vinyl. They'll have a uniformed officers turn up and deploy that drone just to try and mask what they're doing and try and play it off like they're meant to be there.

Of course, the heavy lift systems are less likely to be used in the prison setting, but we're still seeing that happening - especially in countries where there's less focus on that. Being able to prevent the inmates from getting into a yard and grabbing a very large package delivered by a drone is critical. We're seeing a lot of camouflage in relation to concealing those payloads.  So, everything from a paper mâché rock to try and make it look like a rock in the field to using fake turf and grass with the contraband underneath it, or dropping it as what looks like litter in milk cartons and things like that - making sure their payload delivery isn't found by prison guards and instead found by the right inmate.

We're seeing a range of hardware and software modifications [to the drones]. So, everything from signal boosters to make sure they can fly their drone from further away to potentially using things like autos to bypass those prisons where they know there are error scopes and use or systems that only pick up DJI.

And then we're seeing things like fishing drones. So, being able to fly at nighttime. During all-weather events when it's raining times, you wouldn't really normally expect a UAS be there by the window. Those are some of the unique things we're seeing apart from just prison drops. But keep in mind these drops are happening all the time. And the baseline is still possible using simple DJI equipment. 

David Lewin:

Mike, good comment. You were saying that it's pretty easy to hack the drone or make it be able to bypass some of the different, ways, measures of trying to lock it out of flying over a certain area.

What does that look like? And secondly, that seems to be what a lot of people are falling back on. Is there like remote ID in the U. S. is going to be required, is now required. And, they feel like, Hey, everyone's just going to be compliant and follow these rules. And these rules are going to make it So, you can't, eventually So, that you physically can't fly pass into a no-fly zone over an airport or a prison.

Do you have any more information on that? 

Mike Monnik:

I won't name the particular vendors, but it's very easy to be able to find and the ability to modify those altitude limits to have more power and speed for your system. And to just remove or bypass the geofences is very easy. It's been done for many years by many different hobbyists and modding groups. So, that's something that happens today just as easily. They can hide their drone ID, they can try to spoof their GPS, make their drone or the operator appear to be flying from a different location.

It's very basic and it's very well known in some of those drone hobbyist groups. So, I'd go as far as saying, outside of those that don't necessarily always fly drones, it's common knowledge. And it's one of those TDPs that just allow them to bypass some of those really baseline countermeasures.

David Lewin:

Interesting. And Chris, if you have any comments on that as well, I'm curious what you're seeing if this is readily available and proliferating in your world or if this is really super advanced. 

Christopher Church:

Most of the technology being used to bypass systems you can learn this on YouTube. You can learn this across forums. And we see this more and more nowadays. YouTube is one of the best universities to be a criminal or to learn how criminals are doing their work. And then obviously if you get more into it, you can go to forums which tell you. And the stuff is easily brought across Amazon, across AliExpress and places like that.

And you don't need a high degree of knowledge to be able to do this. You just need to be easy to engineer things, solder things together, or just put things together to be able to adapt your drone to what you need. And just going back to the prison drops and stuff, this isn't organized gangs doing this.

This isn't just some random person deciding I'm going to fly a drone in and drop a hacksaw or blade or drop Some illicit goods into a prison we've seen in a lot of member countries This is again that go from prison to prison across the country on a weekly basis dropping the same Contraband into prisons and a lot of time it's been ordered Through the prison system, inmates place their order through a system and then they drop the drone with the content in, they drop the drone in, someone picks up the content, and it can be disguised as a rock or as an empty milk carton, but a lot of time it's just wrapped up in a plastic bag, they just slide the bag over, drop the bag into the prison yard and job done and it's an organized gangs doing this isn't just some random person deciding, I think I'm going to drop something into a prison today.

And the problem that we are struggling with is the prisons are generally they don't have the same [security] funding streams. They don't have the same technology and they don't have the solutions. So, we're currently working with a couple of countries where we know the drone drops into prisons is a problem to see how we can level up that interest and how we can level up that capability.

And that's by educating them what CUS systems can do, what they can't do, what they detect and what they don't detect. And it's a very long process, but we are starting the process because we understand prisons have been very under resourced in this area, but we also like to promote the use of when you do get a drone and you do capture it, either it's crashed or you knock it out of the sky, which some countries use for forensics because the forensics will really create a picture for you. 

YouTube is one of the best universities to be a criminal. Or to learn how criminals are doing their work. …And you don't need a high degree of knowledge to be able to do this. You just need to be easy to engineer things, solder things together, or just put things together to be able to adapt your drone to what you need.

Mike Monnik:

No, that's a really interesting insight Chris. And I think you would have a much better idea how forensics has been attributed with finding a lot of these groups because they're able to go through and look at the footage and see the home point. The actual home location where they kept filming or put that on the SD card or there was GPS lap long information. Forensics should be a part of every SOP for prisons. 

David Lewin:

You almost have to assume that bad actors are assuming that their drones are not gonna get caught - which is their, their oversight. But at the same time, they have the upper hand at the moment because most of the time their drones aren't getting cut. Or I don't know if you guys agree with that, but why would they keep a video of themselves flying from their home on the SD card or, whatever not figure out a way to hacking and remove some of the metadata around where that drones come from and gone?

Mike Monnik:

Yeah, I'd say there’s a lot of the chatter around using anti forensics or intentionally scrubbing the drone, removing the ID or the serial number, removing the SD card, and maybe even sometimes removing the cameras.

Is not necessarily super popular, it's not talked about as something they need right now. I'd say it's more if you were looking at a critical infrastructure type of disruption where they really wanted to get away with it and then knew there was some large charges behind it. There's been incidents where there's been 15 drones at a time over a single prison and there's been single drones that have been attributed to up to 80 flights to different prisons in different areas. So, you're looking at a lot of drones over the sky.

There are stores on SnapChat where you put in an order, 450 USD for that drop. Sometimes you will pay or provide your own contraband. Sometimes they have the contraband already prepared. And with that, the relative to the inmate or the person getting the drop in there is now disconnected from the threat. The drone pilot who is taking the service or the payment for the service conducts that drop. And what we're seeing in some cases is there's really mature logistic hubs. They have airport hangars where they're basing the operation out of, and they're doing multiple flights to prisons in a certain radius and making sure that they've got cell phones at the ready, SIM cards at the ready, contraband, things like that.

We won't go too much into detail of those, and I'm happy to talk about that more on one with people or in a closed forum. But as Chris said, they're moving to large groups up to 80 to 150 people involved in large drone contraband delivery efforts. 

David Lewin:

We just saw that in Fulton County, Georgia, recently here in the US where they got a massive network uncovered that, was made up of even local shop owners and everything who were involved repair, drone repair shops and such.

Yeah, that's one thing that I think is interesting from the detection standpoint. Whether radar or RF or camera or whatever sensors being used to detect a drone coming in it, a lot of folks want to mitigate, they want the ability to be able to knock the drone down, stop it, collect it. And yet especially in the U S, and I'm sure in certain other countries, it's very prohibited from a legal standpoint for a state local prison to physically mitigate a drone. However, I just think an interesting point is that. Uncovering this network of people involved is probably more, should probably be more of the end goal than stopping that individual delivery.

Therefore, allowing the drone to leave the premises, tracking it, looking back at the radar geo data points, or the camera footage, or the other elements helps to be able to start getting that pattern of life and to get law enforcement involved and obtain physical evidence to start building that bigger case and then eventually uncover the whole gang involved.

Remote ID does work but it's voluntary and if you're a criminal, why are you going to register your drone?

Mike Monnik:

Yeah, absolutely. I think I can just highlight something on that in relation to where they're flying the drones from. So, at one point we saw there was a number of apprehensions where people were on the side of the road or they were in an open field and they were launching the drones from, somewhere where they could then provide the contraband drop either to the yard or a window. And now we're seeing threat actors that are renting private residences or they're trading currency or, even narcotics, in exchange for being able to launch their systems from someone's backyard - whether or not they tell them it's for a real estate shoot or for a contraband delivery that's, in the details. But it just means that they’ve moved away from the road so they're not able to be seen by prison offices or local law enforcement driving their vehicles down those main roads where they could be stopped. They’re coming up with new ways to hide even their launch and land locations as they realize that's been a major bottleneck for some of these operations when they get caught. So, that's a pretty interesting one to us.

I'll play this video for you. But for example, in Ecuador, hopefully you can see this play, there's been firearm delivery, there's been cell phones, narcotics. And in this case, there was a large heavy lift or agricultural drone that had a detonation charge below it. It attempted to blow open the roof in order to allow one of the criminal leaders to actually escape the prison. So, you can see here, the law enforcement actually got involved and detonated it themselves because the charge failed to go off. They still had to detonate it, but it just goes to show the efforts they go to at trying to help inmates escape.

And we've said a similar thing about heavy lift systems potentially lifting people out. We're forecasting in the next six to 18 months that we'll see that happen. Large heavy lift drones picking someone out of a prison and flying away with them. It is a reality given that the weights and sizes now that drones can pick up. This just goes to show the operations are going to go from what we think are just contraband delivery to recognizing what they can do with some of these systems.

Christopher Church:

I think the biggest issue that we face is when you talk about prisons and law enforcement, there tend to be two different departments dealing with the prisons and obviously then the police. And one of the biggest issues we are seeing in member countries of Interpol is they don't even have a drone threat reporting structure established. Even in the U. S. you have the TSA, you have DHS, you have your local, your regional, and your borough departments. And there doesn't, there's, at the moment, in a lot of countries, there's not a joined-up drone threat reporting structure to understand.

Is this just a localized incident, or is this more of a regional problem? Or is this more of a national problem? We have seen one member country really get on top of this and they publish a drone threat report every two weeks, which is really interesting to read. And you can start to see the dynamics change over time of how people are going to use drones to commit crime or to facilitate crime.

But we're trying to push member countries to have some kind of threat reporting structure in place where everyone knows what should be recorded when a drone is being recorded as a threat, and what should be recorded and where that needs to be shared. You not just only have the law enforcement, you also, have the Federal Aviation Authority which need to know because they may be the ones responsible to try and enforce the airspace rules because police and the aviation authorities seem to want to work together to try and enforce the airspace, the secure airspace, but it's still a bit of an issue in many countries.

So, I just want to highlight the fact that if you, as a user in law enforcement, do not have a threat reporting structure in place to record these threats, then you're way behind the wave. You're right of the curve and you need to get ahead and obviously we're here to help countries do that and we can give you prime examples of what you should record and how you should record it. And that makes the DroneSec platform amazing is to see the trends that are happening within drones, but we're seeing it just grow exponentially.

And remote ID does work but it's voluntary and if you're a criminal, why are you going to register your drone? It doesn't work for that, and if you are registering, they tend to use someone else's name and address. And the reason why criminals aren't afraid of recording data on drones is because as soon as you switch a drone on, it's recording data, So, you don't have a choice. DGI drone is recording, 1800 data points every quarter of a second. And for you to then go in and change what that drone is doing, it requires some technical expertise. So, when we do come across a drone that's been altered in terms of what it's recording, how it's recording, you know you're dealing with someone a bit more special than just a hobbyist drone user.

…A lot of people are waiting for that black swan event to happen to in order to enact change. And I think what you'll often find is if they started cataloging their threat incidents and merging them together and having a really good look at what's already happening, it probably would be enough ammunition to get some real change done…. and if you're not tracking that already, you are behind the curve and threat actors already 10 steps ahead. 

Mike Monnik:

I agree and also want to challenge what Chris said there, which is a lot of people are waiting for that black swan event to happen to in order to enact change. And I think what you'll often find is if they started cataloging their threat incidents and merging them together and having a really good look at what's already happening, it probably would be enough ammunition to get some real change done.

So, it's more about what they don't know is already happening. Rather than just waiting for the black swan event, and sometimes it can be stove piping of information as to what different agencies or law enforcement groups agree on what is a threat and how to report that. And I think that standardization is important. Rather than thinking about what kind of metadata should we catalog, it’s more about “let's just get this all-in-one place and start looking at it.” Hence why Drone Sec has had to in some cases take the lead just from a private partnership to be able to say let's kick it off and start it for you so you can get an idea of what's happening Not just in your own country.

And I think if you're in law enforcement and if you're not tracking that already, you are behind the curve and threat actors already 10 steps ahead. 

David Lewin:

Totally. I think if we can springboard pretty easily from there into the conversation around electric utilities and the emerging threat of drones to critical infrastructure in general, but electric utilities are in a funny spot, especially in the US, with their compliances for perimeter intrusion detection per NERC SIP. As far as I know, there's not a requirement to detect or protect what's going on in the air as much as there is on the ground.

However, there's a pretty strong sense of “hey, we're not allowed to do anything about it if we see it. So, why would we want to see it?” Maybe they feel like they're introducing themselves to risk or just the financial, priorities.

At their sites, or very similar sites in similar areas, they ask if there actual evidence or data that says this has happened repeatedly. They are also concerned about gunshots taking down substations. Extra hardened ballistic fences that are super expensive around all these substations are going to be obsolete in an instance if those actors begin to pivot like drone operators do. Are drone threats just this wild scenario – like van full of explosives or drivers with shotguns - or is it more concrete than that?

[At utilities sites], drones extended the ability to be able to infiltrate a compound, or alternatively, …to be able to drop something.

Mike Monnik:

I can provide a perspective here and then I'd love to hear what Chris thinks on this. I think hostile vehicle mitigation, as you explained, has a place in time and they're always going to need to protect against that. In my background, I was a red team operation operator where was to try and break into substations and electric power facilities. We started using drones again and again because they were just so easy to evade guards, fly over walls, evade CCTV.

Drones extended our abilities to be able to infiltrate a compound, or alternatively, you could use that drone to be able to drop something. I'm going to show you one or two slides on what we're seeing here. And I'm specifically not going to show anything specifically domestic here just because this is a public forum, but to give you an example for example, in Myanmar there is a heavy use of drones.

It is, if not potentially the second largest use of drone warfare or attacking different targets - after Ukraine - and it has been going for quite some time. They use fixed wing systems, hexacopters, octocopters, different types of drones for different target types and critical infrastructure is one of those that they consistently go after.

And it's really interesting to look at how this works, right? You've got heavy lift drones. Often they'll have between six to 10 payloads each. Sometimes I'll have a heavier munition on it and try to focus on taking out power stations or substations either for a subsequent night operation where they have on ground or on foot militia. Then, when the town or the whole district is in darkness, they're focusing on taking out powerful weapons factories or for factories that are producing things for enemy military operations. They're able to launch these from quite a bit of distance away. And that simply means that, they're able to keep doing this without threat of retaliation, or at least, within the construct of conflict. A specific incident just recently in April where 38 bomblets were dropped from just four heavy lift UAS onto a power station. Almost 10 payloads each that they're doing comprehensive destruction or damage to that facility We're not just talking about a single drop, right? The other thing is that they're often using multiple drones to be able to film and use that for propaganda use cases and be able to share it to their followers and make the enemy or the adversary kind of shaking their boots. Sometimes they'll even share the flight logs and the footage of this to show how they conduct those attacks.

So, where before we try to look for open areas where someone might launch a drone from you also need to be aware of, and have detection for, all of those non-menacing flights that may have seemed like hobbyists but in reality could be people just probing those defenses and seeing what's there for the real attack.

And if you were just to simply catalog these, which is what we do, and have a look at what those similarities are how they usually fly directly over to do those drops, things like that. You can learn a lot from it. But that's one of the key parts about Myanmar. The other thing is just in relation to how people are practicing and being able to target practice with this. There was an example where four men were identifying themselves as police officers and they had drones with small little water bottles under them. And they were simply flying these drones in this church area for some time until they were challenged as to why they were there. And they quickly escaped the area. If you look on Google Maps as to the location of that church, it's just over the border fence of an electric power plant there. You have just a really close ability for them to potentially drop bombs. Fake bomblets or munitions in the form of water bottles, empty water bottles, or even those that just will be able to demonstrate where that drop would occur. If there is any reaction from the power plant and whether they send, guards after them, or if there was a countermeasure that disrupted their drones frequencies, those are the types of things they're potentially looking at right now and trying to gauge.

So, where before we try to look for open areas where someone might launch a drone from you also need to be aware of, and have detection for, all of those non-menacing flights that may have seemed like hobbyists but in reality could be people just probing those defenses and seeing what's there for the real attack.

Christopher Church:

What we see is Critical Infrastructure, right now, is that they’re getting their act together on this. They are trying to do the same as what the airports are doing, what prisons are doing, by trying to bring everyone together to understand the threat. Again, this is threat reporting. However, as you say, we see people run sorties into Critical Infrastructure first to test to see if there is a response- to see am I going to be chased down by a guard or a patrolling officer? And then if I fly a drone into an area, is it going to be mitigated or is it going to be detected? And they do a lot of this to see if it's, if there is going to be a challenge to them.

But then, when we then talk about cUAS systems, when we talk about installing cUAS systems into Utilities into airports at the moment. And as soon as you start to introduce drones which do frequency hopping or drones that run across four or 5G, this presents real challenges for the cUAS detection systems. The thinking is we have to have a multi-tiered solution, long, short and mid-range solutions to be able to do that detection, tracking, identification. And at the moment. I can't see many places being able to facilitate such use because it is such a high cost and it is a high demand on personnel because when we do see cUAS testing as part of the European Union Project Courageous, we have the people who build the cUAS systems at the screens for eight hours a day, changing codes and making it work more efficient.

In some cases, cUAS systems are in place and security personnel see a drone in the air and the system is not alerting them to that the drone's in the air because the drone is running across 4G, 5G. There is this disparity of what's real world and what's theoretical. And the problem is we, as part of the Interpol Project Courageous team, we're trying to bring those two worlds together because the CUS community is very passionate about doing the right thing. But the problem is they always think about the worst scenario, the worst technology, the most advanced technology possible.

When most people doing these attacks just doing very simple things to enable them to do this work. So, when we talk about geofencing, it's very easy to trick the drone to think it's somewhere else in the world to allow you to fly in an area where it shouldn't be flying. And then, as soon as you start to add autopilots, where you plan the flight path and you just throw it and launch it, or you're powering it across 4 or 5G, it's a never ending challenge for everyone to try and combat.

In some cases, [RF detection-centric] cUAS systems are in place and security personnel see a drone in the air and the system is not alerting them to that the drone's in the air because the drone is running across 4G, 5G. …There is this disparity of what's real world and what's theoretical. And the problem is we, as part of the Interpol Project Courageous team, we're trying to bring those two worlds together. They [security risk assessment] always thinks about the worst scenario, the worst technology, the most advanced technology possible - when most people doing these attacks just doing very simple things to enable them to do this work.

And I think this is a huge challenge for us, but only by everyone working together and coming together to combat this issue can it really be solved. And we're trying to do this. But, I hate to think how many cUAS tests there are going on in the world at any one time - I would guarantee there's probably 20 to 40 tests. Or for law enforcement because everyone has different test plans. Everyone has different testing scenarios.

And when we did red and blue teaming for the World Cup in Qatar, we knew It would be possible to get a drone into the stadium if we wanted to, but we didn't want to because the point of doing the red and blue teaming was to build the muscle of the response team to give them the confidence that they could respond to a drone in the air. They could do what they needed to do to get rid of that drone out of the airspace and this is what we achieved, and we were able to. It compromised their response protocols so instead of having to radio permission to bring the drone down or jam it, they were just able to do it. There and then, and this is sometimes the issue is that the theory doesn't match real life.

A lot of our work is bringing the real-life theory together and trying to find the best way possible. Let me just go to a couple of slides. Obviously, this is the kinds of threats you have. If you're dealing with compliant, you have no problem. If you have careless, they may be a bit risky, but they probably won't do anything. Most of them tend to be clueless or uninhibited, and they tend to make up 60 to 80 percent of your drone threat. But then when you get to the criminal and terroristic side, this is where you need to really take note.

We keep it very simple. This is the drone paradigm for Interpol. We're looking at drones as tool, threat and evidence, and obviously we're talking about the threat. And to be fair, when we started to look at the threat, we didn't want to look at countermeasures to start with, but then someone decided one of our member countries wanted us to do airport cUAS testing, which we did in Norway. And it's still one of the only publicized and publicly available testing regimes out there. I won't play that, but this is the curve that we're talking about. Obviously, if you look at the risk, you have the crazy, the clueless, the careless, the compliant, but then when you get into the criminal combatant, you can see raises and the adversity challenge becomes even more.

But then when you get to the criminal law and the combatant, you need to have that defense, which is delayed detection and defeat mechanisms. But as you say, in the U.S., there are very few entities that can bring a drone down once it's in the air. And this is why criminals are brazen, they know once my drone is in the air, unless I have The FBI or DHS in the area, no one's going to interfere with my drone because it's under federal laws.

And how do you stop a drone? I love this slide. You can have an eagle, you can have a jammer, and that gun, I'm not sure, it's not going to play, unfortunately. So, you can have an eagle, So, the Dutch did Eagles, where they used eagles to catch drones, but unfortunately the welfare of the animal was more of a problem. You can use a net gun, but I would say if you're using a net gun, by the time you get the gun out and you fire it at the drone, you're probably going to be in the line of explosion if there is an explosive attached to that drone. You could jam it, but then if you jam, what else are you jamming? And then you can have another drone with a net. That's a very expensive solution to a very simple solution. This is why we're trying to educate and inform law enforcement that this is great neutralization, but it's your last resort. There are other ways by having response teams. And if you have a cUAS system, you should be able to detect, track and identify the drone and the home point, and then try and find the pilot.

So, you send a response team out for that. But there is no silver bullet. So, you it's an ever-evolving landscape. You need to always remember that you may buy the state of the art system today, but tomorrow it may not be state of the art. And the drone threat is always evolving because a lot of drone countermeasures rely on libraries, signal libraries.

And So, a lot of the signal libraries are dependent on the companies finding the drones that are being used and then recording those signals and putting into the library of detection. So, there's always that. Cat and mouse game. I'm not sure if it's the same. Yeah, see there's the cat and [00:38:00] mouse game.

So, you're always going to be behind the curve and no matter where you are But obviously if you have radars and you have signal panels and stuff that may give you more ability But then the cost gets more and more. And one of our biggest problems we have in drone countermeasures, because obviously this is Echodyne, is when we see testing, it's tested in the middle of nowhere.

So, of course it's going to go 5km, but then if you put that drone countermeasure in a prison in an urban environment, it's going to go less than 0. 5km. If you're lucky. And then alSo, what is the other interference it has. So, I think I've said enough at the moment. So, back over to Mike and I challenge you on that, Mike.

There is no silver bullet [for cUAS]. …It's an ever-evolving landscape. You need to always remember that you may buy the state-of-the-art system today, but tomorrow it may not be state of the art. And the drone threat is always evolving especially because a lot of drone countermeasures rely on [RF] signal libraries.