Thursday, November 3, 2016

Key Questions About Securing Drones From Hackers

Forbes
Gregory S. McNeal, Contributor

I'm an expert in law & policy focused on technology.

Opinions expressed by Forbes Contributors are their own.





In this Thursday, Sept. 22, 2016 still image from video, a test drone making a UPS delivery lands on Children’s Island in Marblehead, Mass. UPS partnered with robot-maker CyPhy Works to fly the drone on a programmed route for three miles over the Atlantic Ocean to make the delivery. (AP Photo/Rodrique Ngowi)

Americans are becoming increasingly familiar with drones, and the technology is already delivering value to millions of end users. Despite these benefits, government officials are oftentimes seeking ways to think about the future. It was in that spirit that the Federal Trade Commission convened its Fall Technology Series on drones last week. I was a participant on one of the panels, which was preceded by a presentation in which FTC officials demonstrated the security vulnerabilities of low-cost toy drones.

At the event, the FTC tested three drones (a Parrot AR, as well as two “toy” drones by Cheerson and DBPower) to see if they could access the camera feed, hijack or disable the drone’s navigation, collect information about nearby or connected devices, or modify the GPS signal. In a real-time demo, the FTC remotely accessed the Parrot AR’s video feed and turned it off in midair. (It’s important to note that the drone in the demo is six years old, and all three drones retail for less than $200. Not all drones are vulnerable to the complete range of these attacks; security varies with the sophistication of the drone and at the discretion of the manufacturer.)

The demonstration was a launching point for a discussion about drones, their security, and their connectivity. I wanted to learn more, so I sat down with Jared Ablon, one of the foremost experts on drone security and my colleague at AirMap. As Chief Information Security Officer, he is charged with ensuring the company, its products, and the drone industry are secure.


Greg: The drones in the FTC’s demonstration were all under $200, and in the case of the Parrot AR, technology that is six years old. Are all drones vulnerable to these kinds of attacks?

Jared: Any device is a potential target for an attack, especially devices that send and receive data remotely. This is true for the smartphone in your pocket, the garage door opener in your car, and the laptop in your office. Drones are no different.

Like these other devices, drones can be targeted for software and system attacks. And because they fly, navigate, capture video, and are controlled remotely, drones are also potential targets for other kinds of attacks: command and control (C2) data link jamming and spoofing, in which a hacker blocks or falsifies the data link to disrupt or take control of the drone; navigational sensor jamming and spoofing, which could also disrupt or take over navigation; and tapping the video or photo link, in which an attacker intercepts video and other data sent from the drone.

No device – whether it is a drone, smartcar, phone, or computer – is 100% secure. The good news is that because drones are a nascent industry, we have an opportunity to work together to counter any potential risks that come with these connected devices. I’m glad the FTC is continuing this conversation – it allows us to surface solutions to potential problems and discuss what else we need to realize a future that makes drones a part of our everyday lives.


Greg: Can the operator tell that a drone has been compromised? What happens when a drone is attacked?

Jared: Not always. It’s just like when someone hacks into a computer: sometimes people know because the attack affects performance, or the hack can be invisible to the user. It may be difficult for a drone operator to determine if a drone has been hacked or if it is just malfunctioning.

The scope and severity of an attack can range from gathering data about the drone’s location and video feed to taking complete control of the drone. Fortunately, to date we haven’t had a major incident caused by a drone being compromised.

To me, that means this is a good time to examine drone security together, as an entire industry. We’re on the cusp of drone delivery and autonomous flight beyond an operator’s visual line of sight. None of us want to see a security incident halt innovation or stifle the industry.


Greg: What can we do to reduce the risk of attack for drones?

Jared: Drone manufacturers have accelerated the pace of innovation and are building amazing drones with great features. I think we have an opportunity to put that intelligence to work to tackle the challenges of ensuring drones are safe and secure.

A first step is for the industry to begin aligning around some common-sense, specific security standards that will allow drone innovation to take off. This would give us clear baselines for protecting the C2 data link, encrypting data channels, mitigating navigational sensor (such as GPS) attacks, hardening applications, and securing against physical access attacks. Standards alone are not enough; as an industry, we can also start taking security more seriously and develop very specific security controls that mitigate the major types of attacks. It is possible to come up with a short list of security controls that could mitigate the majority of security risks.

So, what kind of security controls might be effective in this context? Some examples would be adding encryption and mutual authentication on the C2 data link to protect against a drone take over, or encrypting the video data channel to help prevent interception. Encryption can be relatively cheap in cost and have limited impact on device size, weight, and power consumption. Encryption uses a bit more power, but the rise of Internet of Things (IoT) technologies has led to advancements in cryptographic algorithms that can significantly lower the power required to improve security.

Manufacturers could also consider fail-safe mechanisms for protecting against jamming of the C2 data link, adding multiple navigational sensors to detect and mitigate against spoofing and jamming, and including application security best practices in the Software Development Lifecycle, the security process of planning, creating, testing, and deploying new software.


Greg: What can commercial and hobbyist operators do to reduce the risk of a cybersecurity issue?

Jared: Most prevention measures are in the hands of drone manufacturers, but I recommend being careful about who has physical access to a drone or an opportunity to modify it.


Greg: You were the sixth hire at AirMap and as part of the leadership team, have championed security from the very beginning. What creates a culture of security?

Jared: It is far easier to make security part of company culture early than it is to change culture later on. Making an early security hire, and making that person part of strategy conversations at the executive level, is critical. It ensures that security and business objectives are aligned from the beginning, and it sets expectations for how employees can work securely and how engineers can tackle challenges and innovate to secure solutions.

With that said, it’s not too late for established companies to make security a part of their business strategy. A senior or executive security hire can help to realign company culture and work with the engineering team to ensure that security is being properly prioritized amid the demands of the product cycle. In the long run, focusing on security early leads to outcomes that are cheaper and easier to implement – it’s a win-win for everyone.

Members of the public can share their comments regarding drones and cybersecurity directly with the FTC through a public comment process that is open until November 14, 2016.


Read more at:
http://www.forbes.com/sites/gregorymcneal/2016/10/19/key-questions-about-securing-drones-from-hackers/#3a6569c0501f
