Consumer drones: ensuring secure communication protocol between drone and pilot
Aerial drones have come a long way in a short period of time. In the past 10 years, they have become a routine tool for photographers, landscape gardeners, golf course designers, law enforcement, architects, film-makers, and many other professionals. In many cases, owners rely on their unmanned aerial vehicles (UAVs) to deliver a high-quality service, and by and large, that's what they provide.
However, as some users are finding, UAVs come with their own unique security vulnerabilities. As more people use drones, the risk of hijacks and thefts is rising, especially where video and photographic content is concerned. But few owners appear to know how to secure their vehicles against these attacks.
This blog will look at some of the technical issues surrounding drone security. We'll look at the types of threats posed to UAVs, how they work, and what can be done to counteract them. Hopefully, we'll put your mind at rest and allow you to pilot your vehicle without the stress of cybersecurity risks hanging over your head.
What type of attacks affect drones, and what causes them?
Firstly, many pilots are simply unaware of the many threats associated with their UAVs, leading them to fly them publicly and without any safeguards to ensure they retain total control. So a quick run through of the major risks is absolutely essential.
One way to model these threats is by considering two axes: uplink threats and downlink threats.
1. Uplink threats - When you pilot a UAV, signals are transmitted wirelessly via radio frequencies from your remote control, laptop, or smartphone, and these signals can be intercepted and modulated to suit the needs of anonymous attackers. this is surprisingly easy with many brands of consumer UAV. The firmware they use and the wifi standards required to transmit instructions are rarely encrypted, and firmware tends to be updated infrequently. If the drone relies on GPS signals, attackers can also use a technique known as "GPS spoofing", which mimics the signals transmitted via GPS satellites.
2. Downlink threats - Conversely, hackers could target information sent from drones to targets on the ground. Video footage taken by drones tends to be transmitted in unencrypted radio format, so anyone within range could theoretically intercept, store, and sell a pilot's footage.
How do these drone-jacking threats work in practice?
This might seem fairly abstract right now, but there are plenty of real-world examples of drone hacking in action. For example, in 2016 cybersecurity researcher Jonathan Andersson unveiled a tool (appropriately) called Icarus. Using standard DSMx radio transmissions, the Icarus box proved capable of hijacking drones from many mainstream vendors. Moreover, it could also prevent legitimate owners from regaining control via code injection, allowing for simple drone theft.
Andersson is far from alone. Also in 2016, Samy Kankar demonstrated how easy it was to hijack police drones from as far as one mile away. In Kankar's case, he used standard radio frequencies to reprogram the software on target vehicles, making them think that he was the legitimate pilot. This gave him total control over the flight plan of law enforcement UAVs.
He took the concept even further, developing a tool called Skyjack, which could be attached to a UAV. After scanning the nearby area for drones with vulnerable MAC addresses, Skyjack can take control, and potentially summon up "swarms" of UAVs controlled by a single hacker with a Raspberry Pi. It's a terrifying prospect, but one that is facilitated by the weak security employed by most contemporary UAV manufacturers.
Why footage taken by drones is particularly vulnerable
Should you worry about drone jacking if your business relies on taking aerial video footage? Probably. For one thing, camera drones are one of the juiciest targets for cybercriminals around. They know that companies using these vehicles tend to install high-quality cameras and accessories, in order to capture the best possible footage. So camera drones are a prime target - if only due to their resale value.
But the data captured by camera drones could be even more attractive. Security experts have shown that it's relatively simple to steal the login credentials of pilots, providing total awareness of flight paths, footage, and any other data. This can be sold on to third parties, used in corporate espionage, or just exploited for personal use.
When unedited footage leaks, it can be a huge reputational risk for the company that captured it, as well as a loss of valuable proprietary data. So it makes sense to secure your footage as much as possible, but how can you do so?
How to protect footage taken with your UAV
Until drone manufacturers come up with 100% secure firmware and transmission procedures, using UAVs will never be completely secure. However, there are some steps pilots can take to minimise the risk of theft or drone jacking.
Firstly, secure file storage is essential. Many remote UAV operators choose to store footage with Cloud-based providers, and that makes a lot of sense. But it can lead to security risks as well, so choose secure providers with 2-factor authentication and full encryption.
It's also a good idea to encrypt anything that your UAV transmits to and from your receiver (usually a standard laptop). This is where Virtual Private Networks play an important role. VPNs encrypt everything that leaves your laptop while anonymising your digital footprint. This means that if you are sending footage to Cloud storage providers, or using unsecured wifi while piloting your UAV, it's very tough to extract footage once it arrives on your computer.
VPNs vary widely though, so choose a supplier you can rely on. This guide to the best free VPNs should point you in the right direction.
Updating the firmware on your UAV is also extremely important. Developers don't always make this as simple as it should be, so if needed, be sure to enquire with the support staff to check for recent patches.
It's also absolutely vital to keep your controller and receiver free of malware. Malware is a major vector for the theft of UAV login credentials and data extraction, so fine-tune your anti-malware tools and never click on links in unsolicited emails.
Finally, it's worth investing in up to date drones that come equipped with anti-drone jacking technology. Operating systems used in consumer drones have come a long way in the last few years, making break-ins a lot harder. So don't assume that cheap UAVs represent a real-world saving. The lack of security measures can cost you dearly further down the line.
Treat drones like smartphones or work computers
Many pilots still regard aerial drones as a form of accessory (or even a toy). As a result, UAVs can be sidelined in corporate security planning or used unwisely by ordinary consumers. This has to change.
As we've seen, drones are highly vulnerable to a variety of attacks. Hackers can take control of flight systems, lock out pilots, or steal data - often without users knowing about it. This makes it essential to guard your UAV via VPNs, anti-malware tools, and regular firmware updates.
Above all, it means becoming security-conscious when your drone takes to the sky. You never know who is waiting to take control.