By: Navid Kagalwalla
August 28, 2020
Security and Privacy of Drones
By: Navid Kagalwalla
August 28, 2020
A drone, also known as a UAV (unmanned aerial vehicle), is an aircraft piloted by remote control or onboard computers. With the advent of the concept of smart cities, drones are expected to play a huge role in the delivery of products and merchandise, enabling the reduction of greenhouse gases and introducing cutting edge navigation techniques which cut waiting times for perishables and non-perishables alike. Drones will enable ubiquitous broadband wireless access by serving as mobile hotspots for seamless internet connections throughout cities. They will eliminate the need for workers to physically access hostile environments where weather, radiation, or height can lead to accidents or health issues. With the recent technological advancements and the open source initiatives for hardware/software, drones are no longer only reserved for the military. Drones today can come in all shapes and sizes, be flown by almost anybody, and include highly advanced features such as live video feed, high speed, and cutting edge video resolution. However, the proliferation of drones brings together several cybersecurity and privacy concerns that must be addressed for public safety. While drones can be utilized for the betterment of society, malicious actors can easily threaten society by conducting cyberattacks on drones, leading to physical and technical security concerns.
Cyberattacks on Drones
Most drones communicate with the ground station controller using a WiFi network (IEEE 802.11 standards) to enable control through a phone/tablet or to broadcast video feeds to a computer/phone. This leaves the drone vulnerable to cyberattacks. In most cases, man-in-the-middle-attacks can easily hijack drones up to a distance of 2km due to the absence of encryption. With the non-existence of encryption onboard the WiFi drones' chip, anybody can hack the drone and use it for malicious purposes. At the Defcon hacker conference in 2019, an independent security researcher, Pedro Cabrera, hacked a smart TV by flying a drone close to the TV antenna. He was even able to display his video on the TV. Hacking incidents like this pose severe privacy issues. A robber may scout homes using drones to check which house would be the most favorable to target. With 3-D imaging and live video feed, robbers may be able to create 3-D plans of a building they intend to target. In most countries, however, privacy laws for drones are highly lacking, if not completely absent. Drones can also be used for spying to extract sensitive data from organizations and individuals.
By simply attaching a Raspberry Pi device that acts as a mini-computer, hackers can fly drones to forbidden areas and exploit WiFi, Bluetooth, or even radio-frequency vulnerabilities. This may impact an organization's critical infrastructure, leaving sensitive data in the hands of a malicious actor. Deauthentication attacks, which act as a type of DoS attack, enable an attacker to disconnect a drone from its legitimate access point and then get the drone to connect to a rogue access point or perform password attacks to gain access to the drone.
A GPS spoofing attack is another common attack performed on drones. GPS enables a drone's navigation and, with the absence of high-end encryption, can be easily hacked and spoofed. By transmitting fake GPS coordinates to the drone's control system, an attacker can gain complete access to the drone, enabling the drone to fly wherever the attacker chooses. This can pose a significant threat if an attacker chooses to fly this hijacked drone over an airport, putting many lives at risk. There have been several documented incidents of near-misses between drones and aircraft, such as the near-collision incident with a Boeing 737 and a drone at London's Heathrow Airport in 2016. This led Heathrow Airport to install an anti-drone system to prevent accidents and delays to aircraft.
How to Prevent Rogue Drones
Several steps can be implemented by an organization to prevent a drone attack on its facilities. A simple start while implementing this policy would be to post "no drone" signs. While these signs may or may not hold up in court, it will surely deter drone operators from flying drones too close. Several start-ups have emerged, such as Robin Radar Systems, DroneShield, Fortem Technologies, and many more developed systems that automatically detect and classify drones providing real-time alerts.
Gathering information about the rogue drone may enable one to track the flight path, giving the drone's origin, and subsequently leading you to the malicious pilot. An organization may also launch a counter-drone to intercept the rogue drone and bring it down. In many cases, radar, acoustic sensors, RF scanners, and thermal imaging can detect a drone. Finally, notifying local law enforcement and the FAA and providing them with all the information you have gathered through either the counter-drone or the drone radar systems enables them to find and prosecute the pilot.
Soon, drones will be used more pervasively for surveillance, communication, disaster relief, and recreation. While the need for robust security measures for drones is a must, it may take a while before governments worldwide enact laws that prevent the exploitation of individuals' privacy by drone attacks.
The increase in the feature sophistication of drones comes with the increase in sophistication of cyberattacks on drones. However, by preventing malicious actors by employing state of the art drone sensors and anti-drone systems, organizations can protect their facilities from exploitation.