Drones and Information Security

By the Office of the Chief Information Officer
First published in: Oct 2015

Drones, officially known as Unmanned Aerial Systems/Vehicles (UAS/UAV), have become popular with hobbyists in recent years. They are easy to control thanks to improved technologies and features such as self-stabilizing, automatic take-off and landing, and auto-homing. Miniaturization of components like motors, gimbals, gyroscopes, and GPS allows drones to fly farther and longer. Mass production has also made drones affordable to many. Sounds attractive, right? But you might not be aware of the dark side of drones. So, let's look at some of the issues from an IT security point of view.


Unencrypted radio broadcasting

Obviously, drones are controlled using remote controllers through radio signals. Limited by the processing power of drones and remote controllers, radio signals are usually unencrypted. This means they are broadcast in the clear, and eavesdroppers can capture all video sent from the drone to your remote controller over the air. This has happened to military drones as well [1][2].

Hijacking

What's even worse, your drone could be hijacked. Just as it is easy to intercept the communications between your drone and remote controller, it is not difficult to create a signal on the same frequency and channel, jam the channel, and make your drone uncontrollable. It is also possible to build a customized remote controller with a stronger signal output that takes control of your drone. Someone has also claimed to have installed a jamming device on a drone, flown it, and taken down other nearby drones [3][4].

GPS spoofing

Drones also use GPS to locate themselves and fly. Many of them use waypoints to plan routes: the owner sets waypoints on a map and transfers the route to the drone, which then flies it by itself. Many drones also come with an auto-home function, which records the starting point of the flight and helps the drone fly back to it if it loses communication with the remote controller. However, civilian GPS signals are unencrypted and can be spoofed. In other words, your drone could be fooled and driven away from its original route [5][6].
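A defensive plausibility check for the spoofing risk described above, as an added example that is not part of the original article: it flags GPS fixes that would require the drone to move faster than it can fly. The function names, the 20 m/s speed limit and the sample track are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def implausible_fixes(fixes, max_speed_mps):
    """Return indices of fixes whose implied speed, measured from the last
    trusted fix, exceeds what the airframe can fly.
    fixes: list of (t_seconds, lat, lon) in receive order."""
    if not fixes:
        return []
    flagged = []
    trusted = fixes[0]  # assumption: the first fix (take-off point) is good
    for i, fix in enumerate(fixes[1:], start=1):
        dt = fix[0] - trusted[0]
        if dt <= 0:
            flagged.append(i)  # non-increasing timestamps are suspect too
            continue
        speed = haversine_m(trusted[1], trusted[2], fix[1], fix[2]) / dt
        if speed > max_speed_mps:
            flagged.append(i)  # keep comparing against the last trusted fix
        else:
            trusted = fix
    return flagged

# Constructed sample track: (seconds, latitude, longitude).
# Fixes 3 and 4 jump roughly 1.1 km north within one or two seconds.
SAMPLE_TRACK = [
    (0, 22.30000, 114.17000),
    (1, 22.30005, 114.17000),
    (2, 22.30010, 114.17000),
    (3, 22.31000, 114.17000),
    (4, 22.31005, 114.17000),
    (5, 22.30025, 114.17000),
]

if __name__ == "__main__":
    print(implausible_fixes(SAMPLE_TRACK, max_speed_mps=20.0))
```

This check catches only abrupt position jumps; it is one plausibility test, not a complete defence against spoofed signals.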

Malware

Malware is also a concern. After all, a drone is equipped with a microcomputer designed to receive control signals, read data from sensors, and calculate and adjust the motors. As a rule of thumb, all computer systems have vulnerabilities that can be exploited. It has been claimed that malware has been developed for attacking drones. It has also been reported that there are plans to use drones as a platform to spread malware [7][8].

What to do?

All of the above is just the tip of the iceberg, meant to draw your attention to the fact that drones can leak private information, be taken down, or even be hijacked. So what shall we do? Our recommendation is to go back to the basic risk management strategy:

Avoidance: eliminate the risk by refraining from buying and flying drones.

Transfer: buy insurance that covers losses for yourself and third parties, so that you don't have to bear the full burden of a total loss. Such insurance plans are not yet available on the market; however, they could arrive at any time, so keep an eye out.

Mitigate: reduce the likelihood of occurrence, for example by flying in a safe zone, keeping the firmware of your drone up to date, and monitoring the trend of risks and regulations related to drones.

Acceptance: understand the risk and accept what might happen.

You could also combine the approaches above. Whatever risk management approach you adopt, please be reminded that you will also have to bear the consequences.

Without a doubt, safety is of utmost importance, and please bear in mind that a drone is not a toy. It can be a hazard to life if it falls from just a few meters and hits someone, or if its propellers hit somebody. Therefore, before flying any drone, please familiarize yourself with all the safety instructions and obtain proper training.

Finally, please note that if you plan to use a drone, you must fully comply with all applicable local laws and regulations, and you must also obtain proper approval from the landlord or approving authorities in advance.

Further reading

[1] Wired (2012), Most U.S. Drones Openly Broadcast Secret Video Feeds,
retrieved from http://www.wired.com/2012/10/hack-proof-drone/

[2] NBC Chicago (2015), How a Drone Could Spoof Wi-Fi, Steal Your Data,
retrieved from http://www.nbcchicago.com/investigations/drone-public-wi-fi-302649331.html

[3] Dutch News Design (2015), Alert: your drone data is intercepted by hackers and security,
retrieved from http://www.dutchnewsdesign.com/dronejournalism/drone-data-intercepted-by-hackers-security-data-thieves-governements/

[4] Computerworld (2013), Hacker-built drone can hunt, hijack other drones,
retrieved from http://www.computerworld.com/article/2486491/mobile-wireless/hacker-built-drone-can-hunt--hijack-other-drones.html

[5] Forbes (2015), Watch GPS Attacks That Can Kill DJI Drones Or Bypass White House Ban,
retrieved from http://www.forbes.com/sites/thomasbrewster/2015/08/08/qihoo-hacks-drone-gps/

[6] The University of Texas at Austin (2015), Todd Humphreys' Research Team Demonstrates First Successful GPS Spoofing of UAV,
retrieved from http://www.ae.utexas.edu/news/features/todd-humphreys-research-team-demonstrates-first-successful-gps-spoofing-of-uav

[7] The Hacker News (2015), MalDrone - First Ever Backdoor Malware for Drones,
retrieved from http://thehackernews.com/2015/01/MalDrone-backdoor-drone-malware.html

[8] PC Magazine (2015), Forget Phishing: Malware Now Coming for Your Via Drones,
retrieved from http://asia.pcmag.com/security/4587/news/forget-phishing-malware-now-coming-for-your-via-dr