Drones and security: where are we heading?

July 17, 2015

Recently I had the opportunity to attend the Changellenge Cup Russia 2015 student project competition. I was on the panel of judges for one of the sections. But today we will not speak of the contest itself, but of some of the problems we discussed at the engineering section.

Future UAV use cases and emerging security threats

The participants had to elaborate use cases for unmanned aerial vehicles (UAVs) in the business, defense and national economy. I think the outcomes would be good for us to know.
UAVs can be used in varied domains. Mainly there are three key categories:

  • Public administration: military services, state border surveillance, and disaster recovery assistance.
  • Businesses: monitoring and servicing of buildings, energy facilities, construction sites, agricultural objects, farms, geological exploration, and aerial footage.
  • Consumers: cargo delivery, advertising, guided tours, and games.

Currently, the UAV market serves mostly the needs of military and defense agencies, but that is not for long. In next 10-20 years UAVs, in one or another manner, will become an integral part of our life, remaining highly prone to vulnerabilities and security issues.

Naturally, this will fuel quick development of the respective industry and legislation. With these bright prospects, a usual issue of the drones’ technical hazards or vulnerabilities arises.

To put it shortly, any UAV consists of two major components – a drone itself and the ground control station, which can be either stationary or mobile.

A drone, in turn, consists of real-time operational system, control software; a front-end module to facilitate the data exchange, sensors bundled with firmware, and avionics. Optionally, a weapon control system (if applicable) or autopilot could be as well added to the mix.

A ground control station consists of control software, front-end modules and human operators. Here I should conclude that any of the components enumerated above can be a subject for an attack.

There are three major attack vectors:

  • A direct attack on a drone in case of getting physical access to the device. For instance, during the maintenance, one can purposefully or inadvertently infect a drone with malware or replace boards or ICs.
  • An attack carried out via a radio connection: a control channel can be obfuscated and data hijacked and decrypted – an approach which was, in fact, used for hacking American drones in Iraq. Curiously, the attackers used a Russian program called SkyGrabber.
  • An attack on sensors, including data spoofing — for instance, spoofing GPS coordinates.

Once hacked, the device can be used for any purpose; it might impact data generation and display and control of flight parameters (including velocity, altitude, direction, and programmable flight plans) or, as the last resort, bring it down, as high-end drones are expensive and would be a very costly loss to their owners.

In almost no time we will have to face those kinds of threats, so it’s time to get warned and prepared. There are fascinating reports on drone issues you can check out here, here and here.