Better drone security needed in industry, urges researcher
By Edwin Yapp November 7, 2019
- Drone uptake is expected to grow significantly in the next few years
- The ubiquity of drones means security must be by design
AS DRONES become more mainstream in the marketplace, they are increasingly being exploited by cyber-criminals in a bid to advance their nefarious activities, according to an expert in the field.
Speaking at the Cyber Security Nordic conference, Martti Lehto (pic), professor of cyber-security at the faculty of information technology, University of Jyväskylä in Finland, said there are a variety of ways in which cyber-criminals are exploiting weaknesses in drones today.
The former Colonel with the Finnish Air Force said commercial drones can be used as a “target in the sky” or “spy in the sky”.
“Target in the sky means cyber-attackers can exploit unencrypted communication over wireless media to implement eavesdropping, signal jamming or other electronic warfare operations.
“It could also include denial of service (DOS), GPS spoofing and software hacking or component corruption,” he said.
As for spying in the sky, Lehto explained that drones are low cost and simple devices, which can be used to gather information.
“An off-the-shelf drone can capture video, photos and audio from different sources and devices,” he pointed out. “With a few modifications, a drone becomes an electronic surveillance tool.”
Held annually in Helsinki, Finland, Cyber Security Nordic is northern Europe’s cyber-security event attracting executives, leading decision-makers and government officials. The conference presents keynotes and panels by international and Finnish experts aimed at discussing problem solving strategies and solutions for cyber-security professionals.
Lehto said the United States Joint Air Power Competence Centre (JAPCC) classifies cyber-threats against drones according to an attacker’s intention.
“There are three ways it categorises this. The first is intelligence, where attackers could intercept and monitor unencrypted data or information a drone transmits to the ground.
“The second is the disruption of a drone, where there is intentional modification of computer systems by the use of malicious code, viruses, trojans, or worms to take advantage of familiar weaknesses of commercial operating systems.
“Finally, the takeover of the drone, by taking over the communication layout and exploiting the system bugs or by way of ‘smart entry’ into the ground control station and its computer system or avionics.”
Lehto said an example of this happened in 2009, when Iraqi militants used an inexpensive software called called ‘Skygrabber’ to intercept video feeds from high-tech US Military Predator drones. Another example was when a Lockheed Martin RQ-170 Sentinel UAV used by the United States was captured by Iranian soldiers without suffering any damage, he noted.
Drones as attackers
Another concern flagged by Lehto in his research is the use of the drone to attack. Lehto argued that because drones are now low-cost and easy to use, they can deliver a “payload” to carry out surveillance and capture data or disrupt networks. Making matters worse, drones are hard to detect and defeat, he added.
“A drone can deliver a sniffing device, mounted as a payload, which is used to intercept data by capturing network traffic,” he explained. “It could be used as a spoofing device, in which a person or programme successfully identifies itself as another by falsifying data to gain an illegitimate advantage.”
Citing an example of the ‘Danger Drone,’ a US$500 (RM2,068) custom-built device that carries a Raspberry Pi equipped with hacking software, a hacker could just fly a special drone over unsuspecting targets.
Drones have also been used to disrupt commercial operations. Last December, Gatwick Airport came to a standstill when unknown parties flew drones over its airspace, disrupting an estimated 110,000 passengers on 760 flights, the BBC reported.
The news portal quoted Sussex Police as saying that the incident was not terror-related but a “deliberate act” of disruption, using “industrial specification” drones.
Sussex Police have since said that at least two drones were involved having interviewed multiple credible witnesses. The policing operations during the disruption and subsequent investigation has cost £790,000 (RM4.2 million) so far, TechCrunch reported.
As with other cyber-security mitigation methods, Lehto said there is no foolproof method of protection but there are areas which those involved in drone security must look into.
The first he says is for humans operating drones to receive mandatory training so as to raise the awareness of cyber-security threats and how they can operate drones safely. Next up is to ensure that software suites are patched and come from a trustworthy source.
“Then look into your data security. Aviation data will be used by drone operators to plan flights. So to prevent intentional corruption of the data, safeguards must be assured.
“Next is to look at the hardware supply chain and secure this chain. Only procure hardware from trustworthy supply chains for commercial-off-the-shelf hardware components rather than source from unknown sources.
“Finally, ground-based electromagnetic communications controlling and monitoring the drones are subjected to varying degrees of vulnerabilities such as jamming, spoofing and interference. There needs to be a system of high integrity, secure data links between the aircraft, the ground control stations and air traffic facilities.
Counterpoint Research analyst Satyajit Sinha noted that the global drone shipment is expected to grow at 40% (CAGR) between 2019 and 2025.
“In Southeast Asia alone, global drone shipment is expected to reach 3% by 2025,” he told Digital News Asia (DNA) in an email. “Furthermore, the future drones will be 5G-enabled, which will represent almost 40% of global cellular drone shipments by 2025.”
Asked what else must be done to address drone security, Satyajit acknowledged that drone security is a major concern, especially in the two major frequency bands – 2.4GHz and 5.8 GHz.
“Drones need to be secured from the hardware level by secure elements or by the use of physically unclonable function (PUF) technology, he argued. “Apart from an embedded OS, an additional layer of software security needs to be added and cellular connectivity should include 3GPP architecture security.
“Additionally, network security and cloud security will secure the data at motion and rest respectively.”
Satyajit also noted that original equipment manufacturers (OEMs) will need to apply all four layers of security – hardware , software, network and cloud – to optimise the security for drones.
Edwin Yapp reports from Cyber Security Nordic, Helsinki, at the invitation of Business Finland, Messukeskus Events & Expo, Finnfacts and F-Secure. All editorials are independent.
Previous stories from Cyber Security Nordic