Tom Tuunainen
Unmanned Aerial Systems (UAS) – or more commonly drones – have become very popular in the public and private sectors. Armed forces, the agricultural industry, law enforcement, meteorological agencies, medical services, environmental companies, and oil refineries are but a few of the users. Their use in human activity adds huge value to the evolution of Unmanned Aerial Systems, but it also increases the security risks. Imagine what could happen if smart and cheap drones become weapons in the hands of criminals. Are drones a major threat when it comes to security, and if they are, what measures should be taken to counter them?
Apart from flight safety issues, drones also affect the cyber domain and the security of data. Edwards (2021) points out that the malicious use of these platforms in the cyber domain is an inevitable fact, and it can no longer be pushed aside. At Christmas 2021, we witnessed the U.S. government imposing export restrictions (Venable and Ries 2021) on one of the largest drone manufacturers in order to protect national security and foreign policy interests.
In the United States, drones fall under the remit of the Federal Aviation Administration (FAA 2022) as UAS. That means that you cannot take them down or jam their communication. These kinds of countermeasures apply only to the military sector, where different operational procedures are enforced when an unknown drone enters the perimeter of a military base.
In the European Union, Regulations 2019/947 and 2019/945 set out the framework for the safe operation of civil drones in the European skies. They adopt a risk-based approach, and as such, do not distinguish between leisure or commercial civil drone activities. What they consider is the weight and the specifications of the civil drone and the operation it is intended to conduct (EASA 2022).
Since drones are remotely controlled, they can be hijacked by bad actors. The Department of Homeland Security (DHS 2018) stated, “Given their rapid technology advancement and proliferation, the public safety and homeland security communities must address the fact that drones can be used nefariously or maliciously to hurt people, disrupt activities, and damage infrastructure.”
GPS spoofing
GPS spoofing is a method used to take control of an Unmanned Aerial System. The attackers feed false GPS coordinates to the system and take full control of the platform. Security researchers have demonstrated how a hijacked drone can be used to hijack other drones (Albanesius 2013), ending in a drone swarm under the control of cyber criminals. In such a case the threat potential increases hugely, and it can be compared to the way botnets perform Distributed Denial-of-Service (DDoS) attacks by taking over a significant number of systems and Internet of Things (IoT) devices.
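A defender-side check for the false-coordinate problem described above, as an added example that is not part of the original article: it flags GPS fixes that the airframe could not physically have reached from the last trusted fix. The `Fix` type, the 25 m/s speed limit and the sample track are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    t: float    # seconds since take-off
    lat: float  # degrees
    lon: float  # degrees


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes, in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def implausible_fixes(fixes, max_speed_mps=25.0):
    """Indices of fixes the airframe could not have reached from the last
    trusted fix. Catches abrupt jumps only; a slow drift stays under the
    speed limit and needs cross-checking against inertial or barometric data."""
    flagged = []
    trusted = fixes[0]
    for i, fix in enumerate(fixes[1:], start=1):
        dt = fix.t - trusted.t
        if dt <= 0 or haversine_m(trusted, fix) / dt > max_speed_mps:
            flagged.append(i)  # keep the old reference, do not trust this fix
        else:
            trusted = fix
    return flagged


# Constructed track: about 10 m/s northwards, with fixes 3 and 4 displaced ~1.1 km.
SAMPLE_TRACK = [
    Fix(0, 63.84000, 23.13000),
    Fix(1, 63.84009, 23.13000),
    Fix(2, 63.84018, 23.13000),
    Fix(3, 63.85018, 23.13000),  # sudden jump
    Fix(4, 63.85027, 23.13000),  # still at the displaced position
    Fix(5, 63.84045, 23.13000),  # back on the real track
]

if __name__ == "__main__":
    print(implausible_fixes(SAMPLE_TRACK))
```

A flagged fix is a reason to stop trusting GPS for navigation decisions and fall back to another position source, not proof of an attack; receiver glitches produce the same signature.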
Downlink intercept
Downlink intercept gives access to all transmitted data between the drone and the controller. Since many of the commercial drone systems interact with their base station through unencrypted communication channels, they can be vulnerable to exploitation by an attacker. It is highly possible that an attacker can intercept and get access to sensitive data that the drone exchanges with its controller, such as pictures, videos, and flight paths, when unencrypted communication channels are used.
Data exploitation
All critical infrastructures are protected in terms of digital and physical security. A tiny computer mounted on a small drone can, however, approach sensitive areas undetected and carry out malicious operations. A drone can, for example, mimic a wireless network in order to steal data, hijack Bluetooth peripheral devices, perform keylogging operations in order to steal passwords, and compromise unsecured networks and devices.
Securing the technology
In order to mitigate the security risks posed by drones, we need to consider how we secure the drone platforms and the data exchanged, and what countermeasures we can use.
Kaspersky (2022) recommends keeping the UAS software updated and using anti-virus software on the controller device, when possible. Kaspersky also recommends using strong passwords for the base station, and subscribing to a VPN service in order to encrypt the connection between the drone and the base station. In addition, limiting the number of devices that can connect to the base station, and using the Return-to-Home (RTH) mode, make hijacking the drones much more difficult (Kaspersky 2022).
Countermeasures should primarily focus on space protection. High frequency radars, thermal cameras, radio frequency scanners, acoustic sensors, and sophisticated artificial intelligence algorithms can be used for this purpose. The small size of drones can, however, still make the task of detection challenging.
Other countering techniques involve geofencing software, which creates a virtual border around an area, prohibiting unauthorized drone flight. The military sector also makes use of counter-drone systems called effectors that are not available to the market (NATO 2021).
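The virtual border behind geofencing comes down to a point-in-polygon test on each reported position. The following added example (not from the original article or from any geofencing product) applies a ray-casting test to a constructed L-shaped zone and a constructed track, and reports every entry and exit; it treats latitude and longitude as planar coordinates, which is an assumption that only holds for small areas.

```python
def point_in_polygon(lat, lon, polygon):
    """Ray casting: count how many polygon edges a ray cast due east crosses."""
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]
        if (lat1 > lat) != (lat2 > lat):  # edge spans the point's latitude
            cross_lon = lon1 + (lat - lat1) * (lon2 - lon1) / (lat2 - lat1)
            if lon < cross_lon:
                inside = not inside
    return inside


def geofence_events(track, polygon):
    """Return (index, 'enter' | 'exit') for each border crossing in the track."""
    events = []
    was_inside = False
    for i, (lat, lon) in enumerate(track):
        now_inside = point_in_polygon(lat, lon, polygon)
        if now_inside != was_inside:
            events.append((i, "enter" if now_inside else "exit"))
        was_inside = now_inside
    return events


# Constructed, non-convex (L-shaped) protected zone as (lat, lon) vertices.
RESTRICTED_ZONE = [
    (63.840, 23.130), (63.840, 23.140), (63.845, 23.140),
    (63.845, 23.135), (63.850, 23.135), (63.850, 23.130),
]

# Constructed positions of an observed drone.
OBSERVED_TRACK = [
    (63.838, 23.132),  # south of the zone
    (63.842, 23.132),  # inside, lower part
    (63.847, 23.132),  # inside, upper-left part
    (63.847, 23.138),  # in the notch of the L: outside
    (63.843, 23.138),  # inside again
    (63.843, 23.142),  # east of the zone
]

if __name__ == "__main__":
    for index, kind in geofence_events(OBSERVED_TRACK, RESTRICTED_ZONE):
        print(index, kind)
```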
The future
Drones will continue to evolve. The Federal Aviation Administration believes that the big opportunity for drones is not in the leisure market, but in the market for commercial drones. The FAA believes that, in the near future, drones will dominate various commercial and public sector activities, such as making deliveries, surveying and mapping services, and monitoring crops. Given the possibilities, there will be more drones flying around, and that might create an even bigger threat from the security perspective. It is therefore crucial that security issues are properly addressed, in order to secure the Unmanned Aerial Systems properly, so that we can reap the benefits from their use. (Kaspersky 2022.)
References
Albanesius, C. 2013. ‘SkyJack’ Software Finds and Hijacks Drones. Available at: https://uk.pcmag.com/security-devices-2/8285/skyjack-software-finds-and-hijacks-drones. Referenced 1st December 2022.
DHS 2018. Snapshot: Countering Unmanned Aerial Systems in Urban Environments. Available at: https://www.dhs.gov/science-and-technology/news/2018/05/11/snapshot-c-uas-urban-environments. Referenced 30th November 2022.
EASA 2022. Civil drones (unmanned aircraft). Available at: https://www.easa.europa.eu/en/domains/civil-drones. Referenced 1st December 2022.
Edwards, B. 2021. Cybersecurity And Drones: A Threat From Above. Available at: https://www.forbes.com/sites/forbestechcouncil/2021/02/25/cybersecurity-and-dronesa-threat-from-above/. Referenced 30th November 2022.
FAA 2022. Drones. Available at: https://www.faa.gov/uas. Referenced 1st December 2022.
Kaspersky 2022. Security and drones – what you need to know. Available at: https://www.kaspersky.com/resource-center/threats/can-drones-be-hacked. Referenced 1st December 2022.
NATO 2021. NATO Agency holds exercise to improve counter-drone technology. Available at: https://www.ncia.nato.int/about-us/newsroom/nato-agency-holds-exercise-to-improve-counterdrone-technology.html. Referenced 2nd December 2022.
Venable, J. and Ries, L. 2021. DJI Placed on the Entity List for Human Rights Abuses, but Concerns About Data Security Should Not Be Overlooked. Available at: https://www.heritage.org/cybersecurity/commentary/dji-placed-the-entity-list-human-rights-abuses-concerns-about-data. Referenced 30th November 2022.
Tom Tuunainen
R&D Developer
Centria University of Applied Sciences
Tel. +358 40 681 7207