General security

Beware of the drone! Privacy and security issues with drones

Susan Morrow
April 23, 2019 by
Susan Morrow

Drones, or “unmanned aerial vehicles,” (UAV) have flown into our lives both for the consumer hobbyist and as commercial and military devices. The market for drones used across all sectors is expected to reach $141 billion by 2023, with the commercial drone market size making up at least $17 billion of that.

Drones are useful, as in really useful, hence the massive market for the devices. The applications for drones in an industrial setting are vast: industrial monitoring; aerial surveillance; aerial imaging which, linked to AI, offers computer vision; even smart agriculture is flying in on the back of drones. And who wouldn't want a drone, just for the fun of it?

Drone technology is interesting in the cybersecurity field on a number of levels. The “flying eye in the sky” has obvious privacy implications. But drones are also a type of connected device, collecting and sending data for analysis, and this creates implications for the safety and hackability of the devices. This article will look at some of these privacy and security issues that gives the drone a bad name.

A drone's-eye view of you

In 2013, then-FBI Director Robert Mueller admitted that the FBI was using drones to carry out surveillance on U.S. soil. In an interview about the scope of this exercise, Mueller said: "We have very few.'' That was then.

Now drones are routinely used by governments all over the world. In 2018, Bard College published a report of a study that showed 910 law enforcement agencies and emergency services in the U.S. had purchased drones.

The use of drones in law enforcement is not necessarily a bad thing, of course; if it helps the police to do their job, that can only be good. However, a look at drone use by the FBI from ACLU found that the FBI used drones for more than just catching criminals. The ACLU obtained evidence showing the use of drones during the protests held in Baltimore over the death in police custody of Freddie Gray. These drones were surveilling citizens who were taking part in protests — civil liberty suppression 101.

Concerns about state use of drones in surveillance are being raised by civil rights and liberties groups such as the Electronic Frontier Foundation (EFF). These groups and others are asking for tightened controls on the use of drones in order to uphold the right to privacy of the individual. The drone laws in the U.S. crafted by the Federal Aviation Administration (FAA) are, like the data protection laws in the U.S., on a state-by-state basis. Other countries are also addressing the use of drones and including privacy protection clauses in legislation. But this is a moving target (pun intended) and keeping legislation up to date with technology is always a challenge.

And what about the privacy implications in the use of drones for state surveillance? Ann Cavoukian, ex-privacy commissioner for Ontario, looked at the implications of the misuse of drones by state actors in her treatise “Global privacy and security, by design: Turning the 'privacy vs. security' paradigm on its head.” She summed it up by saying that “privacy and public safety can indeed co-exist, resulting in greater efficacy for both.”

Hacking a drone

Privacy isn’t the only thing at risk with drones. During RSA 2016, security consultant Nil Rodday gave a talk showing how to use a Wi-Fi attack against a drone. The attack was a classic Man-in-the-Middle, remediated by using strong encryption and changing default passwords.

The hack was used to show the vulnerabilities in not the cheaper hobby drones, but very expensive drones as used by law enforcement agencies and emergency services. The drone used a known weak encryption mode called Wired Equivalent Privacy (WEP). This, coupled with a few pieces of cheap hardware and knowledge, allowed Rodday to hijack the drone.

The moral of this story is to use known and robust encryption modes and algorithms.

A drone hijack

There have been a number of password-related drone hacks showing how even basic security hygiene is amiss in some drones. In one drone hackathon, the Federal Trade Commission (FTC) was able to show several vulnerabilities in commercial drones. This included an unsecured Wi-Fi connection allowing access to the camera feed of a drone. It also included similar unencrypted data connections as mentioned above, making the drone vulnerable to attack.

Conversely, the Department of Homeland Security issued the report “Cybersecurity Risks Posed by Unmanned Aircraft Systems,” which showed how drones themselves could be used to compromise vulnerable systems. An example of this type of cyberattack was demonstrated by Israeli researchers who used a drone to compromise smart light bulbs in an office. The researchers updated firmware and took control of the light bulbs by flying in the equipment needed to do so using a drone.

Consumer drones and safety

The FAA saw 1.1 million drones registered with the organization in 2017, and they predict the numbers to increase to around 3.1 million by 2022. These drones are used for all sorts of reasons, including real estate images, industrial inspection and agriculture. The fact that drones can be easily hijacked not only puts drone-generated data at risk but also the safety of citizens.

In 2018, Gatwick airport was closed down for three days. Hundreds of flights were canceled, and innocent people arrested. The chaos was caused by “drone sightings,” which were disputed. The end result was the introduction of drone detection systems in the UK.

The Gatwick incident was likely not a deliberate attempt to cause a plane crash or even disruption. However, drone safety is an issue. Even with laws in place to prevent the flying of drones within a given distance from airports, if a drone is hijacked by a person with criminal intentions, laws alone will not contain the problem.

Drone wars

With any new technology, we have to design it with privacy and security in mind. But like many technologies, these two remits often get lost in the rush to market needed to compete in a very competitive world.

Legislation to control the security issues that can creep into drones during manufacture is ongoing. However, this is not something that legislation alone can address, especially in a fast-paced tech environment. Users of drones need to insist that certain basic security criteria are met. This includes using robust encryption. Other areas, like password hygiene and firmware updates, should be part of the general ownership routine that a responsible drone owner performs.

Sources

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.