Privacy and Security Issues for the Usage of Civil Drones
In December, Amazon.com, the world’s largest online retailer, announced that it is testing unmanned drones to deliver products ordered by its customers. The service was experimental, and it could probably take up to five years to start. In discussion is the possibility to adopt unmanned aerial vehicles (UAV) for civil use. As explained by the CEO of Amazon, Jeff Bezos, the introduction of UAVs in the supply chain of the company can bring many benefits, exactly as in many other sectors.
“We can do half-hour delivery… and we can carry objects, we think, up to five pounds (2.3kg), which covers 86% of the items that we deliver,” said Bezos.
The drone industry is growing at a rapid pace. Aerospace research company Teal Group has estimated that sales of military and civilian drones will total over $89 billion in the next 10 years. The possible fields of application for UAVs are unlimited. Some of the most interesting usages could be grouped in the following categories.
Protection of population
This category can include services like firefighting and wildfire detection, disaster relief, search and rescue. In all the above scenarios, drones could operate in risky areas or could be deployed to monitor specific areas to prevent incidents or to provide all the necessary support to the forces of intervention in the event of environmental disasters or accidents.
Using UAVs, supplies can be transported rapidly into critical areas requiring medical attention, or any other kind of support, including food rations and other medicines. Drones can also be used by firefighting squads to monitor the progression of fires in wide areas, avoiding the need to to involve civil personnel, or can be exploited to locate missing persons.
UAVs could be equipped with thermal sensors or night vision cameras, and they can be used to quickly inspect a wide area, providing detailed information on it to the control center.
Mineral prospection and mining
Drones equipped with specific sensors can cover in-flight large areas for mineral detection. UAVs can be used to build a map of the territory by analyzing the rock composition. Large areas with differing elevations could be inspected with high accuracy on a regular basis.
The agriculture industry is one of the sectors that most of all is benefiting of UAV usage, drones can rapidly map the fields, and could be also used to spray the crops with water or to fertilize the fields.
Construction and Infrastructure inspection
Drones could be used to monitor critical infrastructure in a large area, taking pictures of pipelines, bridges and power lines. The goal is to support maintenance activities and assess the structures. In the near future, drones could be used to also operate reparations to minimize the risk of any injury to human workers.
No doubt, drone usage will bring different benefits but also raise numerous implications under security and privacy perspectives. Amazon is just one of numerous companies that will use unmanned aerial vehicles for civilian purposes. The US Federal Aviation Administration (FAA) has approved their use for police and government agencies, issuing about 1,400 permits over the past several years, and it will authorize civilian air space use by 2015. The situation is quite similar in Europe, where the use of drones for civilian use is expected to start by 2016.
The principal risks are represented by the possibility that groups of criminals and cyber terrorists could hack unmanned aerial vehicles, with intent of harming the population. Drones could be attacked for several purposes, and hackers could be intentioned to interfere with the services they provide and could abuse them for cyber espionage or could hijack them for sabotage.
The difficulties of the commercial drone industry
The U.S. commercial drone industry is slow to take off, more than two years after President Obama signed into law a bill that authorizes the civilian use of unmanned aerial vehicles in the country.
The Federal Aviation Administration Modernization and Reform Act of 2012 authorizes the FAA to issue licenses for commercial drone use in the U.S, and at the same time, request to the agency to define rules for the usage of civilian drones by private entities and by law enforcement agencies.
While the central government approved the law for use of commercial drones, since it was passed in February 2012, nearly 43 states have proposed a total of 130 bills and resolutions seeking limits on drone use to avoid privacy and civil rights violations.
The technologies which equip the drones could be abused to spy on unaware individuals. Privacy and civil liberties advocates have raised many doubts about the legitimacy of facial recognition cameras, thermal imaging cameras, open Wi-Fi sniffers, license plate scanners and other sensors.
To better understand the limitation imposed by lawmakers, let’s consider the proposal originated in the states of Louisiana and Pennsylvania, which ban the use of UAVs in certain circumstances.
The Louisiana state legislature is considering two separate proposals to ban the use of commercial drones. The first one to prohibit drones from flying over critical infrastructure (e.g. Chemical plants, water treatment facilities, gas and oil storage and delivery facilities, telecommunications networks). The second proposed bill aimed to prohibit private drone operators from capturing images of individuals or of private property without explicit permission.
The above proposal resumed the principal concerns related to the involvement of drones in civil and private activities. Overseas the situation also appears confused. In Europe, the use of drones is increasing for a wide variety of purposes, including crop monitoring, traffic management and news reporting.
The use of drones for civil uses is syndicated for two main reasons. The risk that these machines could be hijacked or can be subjected to failure, and for the fear that they could collect unauthorized data, violating privacy of citizens. The FAA has announced that one of its top priorities is to publish rules for small UAVs later this year.
“The rulemaking is very complex, and we want to ensure that we strike the right balance of requirements for small [drones] to help foster growth in this emerging industry,” an FAA spokeswoman said in an email.
The European Commission has recently proposed to set tough new standards to regulate the operations of drones for civil usage. According to the work of the Commission, the new standards must cover safety, security, privacy, data protection, insurance and liability.
The principal problem is the fragmentation of law across the EU. In Europe, basic national safety rules are applied and it is important to uniform them within a share regulatory.
“Civil drones can check for damage on road and rail bridges, monitor natural disasters such as flooding and spray crops with pinpoint accuracy. They come in all shapes and sizes. In the future they may even deliver books from your favourite online retailer. But many people, including myself, have concerns about the safety, security and privacy issues relating to these devices,” said Vice-President Siim Kallas, Commissioner for mobility and transport.
Europe is looking at the technology for civil drones as a business and economic opportunity that could bring operational advantages and job creation. The sector in the next 10 years could be worth 10% of the aviation market – that’s €15 billion per year.
“If ever there was a right time to do this, and to do this at a European level, it is now. Because remotely piloted aircraft, almost by definition, are going to cross borders and the industry is still in its infancy. We have an opportunity now to make a single set of rules that everyone can work with, just like we do for larger aircraft.”
The new standards requested by the European Commission will cover the following areas:
Strict EU wide rules on safety authorisations.
Tough controls on privacy and data protection.
Controls to ensure security.
A clear framework for liability and insurance.
Streamlining R&D and supporting new industry.
Privacy concerns, drones as a spyware tool
It is not difficult to imagine how to use drones for cyber espionage. These vehicles are very flexible and could be used to control targets remotely, but one of most interesting uses could be the usage of UAVs to interfere with target communications.
A couple of months ago, researchers at the London-based Sensepoint security firm designed a software that, once deployed on a drone, allow the vehicle to steal data from mobile devices surrounding it.
The potentialities of such applications are infinite. Imagine a victim walking around looking for an open Wi-Fi network while a UAV is flying over his head. The attacker is able to steal data from the victim’s handset.
The application, called Snoopy, runs on drones and looks for a smartphone signal while it is searching for a Wi-Fi network. The software is designed to trick a victim’s mobile device into thinking it’s connecting to a trusted access point to access data from the handset once attached.
Figure – Drone
Snoopy could be used by attackers to steal a victim’s data, including user credentials, credit card numbers and location data. The researchers at Sensepoint successfully demonstrated the ability of the Snoopy application to steal Amazon, PayPal, and Yahoo credentials from random citizens while the drone was flying over their heads in the streets of London.
The unique possibility that potential victims have to protect their data is to turn off any automatic connection process, including the Wi-Fi network-finding feature.
EU secret surveillance drone project
A document recently issued by rights group Statewatch, titled “Eurodrones Inc.”, reports that the EU is secretly investing into surveillance drone projects without knowledge of citizens.
“More than 315 million euro ($430 million) has so far been spent in EU research funding on drone technology or drones geared towards a specific purpose such as policing or border control,” states the report.
According the report, the EU is secretly promoting “the further militarization” of the region with a series of research funding “invisible” to the people and parliaments of Europe. The report claims the total lack of proper political oversight. It seems that many projects were financed with investments on the EU legislation on air traffic control for this year.
“The EU’s emerging drone policy has come about following years of successful lobbying by defense and security companies and their associates,” said co-author of the report Chris Jones in a statement on Statewatch’s website.
The projects referred to in the document would engage in civilian surveillance activities, such as border patrols, and the possible use of drones in the fight against illicit activities. The Statewatch group is mainly concerned by the secret nature of the program that could hide further purposes in the development of drone program, like a “further militarization” of the European Union.
The report also highlights that none of the civil organizations, including the European Group on Ethics, the LIBE Committee of the European Parliament or the European Agency for Fundamental Rights and Data Protection Supervisor, were involved in a public debate on the issue.
“Yet none of these bodies have been involved … Their absence from policy debates means that many of the conversations the EU should be having about drones – such as what they should and should not be used for, and how to prevent further militarization and the deployment of fully autonomous weaponized drones – have been all but ignored,” is reported in the document.
It’s important to highlight that the authors of the report are not averse to the use of drones in the research into a new generation of unmanned aerial vehicles, but they do stress the fact that the current investments are covert to the EU population for “the interests of the big defense contractors.”
The group is very concerned for civil liberties. The uncontrolled development of drones for civil use could lead to “unwarranted state surveillance and repression”.
The fear of sabotage
Civil drones could be abused not only for surveillance purposes, they could be hijacked or destroyed by attackers, causing the interruption of the service they provide. Drones can obviously be killed, but one of most fascinating concerns is related to the possibility that they can be hacked.
In the last months security expert Samy Kamkar designed a software dubbed SkyJack to allow an attacker to gain control over a drone while it’s still flying.
Kamkar published the details on his website, the researcher defined SkyJack as the “Zombie drone”, and the software runs on a Parrot AR.Drone 2 and is able to scan for wireless signals of other UAVs in the vicinity.
The choice of this specific drone is not casual, it has been estimated that 500,000 Parrot drones were placed on the market since 2010. Theoretically anyone can create its own UAV to hunt down other drones and control them.
SkyJack was presented in the same period Amazon announced its intention to use drones for shipping its products and Kamkar referred to the critical aspect of security for civil usage of UAVs.
“How fun would it be to take over drones, carrying Amazon packages… or take over any other drones and make them my little zombie drones … Awesome.” Kamkar asked rhetorically in his blog post.
Kamkar also published a video, Proof of Concept, on YouTube: (http://www.youtube.com/watch?feature=player_embedded&v=EHKV01YQX_w )
Figure – Video Proof of Concept Skyjack
To demonstrate how SkyJack works when it finds other drones nearby, Zombie drone interferes with the target drone’s wireless connection in attempt to disconnect it from its control center. Once it has disconnected the targeted drone from the base station, Zombie drone takes the operator’s place, gaining full control of the victim UAV.
As explained by Kamkar in his post, SkyJack uses a radio-controlled Parrot AR.Drone quadcopter equipped with a Raspberry Pi circuit board, a small battery, and two wireless transmitters.
The Zombie drones run a custom software designed by the hacker and also off-the-shelf applications that are used to scan wireless connections of nearby UAVs. SkyJack analyzed the media access control (MAC) addresses of all Wi-Fi devices within its radio range. Once he detected a MAC address belonging to a block of addresses used by Parrot AR.Drone vehicles, he exploited the open-source Aircrack-ng app for Wi-Fi hacking to issue a command that disconnects the target UAV from the mobile handset currently being used to control and monitor it. Now the attacker is able to gain control of the drone.
“Using a Parrot AR.Drone 2, a Raspberry Pi, a USB battery, an Alfa AWUS036H wireless transmitter, aircrack-ng, node-ar-drone, node.js, and my SkyJack software, I developed a drone that flies around, seeks the wireless signal of any other drone in the area, forcefully disconnects the wireless connection of the true owner of the target drone, then authenticates with the target drone pretending to be its owner, then feeds commands to it and all other possessed zombie drones at my will,” said KamKar.
Figure – Parrot drone
Another interesting attack scenario hypothesized by Kamkar is include a version of SkyJack that runs on grounded Linux machines that is able to hack drones within radio range without need of any drone.
“SkyJack also works when grounded as well, no drone is necessary on your end for it to work. You can simply run it from your own Linux machine/Raspberry Pi/laptop/etc and jack drones straight out of the sky.”
At the moment, SkyJack is designed only to attack a small range of drones having their MACs fall inside an address block reserved by Parrot AR.Drone vehicles, but it could be easily adapted to target other families of drones.
Preventing this kind of attack is not difficult. In this specific case, it is possible to use a secret key to provide mutual authentication between the controller and the drone, and using the key each command message sent could be enciphered.
The athlete injured by “hacked” camera drone
A few weeks ago, a drone operated by a film company crashed onto the course of an Australian triathlon, injuring one athlete, Raji Ogden. The operator reported that suddenly he lost control of the vehicles because someone deliberately jammed his wireless control link.
The operator of the drone, Warren Abrams of New Era Photography and Film, reported that an attacker using a “channel hop” attack succeeded to gain complete control of the drone. He also referred to having suffered other anomalies in the drone control in the same day.
The above incident is the result of a typical attack against the communication link of the drone. Wi-Fi Jamming is a possible attack that could cause the loss of control of the aerial vehicle with serious consequences for nearby people.
The concerning aspect of such attacks is that they can be carried out with off-shelf products. In some cases, just a simple mobile is enough if the drone was operating on an unsecured Wi-Fi network.
Flying drones can be easily crashed using cheap tools available on the market. An attacker could use them to interfere with UAVs. These tools include GPS jammers and do-it-yourself high energy radio frequency guns that could be used to destroy the communication link with the drone, and in the best case, to force the secure landing of the vehicles.
New Zealand security researcher Stuart MacIntosh told delegates at the Kiwicon 7 conference in Wellington last year that some vulnerable drone technology designed in the hobby space had trickled down into use by police and commercial operators.
“It meant a variety of drones were open to attacks that could destabilise or crash the aircraft.”
“You can walk all over [the Parrot AR Drone] with frequency-hopping spread spectrum … you can fly a radio plane near an AR drone and it will very quickly get packet loss… A lot of these UAVs (unmanned aerial vehicles) were not really designed with security in mind apart from some that may be destined for law enforcement use or military use … You can build your own [GPS] jammer or buy one off eBay for $100 with free shipping,” said MacIntosh.
One of principal problems in the approach to cyber security for civil drones is the great confusion in emerging government regulation. The terms “drone” and “unmanned aircraft system” (UAS) are often confused and are used in imprecise ways. The FAA, for example, use the term “UAS” to refer both armed military aircraft and toys including model aircraft. The FAA agency has made little distinction between possible uses of uses UAS and the categories of users authorized to deploy “drones” for their activities. Actual trends seem to suggest that any commercial activity is considered illegal.
“In response to this growing demand for public use unmanned aircraft operations, the FAA developed guidance in a Memorandum titled “Unmanned Aircraft Systems Operations in the U.S. National Airspace System – Interim Operational Approval Guidance” (UAS Policy 05-01). In this document, the FAA set out guidance for public use of unmanned aircraft by defining a process for evaluating applications for Certificate(s) of Waiver or Authorization (COA’s) for unmanned aircraft to operate in the National Airspace System. The concern was not only that unmanned aircraft operations might interfere with 3 commercial and general aviation aircraft operations, but that they could also pose a safety problem for other airborne vehicles, and persons or property on the ground.” (PDF)
The various attack scenarios against civil drones described in this paper highlight the importance of cyber security for these complex vehicles. Foreign governments and cyber terrorists could exploit the technology to hit a country and its infrastructure. It is necessary to set a maximum level of alert for UAV manufacturers. In the next years these technologies will be largely used for different purposes. UAVs will crowd the sky and security must be the first requirement to ensure safety and privacy of the population. It is a hard challenge to face with cyber threats growing ever more complex, that’s why it is absolutely a joint effort of manufacturers, industry, and security firms, government, private companies and of course of the common people to be aware of abilities and risks of the technology.