At AirMap, we are helping make drones a part of everyday life to unlock the limitless potential for unmanned aircraft in our world. In doing so, we go to great lengths to ensure the security of the drone ecosystem.
The industry has seen several drone attacks and demonstrations of drone hacking in recent years, including taking over control of a commercial drone, intercepting the video feed of a military UAV, and spoofing GPS navigation. Drone security failures like these could cause leakage of personal or private information. Drones could also be used to facilitate attacks on critical systems, both in the cyber realm and the physical realm, creating a potential risk to public safety.
Attacks of this type are avoidable, however. Drones can be made resilient to attacks when architected from the start with the right security in place.
To approach UAS technology with security in mind, we have to understand the full range of attack vectors (the paths or means by which an attacker can cause a malicious outcome) and the cybersecurity best practices for drone manufacturers and developers.
Let’s review the basic architecture of a drone. There are many unique varieties of drones, but most have these core components:
- Main processor: control and sensor processing.
- Flight control firmware: code run by the main processor.
- Sensors: navigation and flight control inputs such as GPS, magnetometer, and airspeed/altimeter.
- Command and Control (C2) data link radio: wireless communication to the ground control station, such as WiFi, Bluetooth, a proprietary link, or some combination.
- Power system: powering the drone.
- Ground Control Station: wireless control of the drone, such as a smartphone and remote control.
This list isn’t complete, but it’s a good place to start. For now we will ignore additional features like video feeds, an Internet-enabled ground control station, etc., all of which could create additional vulnerabilities and should be analyzed for and protected against potential threats.
Attack vectors include direct physical access and remote access to either the drone or the ground control station.
Direct physical access attacks on a drone and on the ground control station can be difficult to defend against, as anti-tamper technology can be expensive. Moreover, with direct access to the hardware, attackers can more easily deny, degrade, destroy, disrupt, and deceive. An attacker can break hardware/mechanical components, upload bad firmware/software, modify sensors, or steal encryption keys, if any are used.
Remote access attacks are often more scalable than physical attacks and, therefore, tend to be more common. These remote attacks on a drone’s basic core components include:
- Sensor spoofing: falsify sensor report data (e.g. GPS sensor reports false location)
- Sensor jamming: disable ability to report data (e.g. not allowing GPS sensor to get a location fix by jamming the RF frequency)
- C2 data link radio spoofing: sending a signal that appears to be from the drone or from the ground control station
- C2 data link radio jamming: radio is unable to receive communication
- C2 data link radio interception: the radio signal messages are able to be read by unauthorized parties
- C2 data link radio attack on the flight control firmware: sending malformed data to the radio in order to take advantage of a firmware vulnerability
- C2 data link radio attack on ground control station software: sending malformed data to the radio in order to take advantage of a software vulnerability
Security Best Practices
When securing against attacks, a layered defense strategy works best. The UAS industry will be well-served by multiple robust security practices in place to counter potential vulnerabilities.
While physical access attacks are difficult to defend against, there are some best practices worth observing. Having sensors onboard to monitor system health can alert an operator to unusual activity; removing any Universal Asynchronous Receiver/Transmitter (UART) or debug ports can make it more difficult for an attacker to tamper with drone internals; and having signed firmware/software updates and checking the signatures mitigates against the attacker uploading her own firmware/software. Ultimately, the drone owner should always exercise care in ensuring the UAS does not get into the wrong hands.
Security best practices for mitigating against remote access attack vectors on drones are:
- Sensor spoofing: The biggest concern is with navigation sensors. For most drones, GPS is used for navigation (with potential augmentation from additional sensors). Civil GPS (i.e., the type of GPS that is used by phones, cars, and running watches – different from the type used by military) is relatively easy to spoof, and has no mitigations in place. There are anti-spoof algorithms that can help with navigation system integrity. The Institute of Navigation is a great resource to learn more about these algorithms. In addition, selecting directional antennas that face toward the sky can help mitigate spoofing attacks because they won’t easily be affected by ground-based attacks.
- Sensor jamming: Jamming is a harder problem to solve than spoofing. As with mitigating spoofing, antenna selection and orientation can help mitigate jamming attacks. A high enough power signal from an attacker can easily drown out a legitimate signal. Drones need a fail-safe mode that allows them to safely navigate back home on their own or take other action to minimize risks following the loss of reliable location information.
- C2 data link radio spoofing: In order to mitigate the risk of radio spoofing, mutual authentication is important. This ensures that the correct drone is communicating with the correct ground control station. There are a number of ways that this can be implemented: one solution that will have long term viability and is already widely accepted is using Public Key Infrastructure (PKI) certificates from a trusted Certificate Authority for authentication – this is what websites use for authentication. This means one private/public key pair will be embedded on the drone and one key pair will be at the ground control station. While the public keys can be stored anywhere, private keys should be stored in a secure keystore – that is, a repository of security certificates. Senders can digitally sign messages with the private keys so that the receivers can verify that the correct party sent them.
- C2 data link radio jamming: Like sensor jamming, radio jamming (i.e., blocking communication of the drone/ground control station) is difficult to mitigate against. Implementing resilience measures and fail-safe mechanisms can help mitigate the risks.
- C2 data link radio interception: To mitigate the risk of radio interception, encryption should be used on the radio link. This will ensure that the communication between the drone and the ground control station is private. PKI private/public keys that are used for mutual authentication to mitigate radio spoofing can also be used for encryption using asymmetric cryptography.
- C2 data link radio attack on the flight control firmware: Following best software assurance practices and embedding them within the Software Development Lifecycle (SDLC) will help mitigate the risk of software vulnerabilities within flight control firmware. Microsoft’s Security Development Lifecycle (SDL) is an excellent framework that could be followed.
- C2 data link radio attack on ground control station software: Similar to using the SDL on the firmware, this framework will also help prevent vulnerabilities that will lead to successful attacks on the ground control station software.
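The mutual authentication described in the C2 data link radio spoofing item above, as an added example that is not AirMap's code: each end holds its own Ed25519 private key and the pinned public key of its one peer, and verifies every frame before acting on it. The `Frame` layout, the sequence-number replay check and the direct key pinning (in place of CA-issued certificates) are assumptions that go beyond the text.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is a hypothetical C2 message; Endpoint pins the public key of its one peer.
type Frame struct {
	Seq          uint64
	Payload, Sig []byte
}
type Endpoint struct {
	Priv    ed25519.PrivateKey
	Peer    ed25519.PublicKey
	lastSeq uint64
}

// signedBytes binds sequence number and payload under a single signature.
func signedBytes(seq uint64, p []byte) []byte {
	return append(binary.BigEndian.AppendUint64(nil, seq), p...)
}

// Seal signs a frame with this endpoint's own private key.
func (e *Endpoint) Seal(seq uint64, p []byte) Frame {
	return Frame{seq, p, ed25519.Sign(e.Priv, signedBytes(seq, p))}
}

// Accept verifies the peer's signature first, then rejects replayed sequence numbers.
func (e *Endpoint) Accept(f Frame) error {
	if !ed25519.Verify(e.Peer, signedBytes(f.Seq, f.Payload), f.Sig) {
		return errors.New("bad signature")
	}
	if f.Seq <= e.lastSeq {
		return errors.New("replayed sequence")
	}
	e.lastSeq = f.Seq
	return nil
}

func main() {
	dPub, dPriv, _ := ed25519.GenerateKey(nil) // constructed demo keys
	gPub, gPriv, _ := ed25519.GenerateKey(nil)
	drone, gcs := &Endpoint{Priv: dPriv, Peer: gPub}, &Endpoint{Priv: gPriv, Peer: dPub}
	cmd := gcs.Seal(1, []byte("RETURN_TO_HOME"))
	fmt.Println(drone.Accept(cmd), drone.Accept(cmd)) // <nil> replayed sequence
}
```

A rejected frame never advances `lastSeq`, so a forged frame cannot be used to make the receiver discard later legitimate commands.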
Be sure to allow for modifications of firmware/software as new security algorithms are added and new vulnerabilities are found. Automatic updates of signed firmware/software on the drone and the ground control station create a nimble, adaptive environment well-suited to fast responses to new types of attacks in the future.
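The signature check on firmware updates mentioned here and in the physical-access paragraph, as an added example that is not AirMap's code: the vendor signs the version and image digest, and the device verifies both before flashing. The `Manifest` format, the use of Ed25519 and SHA-256, and the check that refuses a version no newer than the installed one are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update header: version and image digest, signed by the vendor.
type Manifest struct {
	Version uint32
	Digest  [32]byte
	Sig     []byte
}

func (m Manifest) signedBytes() []byte {
	return append(binary.BigEndian.AppendUint32(nil, m.Version), m.Digest[:]...)
}

// Release is the vendor-side step: hash the image and sign version||digest.
func Release(vendor ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(vendor, m.signedBytes())
	return m
}

// Verify is the device-side check, run before any byte of the image is flashed.
func Verify(vendorPub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.Digest {
		return errors.New("image does not match signed digest")
	}
	if m.Version <= installed {
		return errors.New("version not newer than installed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo vendor key
	image := []byte("constructed firmware image v8")
	m := Release(priv, 8, image)
	fmt.Println(Verify(pub, 7, m, image)) // <nil>
	fmt.Println(Verify(pub, 9, m, image)) // version not newer than installed
}
```

Because the version is inside the signed bytes, editing it to get past the downgrade check invalidates the signature.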
Setting a minimum security standard for drones will foster the UAS industry’s development to allow innovation to take flight.