No device – whether it is a drone, smartcar, phone, or computer – is 100% secure.
The Federal Trade Commission convened their Fall Technology Series on drones last week. I sat down with Jared Ablon, one of the foremost experts on drone security and my colleague at AirMap. As Chief Information Security Officer, he is charged with ensuring the company, its products, and the drone industry
[This is a condensed version of the interview.]
Q: The drones in the FTC’s demonstration were all under $200. Are all drones vulnerable to these kinds of attacks?
A: Any device is a potential target for an attack, especially devices that send and receive data remotely. This is true for the smartphone in your pocket, the garage door opener in your car, and the laptop in your office. Drones are no different.
Q: Can the operator tell that a drone has been compromised? What happens when a drone is attacked?
A: Not always. It’s just like when someone hacks into a computer: sometimes people know because the attack affects performance, or the hack can be invisible to the user. The scope and severity of an attack can range from gathering data about the drone’s location and video feed to taking complete control of the drone.
Q: What can we do to reduce the risk of attack for drones?
A: A first step is for the industry to begin aligning around some common-sense, specific security standards that will allow drone innovation to take off. This would give us clear baselines for protecting the C2 data link, encrypting data channels, mitigating navigational sensor (such as GPS) attacks, hardening applications, and securing against physical access attacks. Standards alone are not enough; as an industry, we can also start taking security more seriously and develop very specific security controls that mitigate the major types of attacks. It is possible to come up with a short list of security controls that could mitigate the majority of
Q: What creates a culture of security?
A: It is far easier to make security part of company culture early than it is to change culture later on. Making an early security hire, and making that person part of strategy conversations at the executive level, is critical. It ensures that security and business objectives are aligned from the beginning, and it sets expectations for how employees can work securely and how engineers can tackle challenges and innovate to secure solutions.
Members of the public can share their comments regarding drones and cybersecurity directly with the FTC through a public comment process that is open until November 14, 2016.
I was very pleased to find this interview – there is a lot more to it. I ran it by db.c security expert David Kovar who gave it two thumbs up, noting that the one thing that was missing from the discussion was secure software development. Yes, it’s gotten that bad.
As I keep saying over and over again, privacy is a “deal killer” issue for the entire industry. That makes paying attention to cyber security critical. The more complete the integration into the NAS – autonomous, high-altitude, high population density etc. – the bigger an issue C2 security becomes.
If this is a new concept to you, C2 means command and control. The issue here is whether your device will do what you tell it to do, or whether it can be taken over by some sort of evil-doer… From the FAA’s perspective, this is important because it means that the aircraft can be controlled and does not represent a threat to other aircraft.
The traditional aerospace/defense side of the drone business knows this stuff and knows how to manage it. Doing so has direct implications on any number of factors including size, expense, maintenance and power.
Scaled down to the prosumer $1-2K sweet spot, all of this goes away. Yet the need for organizations to secure their mission data will not. This is one of the major challenges ahead. It is good to know the FTC is involved; the FCC is key.