Drones, unmanned aerial vehicles (UAVs), are a tool for commerce, a multi-purpose device for the military, and a new toy for hobbyists.
They can be a few feet in diameter and carry payloads like a small Raspberry Pi computer or a camera. In contrast, they can also have a 20-meter wingspan and carry Hellfire missiles or 500-pound laser-guided bombs.
Mostly, they are free-ranging IoT devices with wireless communications contained in a flying machine smaller than a lawnmower. Thus they are susceptible to all the cyber threats that face the Internet of Things and can be hijacked for unintended purposes.
Types of Drones
The drone market is booming- the technology has improved with excellent maneuverability and built-in cameras – and the price has dropped. The FAA predicts between 1.3 million and 1.7 million hobby drones in the US by 2023.
The fastest-growing market is commercial drones. The best-known examples include Amazon and Domino’s Pizza carrying cargo for deliveries. Regulations have delayed this application since many see drones as a danger, but those regulations may be relaxed over the next few years. A recent US Department of Transportation proposal allows drones to be flown at night and over people without special permissions or waivers, which could open up drone delivery services.
Military drones are also an expanding market. These drones allow an attacker to reach almost any target without risk to personnel. Their use cases are expanding. Drone technology is being developed to expand use from straightforward weapons into sophisticated espionage tools. Numerous third-party organizations are developing drones that can interfere with or tap communications systems, intercept data and self-destruct if captured. The US, Russia, Israel, China, and Iran are the major countries manufacturing weapons-carrying military drones.
Drones also have lesser-known but more specific applications. Camera-mounted drones monitor infrastructure, hard-to-reach parts of ancient monuments, wildfires, or livestock, while specialized sensors can be used for geological surveying.
All these categories of drones carry security risks. Military drones are relatively secure – the rest are subject to hijacking and misuse for sinister purposes like any other IoT device. Those purposes include threats to our privacy, cybersecurity, and even physical safety.
Common Commercial Use Cases and Challenges
Limited payload capacity and flight endurance
Today, drones can only fly for 15 to 30 minutes before having to recharge batteries. While there are drones that can carry payloads up to twenty pounds, five pounds or less is the norm. The inverse relationship between flight endurance and payload weight complicates matters further: increase the payload and get less flight time.
Even in emergencies like gas flares or forest fires, there are frequent interruptions due to batteries running out. Additionally, drones can’t even be considered for more extensive (payload) jobs.
Wibotic, a Seattle-based startup, has developed a system for autonomously charging drones and robots. When a specially-equipped drone touches down on a similarly-equipped landing pad, it is charged wirelessly. Combining wireless charging with a fleet of drones should minimize delays.
Competing solutions persist
Large corporations do not change how they handle mission-critical tasks without learning, testing, and planning. Thus, old methods are often preferred even when drones are the superior solution.
For example, drones enable precision agriculture, but satellite imaging systems and tractor-based sensors can perform similar functions. If a drone detects that a field needs more fertilizer or pesticide, a small plane may still be required to do the spraying.
The industry is focused on developing the ideal traffic management system
The drone industry is putting too much time and effort into a futuristic project: developing a comprehensive solution for managing airspace filled with drones. Because we don’t know when drones will become commonplace enough for such a situation, the traffic management system developed today will have become outdated.
Instead of integrating drones with the national airspace system, keeping unmanned and manned air traffic separate makes more sense. This is the basis of Amazon’s proposed drone airspace model. Today, there isn’t enough drone traffic to justify a highly complex and integrated system.
Alternatively, what’s needed today are simple technical solutions and tools for ensuring that drones don’t pose hazards to crewed aircraft. Planes at 30,000 feet don’t need to know the exact positions and headings of drones flying 300 feet. Still, drone operators must be aware of restricted airspace (such as near airports), temporary flight restrictions (for special events), and any nearby helicopters or small planes. Companies such as AirMap are addressing this need.
Public Concern about safety, security, and privacy
While people approve of law enforcement using drones to track down fleeing suspects, they still think governments might use drones to spy on them. Terrorists using drones to deliver explosives or scout out targets is also a valid concern.
Drones interfering with helicopters during firefighting operations or commercial airplane takeoffs are also common. There should be severe penalties for drone users who endanger crewed aircraft. There are also technical solutions like geofencing to prevent drones from flying where they should not pass.
Naturally, the biggest concern is safety. To develop highly reliable drones that can make soft landings in the rare event of an equipment failure, they need to be used in public spaces so that manufacturers and operators can gain much-needed experience.
Threats to drones
Hijacking
Commercial drones can be hijacked relatively easily. Security expert Jonathan Andersson made a device called Icarus in 2017 that enabled him to tune into drones’ communication frequency. Though the communication channel changed every 11 milliseconds, Icarus waited on one channel and hijacked the device by hacking the drone’s encryption within that time.
Supply chain
Drones are primarily manufactured abroad (in China) or assembled from components manufactured abroad. Thus, there is concern that such devices might contain a hidden backdoor for overseas governments with geopolitical tensions.
Also, today’s hobby drones almost invariably come with a video camera. Hackers could obtain recorded data by hijacking the device and stealing the data. But many drones automatically upload recorded data in real-time for storage in the cloud.
This raises concerns for even innocently obtained images – if a drone pilot accidentally records something sensitive, that data is immediately online and vulnerable to theft if the storage service is improperly secured. The US government is also concerned about the storage of drone data. The US Department of Homeland Security recently issued an alert that Chinese-made drones could be sending flight data back to their manufacturers.
Threats from drone misuse
Breach of Privacy
Drones can record images and audio from places inaccessible to a human eavesdropper. Law enforcement could link them to facial recognition systems and silently monitor pedestrians, crowds, and open-air meetings. Militant activists could use them for mapping out targets. Lastly, voyeurs would have a field day.
When used by the police, drones offer a new level of civil control. But used by civilians, they are almost impossible to police. The civilian data is likely stored in the cloud without the users’ knowledge and adequate security.
2. Cybersecurity Threat
Even personal drones can carry small Raspberry Pi computers. These can be programmed to detect Wi-Fi signals. White hat researchers have used them to test the security of remote critical infrastructure establishments like power stations that cannot be accessed directly from the internet.
They are used legitimately by penetration testers who conduct controlled attack simulations. A research company once tested the cybersecurity of an offshore inaccessible oil rig. A Raspberry Pi was programmed to detect Wi-Fi signals, flown over the oil rig, and the researchers could listen in to the rig’s communications.
If researchers can do this, hackers and nation-states are doing it. The targets do not have to be unattended remote installations either –attacks could be targeted anywhere. And with their growing popularity, the sight of a hobby drone close to offices will probably not raise concerns.
3. Compromise of Physical safety
Accidental harm can result from the legitimate owner losing control, a hacker losing control, or a hardware or software malfunction within the device. Whatever the reason, a drone hitting a human being will cause damage –the bigger the drone, the greater the damage.
Targeted attacks with the intent to harm humans are likely to increase over the next few years. The goal can be personal or ideological. So far, actual damage to humans from hobby drones has mainly been accidental and not too serious. A hobby drone or hijacked commercial drone hasn’t yet been purposely aimed at a specific person. For instance, a fleet of “military” drones targeted Saudi Arabian oil production facilities.
Drones- Compromising Data Security
As commercial drone usage becomes a societal norm, there should be an emphasis on how they affect the cyber field and personal, commercial, and industrial data security.
Security professionals must consider drones when assessing risk and developing operational policies and procedures. Henceforth, security programs should include a drone emergency response plan (DERP), a technical survey and reconnaissance of the airspace, and a drone vulnerability and risk assessment (DVRA).
How does a drone access data? Commercial drones can be fitted with small computing devices called microprocessors which execute spoofing techniques to exploit unsecured devices and networks. A drone’s network system can be exploited as a conduit to the network of the target’s service provider. Local networks are not the only target; these platforms can also attack smart devices through Wi-Fi and Bluetooth connections. A drone can easily follow a target down the street and access its data.
An even more problematic issue concerns data centers, especially cloud computing services. For example, a thermal camera attached to a drone can easily map the inside of a data center from the air using thermal imaging technology. Other potential threats include contraband delivery, corporate espionage, data theft with raspberry or snooping, and airspace conflicts. While flying a drone over private data centers(ex. Amazon) is a violation of Federal Aviation Administration(FAA) rules, it is still not a criminal activity, which can cause legal concerns.
GPS spoofing can be used to thwart malicious drones. It is a technique hackers can use to send false GPS coordinates to the drone’s receiver. As a result, the operator may think that the drone is following the right flying pattern, but it is being steered to a different location. The hacker can crash the drone deliberately or navigate it to the location of their choice to access the data.
This approach is not very practical though. As stated by NASA, one of the FAA’s drone requirements is the ability to navigate in the event of a GPS outage because GPS signals can often be degraded at low altitudes in urban areas—exactly where the highest precision is needed. Thus, GPS spoofing would not work on GPS-denied drones, which can operate even without a GPS system.
Largest Drone Manufacturers Currently
DJI- DJI is the biggest player in the civilian drone market. The company’s drones are renowned for their easy-to-use designs and innovative features. It also pioneered the obstacle avoidance system for consumer drones. DJI currently manufactures drones best suited for aerial photography, industrial applications, recreational purposes, and racing.
Parrot- Parrot is one of the earliest drone manufacturers. It has introduced many new features such as geo-fencing, automatic takeoff and landing, and FPV (first-person view), making it beginner-friendly.
Yuneec- Yuneec is evolving to be the foremost in technology and innovation. It has just been granted patents for designs of uncrewed helicopters in both the United States and Europe. The new line of drones from Yuneec is expected to breach into the military sphere and compete with DJI’s drones in technology and innovation.
Kespry- Kespry manufactures drones explicitly for capturing, viewing, and analyzing aerial imagery and survey data. Their customers include aggregates, mining, construction, and surveying companies.
Autel Robotics- Autel Robotics has been delivering solutions for new aerial exploration through the market-leading quadcopter and camera drone technology. They emphasize transforming complex technology into simple solutions and creating easy-to-use aerial devices for photography /filming and imaging.
Drone Regulations
There are no global drone regulations, as every country makes its own rules.
In India, for example, two types of permits are offered: Student Remote Pilot License and Remote Pilot License. The minimum age to apply for both licenses is 18 years, and the maximum age at which you can obtain a permit is 65 years. Under India’s new drone rules, neither a license nor security clearance is necessary to operate nano(less than 250 gm) and mini drones for non-commercial use. All other drone operations in India require a license, i.e., a Unique Identification Number(UIN) and Unmanned Aircraft Operator Permit(UAOP).
The Civil Aviation Ministry will display an interactive airspace map on its website showing the three zones — green (no permission required), yellow (controlled airspace), and red (flying not permitted). These zones tell drone operators where they can and cannot fly their unmanned aircraft systems.
Online registration for all drones is mandatory on the digital sky platform. The process to deregister drones will also become more straightforward.
The new maximum penalty for drone-related non-conformity is Rs 1,00,000 in India.
Conclusion
Drone development is still in its early phase. They will evolve substantially; law enforcement and society need to be aware of their potential threats. Devices developed for legitimate functions can be misappropriated for sinister reasons.
China is developing a solar-powered drone that will soon be capable of permanent flight. Add to this facial recognition and modern high-powered camera technology, and we have a drone that can fly around indefinitely until it recognizes a pre-defined target. With a small warhead, that wouldn’t require a military-quality drone. The specific target could be located and automatically eliminated. It may sound like science fiction, but it will be possible in the near future.
The biggest single problem is that drones are not sufficiently regulated. No single agency has yet claimed overall authority to deliver the regulation necessary to prevent drones from becoming a severe threat to society.