Commercial Drones Will Soon be Everywhere, But How Secure are They?

The spectacular drone-based light shows featured in the opening and closing ceremonies of the 2018 Olympic Winter Games in PyeongChang highlight the rapid advancement taking place in unmanned aviation, particularly in commercial applications like sporting and public entertainment. The event, sponsored by Intel, featured more than 1,200 drones. Illuminated with high-intensity lights and synchronized in swarm formation, they portrayed a collection of images including the Olympic rings and a snowboarder in motion. While these celebrity drones clearly stole the show, other unmanned aerial platforms were also hard at work during the games, including “interceptor drones” equipped with nets that could be deployed to catch rogue devices posing a threat to athletes and audiences. Even before the games, many national teams and individual athletes, especially in events like ski jumping and snowboarding, made use of unmanned aerial photography to analyze and improve their performance.


These applications demonstrate the potential for commercial drone applications and show us that UAVs are here to stay. A whole host of potential uses are coming online, from agricultural and forestry applications to mesh networking, and potentially package delivery, as Amazon has occasionally teased. Airbus is even using drones to improve the safety of conventional aircraft.  By flying a camera-equipped UAV in a pre-programmed pattern around a passenger jet, an image-recognition and machine learning system is able to automatically detect and report cracks, scratches, and other defects, even in adverse weather conditions.

These drones will differ from military UAVs, which have been in development for decades and employ sophisticated electronics and sensing technologies at very high cost, and from hobbyist drones, which have comparatively low costs and limited ranges and offer high customization. Commercial UAV applications that occupy the middle space raise interesting questions for cybersecurity, especially since the security performance of popular drone platforms has been poor in recent years. This is in part because, while commercial drones are subject to many of the same vulnerabilities as military UAVs and manned aircraft, they often follow software and hardware development practices more akin to consumer and hobbyist electronics products than to high-reliability or safety-critical systems. A survey of recent vulnerabilities in drone platforms shows that they are vulnerable to a wide range of attacks.

The simplest, and most effective, of these attacks is often jamming the radio signal itself.  Drones that rely on radio for control surface actuation and telemetry to the operator can quickly become uncontrollable if the signal is lost, especially during a critical phase of flight. Though jamming is illegal in many countries, low-cost jammers for common frequencies such as 802.11, Bluetooth, and GPS are widely available on the internet.  An attacker may not need a jammer if the drone communicates via 802.11 (WiFi).  Sophisticated tools for sniffing, hacking, and hijacking WiFi developed for conventional computer networks can easily be applied against drones.  Additionally, drones may be subject to protocol and data format vulnerabilities such as buffer overflows, remote command injection, or traditional denial-of-service attacks.

Finally, the broad availability of commercial drones will make them much more susceptible to reverse engineering. The overreliance on hobbyist electronic platforms such as Raspberry Pi or Arduino in the development of command-and-control and application software within these drones leaves them potentially subject to zero-day vulnerabilities in the larger software ecosystem.

A number of steps can be taken to harden commercial drones against cyber-attacks. Many of these attacks have already been experienced or anticipated by the avionics industry. Lessons learned from the certified software processes and built-in cybersecurity employed in manned aviation platforms and military UAVs can benefit commercial UAV development. First, drones that use commercial wireless technologies such as 802.11 should employ the most sophisticated cryptographic systems, such as WPA2 with AES, and have safeguards against unauthorized access. Manipulation of the wireless protocols or other settings should be disabled in flight. Commercial embedded operating systems and application software, with full vendor support for security patches, should take the place of hobbyist platforms wherever possible. Finally, flight and safety-critical code such as control or sensor software should utilize secure development practices fundamental to the manned aviation industry. These include design simplicity, modeling of behavior and inputs, testability, and defense-in-depth. These practices will help ensure that our skies remain safe as drones take on an increasing role in the world of commerce.
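
As an added illustration (not code from Performance Software or from any drone vendor), the C sketch below shows what "modeling of inputs" and "settings disabled in flight" can look like in a command handler. The frame layout, opcodes, error codes and the parse_command function are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (an assumption, not a real drone protocol):
 *   byte 0: opcode, byte 1: payload length, bytes 2..: payload */
enum { OP_SET_WAYPOINT = 0x01, OP_RETURN_HOME = 0x02, OP_SET_WIFI_CONFIG = 0x10 };
enum { CMD_OK = 0, CMD_ERR_SHORT = -1, CMD_ERR_LENGTH = -2,
       CMD_ERR_OPCODE = -3, CMD_ERR_LOCKED = -4 };
#define MAX_PAYLOAD 32
struct command { uint8_t opcode; uint8_t len; uint8_t payload[MAX_PAYLOAD]; };

/* Input model: the exact payload size each opcode may carry; -1 = unknown. */
static int expected_len(uint8_t opcode) {
    switch (opcode) {
    case OP_SET_WAYPOINT:    return 12;  /* three 32-bit fields */
    case OP_RETURN_HOME:     return 0;
    case OP_SET_WIFI_CONFIG: return 32;
    default:                 return -1;
    }
}

/* Validate a received frame before any byte of it is copied or acted on. */
int parse_command(const uint8_t *frame, size_t frame_len, int in_flight,
                  struct command *out) {
    if (frame == NULL || out == NULL || frame_len < 2) return CMD_ERR_SHORT;
    int want = expected_len(frame[0]);
    if (want < 0) return CMD_ERR_OPCODE;            /* allow-list of opcodes */
    /* Declared length must match the model AND the bytes actually received. */
    if (frame[1] != want || frame_len != (size_t)want + 2) return CMD_ERR_LENGTH;
    /* Wireless settings may only change on the ground. */
    if (in_flight && frame[0] == OP_SET_WIFI_CONFIG) return CMD_ERR_LOCKED;
    out->opcode = frame[0];
    out->len = (uint8_t)want;
    memcpy(out->payload, frame + 2, (size_t)want);  /* want <= MAX_PAYLOAD */
    return CMD_OK;
}

int main(void) {
    /* Constructed sample frames. */
    uint8_t home[] = { OP_RETURN_HOME, 0 };
    uint8_t lying[] = { OP_SET_WAYPOINT, 200, 1, 2, 3 };  /* length field lies */
    uint8_t wifi[34] = { OP_SET_WIFI_CONFIG, 32 };
    struct command c;
    printf("home=%d lying=%d wifi_air=%d wifi_ground=%d\n",
           parse_command(home, sizeof home, 1, &c), parse_command(lying, sizeof lying, 1, &c),
           parse_command(wifi, sizeof wifi, 1, &c), parse_command(wifi, sizeof wifi, 0, &c));
    return 0;
}
```

The frame whose length field claims 200 bytes is rejected before any copy takes place, and the same Wi-Fi configuration frame that is accepted on the ground is refused while airborne.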

To learn more about Performance Software’s cybersecurity services for drones and safety-critical systems, contact us today.
