I presented a talk on UAVs, IoT, and Cybersecurity at the LISA conference in Boston on December 7th, 2016. The abstract for the talk was:
“Small Unmanned Aerial Systems (sUAS) aka “drones” are all the rage—$500 UAVs are used in professional racing leagues and major corporations are building $100,000 UAVs to deliver packages and Internet connectivity. UAVs are slowly working their way into almost every commercial sector via operations, sales, manufacturing, or design.
sUAS—emphasis on the final “S”—are complex systems. The aerial platform alone often consists of a radio link, an autopilot, a photography sub-system, a GPS, and multiple other sensors. Each one of these components represents a cybersecurity risk unto itself and also when part of the larger system. Add in the ground control stations, the radio controller, and the video downlink system and you have a very complex computing environment running a variety of commercial, closed source, open source, and home brew software.
And yes, there is already malware specifically targeting drones.
During this presentation, we will walk through a typical operational workflow for a UAV, all of the components of a representative system, and through a possible risk assessment model for UAVs. Even if you are not working with UAVs, you should consider that UAVs are an instance of “the Internet of Things”—a collection of sensors and computing devices connected to each other and to the cloud designed to gather, distribute, and analyze data in a semi- or fully-autonomous manner.”
The slides may be found here: https://www.usenix.org/conference/lisa16/conference-program/presentation/kovar
Rowland Johnson developed an excellent Java tool, DatCon, for analyzing DJI Phantom 3 log files. I arranged to have it ported to Python because I am far more adept with Python and wanted something that I could extend to support newer file formats and potentially other UAVs.
The result can be found here:
It is my hope that others will build on this, adding support for other DJI products as well as adding visualization capabilities.
Feedback, suggestions, etc. are always welcome.
The DOI (Department of the Interior) agrees to buy UAVs from 3DR, a U.S. firm. No similar announcement from DJI, lending credence to my earlier reporting (here and here) on an apparent decision not to buy DJI products, possibly due to cyber security concerns.
On Friday I wrote a post entitled “Dept. of Interior Bans use of DJI products due to national security concerns.” DOI did not ban anything, but it is clear that a) DJI can collect sensitive information and b) it is reasonable to assume that the DOI is unlikely to buy any products that have the ability to send telemetry about its sensitive sites to servers in China.
DJI has completely legitimate reasons for wanting to collect telemetry information from as many of its products as possible for sales, marketing, and most importantly, product support and development reasons. I agree with and support this desire.
Lest you think that DJI does not collect such data, the following is from a DJI legal document that a user must sign to unlock geofences:
“The Recipient further understands and agrees that his data including, but not limited to, flight telemetry data and operation records could be uploaded to and maintained on a DJI-designated server under certain circumstances.”
Can we agree that DJI would not include such language if they didn’t have the ability to collect the data?
“When you choose to self-authorize or “unlock” flight operations on DJI hardware control applications (including DJI Go (the “DJI Go App”)) in locations that are categorized by DJI’s Geospatial Environment Online system as raising safety or security issues, we collect and retain geolocation information relating to your decision.”
The two documents appear to be out of sync on what is, or may be, collected. I think it is time for some forensic analysis.
As I mentioned in the earlier post, DJI could add an “opt in” mechanism as many other products do and also fully document what is collected and when. Relatively easy to do, and would set a very good example.
DOE and corporate
DOE, and private companies, have completely legitimate reasons for not wanting telemetry information, particularly around sensitive areas, sent to servers in China owned by a Chinese corporation. China, like many other countries, uses commercial data as part of its intelligence programs. Why hand them such data on a platter?
A partially redacted email message appeared on Twitter supposedly refuting the email message from Dennis Bosak SSA. Here is that message:
So, “banned” was not the correct word. DOI does not ban products.
Please note: in a letter specifically addressing my original post, the author ignores the two most important issues: do DJI products collect and send telemetry to China, and is the DOI concerned about the cyber security implications of such practices? The author is strangely silent on these points.
I think it is safe to assume that DOI will not buy products that send potentially sensitive data to servers in China.
If DJI wants to sell to DOI, and other government agencies, they will need to address this issue. Further, they must address this issue for everyone because commercial users certainly would prefer that information about their sensitive sites isn’t shared with potential competitors and intelligence agencies.
DOI didn’t ban DJI products. DJI does have the ability to collect information you might not want to share with them or with intelligence services. This is not unique to DJI by any means, and many other firms face similar challenges. Addressing them in the design phase is more expensive up front, but in the long run it saves money on development, legal, PR, and sales. Bake security into the products; don’t bolt it on later when you have an issue.
In this case, if you want to collect sensitive information, do so via in country servers with appropriate legal protection for the owners of the data. And don’t argue semantics while avoiding the tough questions about cyber security.
For some additional thoughtful insight, I refer you to Christopher Korody’s reporting on the matter. His work is very much worth reading, not only in this specific instance but on UAV matters over many years.
The quoted post, below, appeared on the Facebook group “Commercial sUAS Operators” on July 7th. It was taken down very rapidly and no further discussion on the topic appeared. I spoke with Dennis Bosak SSA this morning and he confirmed the statement as written. Any further details must be requested in writing.
Another story is circulating that the DOI has either retracted the ban or that it was never in place. However, no copy of that memo can be made available, and Mr. Bosak stood by his statement as of 0730 this morning.
To summarize, the Department of the Interior is banning any internal use of DJI products due to concerns about the products’ automatic uploading of telemetry and other information to DJI servers during firmware updates.
Last year I developed a presentation on cyber security and consumer/commercial UAVs. In that presentation I noted that we are self-selecting areas of interest – test crops, critical infrastructure, disaster sites, … – and sending highly detailed information about these sites to often poorly understood cloud infrastructure.
Apparently, according to this post, the Department of the Interior has also identified this risk. Worse, it appears that DJI products are automatically sending sensitive telemetry information to their own servers. As the following announcement notes, DJI is a Chinese firm and some conclusions must be considered.
Many applications collect profile and debugging information for legitimate purposes. Most of those applications give the user an opt-in option. DJI could quickly defuse this situation by releasing an update that provides this option while also demonstrating that all such communication has been terminated. Regaining the trust of their clients, and of the U.S. Government, may be more difficult.
DJI is just one vendor. There are many others: hardware, software, and service. What are these vendors doing with the data you are collecting about your potentially sensitive sites?
OAM – Office of Acquisition Management
DOI – Department of the Interior
OAM had a telecom this morning with the aviation manager at DOI.
During that conversation we learned that they have banned the use of DJI products (which include the popular Phantom and Inspire aircraft) as they discovered that their products record telemetry information, to include routes flown, altitudes, etc., and send that recorded information to DJI each time the aircraft is plugged into a computer to perform a software/firmware update. As DJI is a Chinese company the security issue is readily apparent.
OAM highly recommends that, before choosing any particular aircraft, from any manufacturer, especially those that might be used for sensitive purposes, your technical people fully understand what information may be transmitted, to whom it might be transmitted, and whether it matters to your program.
Please distribute this information as widely as possible.
Dennis Bosak SSA
Department of the Interior
Office of Law Enforcement and Security
1849 C Street NW
Washington DC 20240
Working with Greg Dominguez and Cindy Murphy, we updated my UAV Forensics presentation from last year to address the Phantom P3, its additional data sources, some new tools for analyzing data, and our first pass at JTAG analysis.
Greg and I gave the presentation at Techno Security in June and a PDF version is attached here: UAV Forensics -TS16-final distribution