The author hopes to help the reader understand the potential impact of consumer UAVs in the hands of non-state actors as well as the technical and regulatory challenges present in the United States that we face so that they can make informed decisions about public policy choices, investments, and risk.
Our hypothesis is that Western nations are not prepared to defend civilian populations against the use of small UAVs by non-state actors. This can be proved false by:
- Identifying counter-UAV technology that can be deployed to effect a “win” against currently available UAVs that meet the UsUAS definition
- Identifying the regulations that allow the technology to be utilized within the borders of the United States and at sites not covered by “no fly zones”.
- Demonstrating that the solutions are capable of being deployed at sufficient scale to protect all possible targets, not just major events
The defenders are at a classical asymmetric warfare disadvantage – they need a nearly 100% success rate, and if they can demonstrate that success, even better. This is essentially an impossible victory condition to meet. If the scope is limited to critical infrastructure, and if the rules of engagement are adjusted, the odds increase dramatically for the defenders but are still daunting.
Attackers win if they can conduct a single terror attack using a UsUAS against any civilian target, one of thousands of Friday night high school football games for example.
A successful attack need not injure or kill civilians. It may not even make major headlines. It just needs to demonstrate enough capability to generate sufficient public outcry to slow consumer and commercial UAV sales and deployment. Lawmakers already show a great deal of interest in responding to requests for greater regulation and the industry has demonstrated little effective lobbying power to hold off these regulations. A notable hostile use of a consumer UAV could result in regulation that would have significant impact on the civilian industry predicted to be worth $2 billion by 2020.
Full text of my thesis is available here – David Kovar – GMAP 16 – Thesis
 B. I. Intelligence, 2016 Oct. 2, and 092 2, “THE DRONES REPORT: Market Forecasts, Regulatory Barriers, Top Vendors, and Leading Commercial Applications,” Business Insider, accessed February 15, 2017, http://www.businessinsider.com/2016-10-2-uav-or-commercial-drone-market-forecast-2016-9.
I presented a talk on UAVs, IoT, and Cybersecurity at the LISA conference in Boston on December 7th, 2016. The abstract for the talk was:
“Small Unmanned Aerial Systems (sUAS) aka “drones” are all the rage—$500 UAVs are used in professional racing leagues and major corporations are building $100,000 UAVs to deliver packages and Internet connectivity. UAVs are slowly working their way into almost every commercial sector via operations, sales, manufacturing, or design.
sUAS—emphasis on the final “S”—are complex systems. The aerial platform alone often consists of a radio link, an autopilot, a photography sub-system, a GPS, and multiple other sensors. Each one of these components represents a cybersecurity risk unto itself and also when part of the larger system. Add in the ground control stations, the radio controller, and the video downlink system and you have a very complex computing environment running a variety of commercial, closed source, open source, and home brew software.
And yes, there is already malware specifically targeting drones.
During this presentation, we will walk through a typical operational workflow for a UAV, all of the components of a representative system, and through a possible risk assessment model for UAVs. Even if you are not working with UAVs, you should consider that UAVs are an instance of “the Internet of Things”—a collection of sensors and computing devices connected to each other and to the cloud designed to gather, distribute, and analyze data in a semi- or fully-autonomous manner.”
The slides may be found here: https://www.usenix.org/conference/lisa16/conference-program/presentation/kovar
The DOI (Department of the Interior) agrees to buy UAVs from 3DR, a U.S. firm. No similar announcement from DJI, lending credence to my earlier reporting (here and here) on an apparent decision not to buy DJI products, possibly due to cyber security concerns.
The quoted post, below, appeared on the Facebook group “Commercial sUAS Operators” on July 7th. It was taken down very rapidly and no further discussion on the topic appeared. I spoke with Dennis Bosak SSA this morning and he confirmed the statement as written. Any further details must be requested in writing.
Another story is circulating that the DOI has either retracted the ban or it was never in place. However no copy of that memo can be made available and Mr. Bosak stood by his statement as of 0730 this morning.
To summarize, the Department of the Interior is banning any internal use of DJI products due to concerns about the product’s automatic uploading of telemetry and other information to DJI servers during firmware updates.
Last year I developed a presentation on cyber security and consumer/commercial UAVs. In that presentation I noted that we are self selecting areas of interest – test crops, critical infrastructure, disaster sites, … – and sending highly detailed information about these sites to often poorly understood cloud infrastructure.
Apparently, according to this post, the Department of the Interior has also identified this risk. Worse, it appears that DJI products are automatically sending sensitive telemetry information to their own servers. As the following announcement notes, DJI is a Chinese firm and some conclusions must be considered.
Many applications collect profile and debugging information for legitimate purposes. Most of those applications give the user an opt-in option. DJI could quickly defuse this situation by releasing an update that provides this option while also demonstrating that all such communication has been terminated. Regaining the trust of their clients, and of the U.S. Government, may be more difficult.
DJI is just one vendor. There are many others, hardware, software, and service. What are these vendors doing with the data you are collecting about your potentially sensitive sites?
OAM – Office of Acquisition Management
DOI – Department of the Interior
OAM had a telecom this morning with the aviation manager at DOI.
During that conversation we learned that they have banned the use of DJI products (which include the popular Phantom and Inspire aircraft) as they discovered that their products record telemetry information, to include routes flown, altitudes, etc., and send that recorded information to DJI each time the aircraft is plugged into a computer to perform a software/firmware update. As DJI is a Chinese company the security issue is readily apparent.
OAM highly recommends that, before choosing any particular aircraft, from any manufacturer, especially those that might be used for sensitive purposes, that your technical people fully understand what information may be transmitted, to whom it might be transmitted to, and whether it matters to your program.
Please distribute this information as widely as possible.
Dennis Bosak SSA
Department of the Interior
Office of Law Enforcement and Security
1849 C Street NW
Washington DC 20240
Working with Greg Dominguez and Cindy Murphy, we updated my UAV Forensics presentation from last year to address the Phantom P3, it’s additional data sources, some new tools for analyzing data, and our first pass at JTAG analysis.
Greg and I gave the presentation at Techno Security in June and a PDF version is attached here: UAV Forensics -TS16-final distribution
After consulting with a UAV lawyer and an FAA representative, I believe that:
- Public Agencies (PAs) still have to operate under a COA
- PAs can also operate non-Public Agency Operations (PAOs) under Part 107.
See pages 61-68 of the Rule for details
If a PA wishes to examine the roof of the court house for hail damage, a Part 107 operator working for the PA can perform the task.
If a PA wishes to conduct a SAR mission, or fly a UAV in support of fire fighting operations, they need a COA or to contract with a 333 exempt operator with the appropriate COA.