Don’t let the drones out: A story of cyber welfare to cyber warfare with Dr Vishal Sharma

  • Opinion by Dr Vishal Sharma.

    Dr Sharma is a Senior Lecturer in the School of Electronics, Electrical Engineering and Computer Science (EEECS) at the Queen's University Belfast (QUB) with expertise in cyber defence, network and wireless security and a PhD in drone communications and security. He and his PhD students explore the technical aspects of drone security and investigate the associated laws and policies.

    Introduction to drones – from delivering packages to invading privacy

    Drones, in general, are uncrewed vehicles which operate in 4D space (aerial, terrestrial, and under surface and water).

    Many refer to drones when discussing aerial autonomous vehicles and tie these closely with autonomous planes or radio-controlled copters. Irrespective of the type of drone, the mode of communication remains consistent for aerial and terrestrial drones but varies for underwater ones, as our traditional Radio Frequency signals become insufficient due to high frequency. The mode of communication for drones depends on the deployment type, nature of applications, coverage requirements and payload capacity.

    For example, operating a drone in an area with satellite coverage (such as GPS) is far more efficient than operating in areas with satellite dead zones. In the last decade, aerial drones have become prominent because of the range of applications they provide: building unique supply chains in hard-to-reach areas, entertainment for drone shows, agriculture support, on-demand network formations, land surveys, future flight ecosystems (such as drone taxis), border surveillance and terrain exploration.

    However, the reverse of the applications is increasing at an alarming rate, where these vehicles are used for cross-border infiltration, drug trafficking, prison supplies and breaks, sovereignty and space violations, spying, and infrastructure damage. Considering the use cases, the applications and challenges of drones are not two opposite sides of the coin; instead, these flip the coin, and the same use case can become a challenge to counter. Thus, cyber welfare changes to cyber warfare.

    Recent news around the world

    Focusing on the news from recent conflict zones, it is evident that drones can be built with low-cost hardware and software and can be catastrophic depending on their payload capacity. All these instances create panic when we see a drone around us – there is a high possibility that our excitement can turn into anxiety depending on their use cases. Furthermore, their recent sightings near airports and prisons are not new but have been a pain point for years.

    Ownership and drone forensics

    One bit that we miss in such circumstances is the potential hacks on these vehicles that can result in deadly scenarios where the burden of providing evidence lies on the owners. Such issues can arise irrespective of whether your drones are registered or not. Several examples are available where jamming attacks, de-authentication and spoofing caused drones to fall during light shows. The potential impact of hijacking drones during shows or when operating in a swarm can lead to national-level disasters, and all are based on weak communication models, insecure hardware and software exploits.

    It is to be understood that asking for 100% secure drone usage is a myth, and the focus must be on the robustness and damage control scenarios. Here, anti-drone solutions can come into play, but this side of technology is underdeveloped and would take more serious investigations.

    Capturing a hobbyist drone is quite easy and requires a basic understanding of communications, which are no longer a secret, and writing exploits with available generative AI tools has never been easier. The use of reverse prompts and trick queries can lead to converting secure code into potential exploits that can expose both hardware and software vulnerabilities even before these are identified by the manufacturers or the users.

    Tamper-proof hardware can be helpful to an extent, but this must be complemented by strong authentication features and additional channel support on drones to enhance their capabilities to cause the least damage if a capturing attempt is made. The presence of bad actors cannot be controlled, but using technology which is tested against at least a known set of vulnerabilities is extremely important. Here, the Common Vulnerabilities and Exposures (CVE) database must be tracked when writing software and calibrating drone hardware. Depending on whether one is using drones for commercial or individual use cases, identifying appropriate communication modes and prioritising security should be the primary focus. Additionally, using technology that can support evidence in the event of fateful incidents is of utmost importance.

    Drones being notorious

    Not just drones but any system with air-gapped components is most likely vulnerable to person-in-the-middle, spoofing, and jamming (such as GPS jamming and interference or selective jamming). However, the impact and likelihood of vulnerabilities in drones leading to these attacks are relatively high. For example, consider an attacker operating near drones connected over Wi-Fi. Here, frequency hopping can be used to avoid selective jamming, but channel identification can be used by the attacker with a loop and cause de-authentication at will, which means the legacy vulnerability of Wi-Fi becomes applicable to drones. Thus, the users must explore and identify hardware that can offer dedicated frequency bands to operate drones. There are several off-the-shelf drones that are available for commercial use but rely on FTP with client-server mechanisms to transmit video telemetry unencrypted, which is a recipe for disaster.
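
    One way a ground station could flag the de-authentication abuse described above, as an added example that is not from the article: it counts deauthentication frames per link in a sliding window and records which channels the burst spanned. The frame records, MAC addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

DEAUTH = 0x0C        # 802.11 management subtype 12: deauthentication
WINDOW_MS = 2000     # assumed sliding window
THRESHOLD = 5        # assumed deauth count per link that marks a burst

# Constructed addresses: controller (access point), drone, unrelated phone
CTRL, DRONE, PHONE = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"

# Constructed capture: (time_ms, mgmt_subtype, source, destination, channel)
FRAMES = (
    [(0, 0x08, CTRL, "ff:ff:ff:ff:ff:ff", 6)]          # beacon
    + [(500, DEAUTH, CTRL, PHONE, 6)]                  # lone, ordinary deauth
    + [(10000 + 100 * i, DEAUTH, CTRL, DRONE, 6) for i in range(10)]
    # the link hops to channel 11 and the deauth stream follows it
    + [(12000 + 100 * i, DEAUTH, CTRL, DRONE, 11) for i in range(5)]
)

def detect_deauth_bursts(frames, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return {(source, destination): alert} for links hit by deauth bursts.

    The source is only the address claimed in the frame; deauth frames are
    unauthenticated on legacy Wi-Fi, so it identifies the victim link, not
    the sender.
    """
    recent = defaultdict(deque)          # per-link (time_ms, channel) history
    alerts = {}
    for ts, subtype, src, dst, channel in sorted(frames):
        if subtype != DEAUTH:
            continue
        q = recent[(src, dst)]
        q.append((ts, channel))
        while ts - q[0][0] > window_ms:  # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(
                (src, dst), {"first_seen_ms": q[0][0], "peak": 0, "channels": set()})
            alert["peak"] = max(alert["peak"], len(q))
            # more than one channel here means the burst tracked a channel hop
            alert["channels"].update(c for _, c in q)
    return alerts

if __name__ == "__main__":
    for link, alert in detect_deauth_bursts(FRAMES).items():
        print(link, alert)
```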

    Need of the hour

    It’s not just about the drones; the issue remains at large with governance and policies. The usability of drones comes with the risks posed by their wider out-of-control implications and the onus of accountability in the event of malicious use. Thus, more thoughtful and thoroughly explored guidelines are needed to ensure the safe operations of drones and focus on attaining several practical applications where otherwise sending manned missions is impractical and dangerous.

    It is essential that these policies are driven by expert knowledge and not based on one-dimensional learning of legislation. It is required that drone developers, policymakers, manufacturers and users come together to ensure that the right set of products is utilised and the latest guidelines on their functionality are always followed. One simple example would be to ensure that firmware is kept updated and any new recommendations by the developers and manufacturers are applied at the earliest.

    Taming the pitfall and solutions

    Some critical observations based on the gaps in communications and the associated security of drones are aligned in the dimension of responsible governance, AI security and the need to unify the current threat management system. Using AI for intelligent drone applications raises critical questions about who takes ownership.

    Would that be the algorithm's operator or developer in the event that drone hacks happen? How would you prove that the attack was because of a vulnerability in certain parts of the drone? How would you ensure that the drone’s assembled sensors are not generating over-the-channel data that is uncontrolled and stored in places outside of jurisdiction? This can be general data or the drone’s telemetry.

    To summarise, drones are becoming an inevitable support system in building resilient supply chains in a wide range of activities. We must start looking into their use case with utmost responsibility and invest more into technological guidelines for enhanced safe and secure operations.

    As part of NI Science Festival, Dr Sharma will be delivering a talk and demo on drone security on Friday 21 February in QUB’s Computer Science Building. For more information, or to register to attend, visit: https://nisciencefestival.com/events/dronevirus-what-made-my-drones-go-rogue