Unmanned Aerial Vehicles, or UAVs (aka “drones”), are evolving – and fast. Just within the last five years, drones have morphed from stealthy and secretive military gear used for hunting down terrorists in the hills of Afghanistan and Yemen, to widely available consumer technology.
The “consumerization” of UAV technology has created a lot of opportunities for Cool! – like this video of a UAV flying over (and almost into) Niagara Falls. But it has also led to some problems. In March, a UAV “quadcopter” came within a couple hundred feet of striking an Alitalia flight trying to land at JFK Airport in New York. More concerning: the FAA is set to license tens of thousands of drones for use over the U.S., many by law enforcement or private security firms. That has prompted warnings about a huge breach of privacy for U.S. citizens.
But one security researcher warns that snooping drones are only part of the problem. The rapid growth of the drone market is taking place without proper consideration of information security, leaving the powerful devices subject to hacking and, potentially, compromise and data loss.
Speaking at The Security B-Sides event in Boston, Andrew Clare, a doctoral candidate at MIT’s Humans and Automation Lab (HAL), told an audience of security experts that the same economic pressures that drive UAV adoption will hinder the security of UAVs themselves.
Clare said that UAVs are already being adopted aggressively outside of the U.S. Applications include UAVs that perform crop dusting in Japan, anti-poaching patrols in India and Nepal and searching for oil in Norway.
Those applications have been limited in the U.S. because of a confusing regulatory environment. For drones, the FAA sets the rules. But for automated vehicles, control is shared between Federal and state regulators, most of whom have not addressed the question of autonomous vehicles.
Still, the U.S. is the center for UAV research and development and the coming years will see many more civilian applications of drone technology in the U.S., Clare said. That will likely start with uses in agriculture, law enforcement and even retail. In the 10 to 20 year timeframe, unmanned vehicles may be performing cargo delivery or even ferrying passengers from coast to coast on unpiloted aircraft.
Still, the security implications of those uses are unclear, Clare said. Hardware sensors and software in current generation UAVs are prone to attacks, including GPS spoofing. There are few incentives for manufacturers to pour resources into hardening the devices.
In the long term, organizations may even need to consider UAVs and other unmanned vehicles as possible attack vectors on more traditional targets, such as networks and endpoints, Clare said.
The military is already looking into ways to secure drones from cyber attack, following a string of embarrassing compromises, including the capture of (unencrypted) drone communications by Taliban militants and a malware infection that hit the command and control center for the U.S. Army’s Predator and Reaper drones.