I love the idea of unmanned aerial vehicles (UAVs) or drones. They can be much safer than having a human on board in some situations (e.g. military combat). They are generally smaller than manned aircraft so they can be harder to detect. They are generally more fuel efficient. Also, as a kid I wanted a remote controlled helicopter so I could fly it around the neighborhood. I never got one I could use outside, but I still wanted one. Today the military and civilians use them and private individuals and companies want to. The laws here in the US vary, though, and even some law-enforcement agencies can’t get permission to fly them. Hobbyists have been having fun with them, though, especially since the advent of the quadcopter, and example of which is in the picture.
The issue I’d like to address today from a cybersecurity standpoint is confidentiality. Let’s consider privacy first. Perhaps a bad guy could fly a drone next to an office building and peek into the windows. Most buildings are insulated enough, and most drones are quiet enough that such an observer might go undetected for some time. With a little effort, perhaps the drone could use a laser to sense glass vibration and listen in on meetings or other conversations. That wouldn’t even require the drone to be close to the building. It might even be able to fly to someplace nearby, listen in and then relay the detected audio back to an observer. This isn’t rocket science.
Another option would be for the drone to eavesdrop on wireless network signals from a building. Again the drone could land virtually anywhere and if it were well designed it could be very hard to detect.
Well-insulated windows often prevent the laser sound sensor from working, and many buildings have conference rooms without windows to prevent just such eavesdropping. Well encrypted Wi-Fi is important, too, and I’ve discussed that before. There are other countermeasures, too, but many businesses don’t see such confidentiality issues as a real threat. I think it is time to do so.
Then there is the actual communication with the UAV. Drones need to be “flown” (at least most do), and they generally provide real-time data of some kind – audio or video, say. That communication with the drone needs to be encrypted. Absent that, bad actors could compromise the drone control. They could compromise the actual flight controls, or the GPS navigation, for instance. They could also intercept the video or audio streams from the drone.
There are two important points here: first, every organization needs to consider confidentiality, and second, communication confidentiality generally requires encryption. Neither of these is specific to UAVs – they just provide a vehicle (pun intended) to compromise confidentiality, and to do so more easily.
Interception and confidentiality play a big part in Learning Tree Course 468, System and Network Security Introduction. There is a lot more to it than just drones, video, and audio. I hope you get the opportunity to take 468 and to think critically about confidentiality.
[Creative Commons license at https://creativecommons.org/licenses/by/2.0/legalcode]