Drones are more important than ever for enterprise companies, which means drone security is now more important too. Edmund Burke was the first person who said, “Those who don’t know history are doomed to repeat it.” Everyone in the security world is well aware of that mantra.
In the late 1990s there was a rash of hacked websites because nobody knew how to secure a website properly. In those days, you could simply put a dot at the end of a Microsoft ASP web page's URL, and the server would hand you the page's source code. Microsoft, Sun, Oracle and others in the industry gradually closed those holes. And, while there are still notable hacks on websites, it's usually because the sites are not running the latest and greatest software. For example, the Experian website was using outdated Struts software, and in other cases people do silly things, like letting interns create passwords.
Over the last decade, we saw similar disruptions on the mobile platform. Hardly a week went by without some major hack that exposed an app on people’s phones. Developers were running so fast to get apps into the marketplace that they paid little or no attention to their app security. Often, it was much more important to get to market quicker than the competition. It was considered irrelevant if your dating preferences, credit card numbers and passwords were exposed. Eventually, enough bad press shifted the focus, and the basic fundamentals of mobile security became common practice.
Which brings us to today and the world of drones and drone security. As an industry, we are very similar to the mobile guys, in that we're all focused on getting to market quicker than the competitors. Consequently, the prevailing attitude is that security is DJI's problem, not ours. So, to help move the conversation forward on drone security, here are five security items you should be thinking about as a drone manufacturer or software developer:
1. Don’t store anything on a phone you can’t afford to lose
Mobile applications are a huge part of the drone experience. They are very often the control center and the gateway to the cloud. Understand that hackers can reverse engineer, decompile or disassemble the code back into something readable. If you put any decryption or cloud keys in your source code, someone is going to find them. It's also really tempting to store user passwords, tokens or other data on the phone to make things easier for the drone pilot. Don't do it. And, while Android and iOS have both developed secure storage, we've heard that promise before: eventually someone successfully hacks it and data is exposed. To learn more, read the OWASP Mobile Top 10.
2. Frida is your frenemy
Back in the day when everyone was hacking mobile apps, they were mostly doing static analysis to reverse engineer the code or look at any saved data. However, there are lots of new tools, such as Frida, which will do dynamic code injection to rip apart any login or permission restrictions that you think are in place. Any username and password information stored in memory is also potentially up for grabs. See frida.re for more information.
3. “I’ve got an S3 bucket and I’m going to use it.”
A huge part of the explosion of the web was due to how easy Amazon made it to create a cloud application. Drone apps obviously generate a lot of video, which seems to be largely stored in Amazon S3 buckets or on Azure. Amazon also has useful command line tools that automate much of the mundane work of uploading, downloading and searching S3 buckets. Man-in-the-middle tools, such as Burp Suite, are very good at sniffing out the keys. Don't store your Amazon keys or any other cloud keys in your mobile app or send them in cleartext across the internet, as they can be used together with these tools to download everyone's videos. The OWASP Cloud Top 10 has this and many other suggestions to help secure your cloud data.
4. It’s the network, dammit
Are you using an encrypted signal for your video and telemetry? Great. But is it the same key for every drone? Can you shell into the drone? Are you using the same password for every drone? It's important to secure your network using unique keys and tokens; otherwise you run the risk of someone else gaining access to the drone's video feed or, potentially, much worse.
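The questions above about unique keys, as an added example that is not from the original article: the Python below (standard library only) provisions a random root key per airframe instead of one fleet-wide secret, derives a per-flight link key from it with HKDF, and authenticates each telemetry frame with an HMAC tag and a sequence number, so a frame from one drone does not verify under another drone's key and a replayed frame is rejected. The serials, the frame layout and the `drone-link-v1` label are made up for this example, and the tag covers integrity only; a real link would also encrypt the video and telemetry payload.

```python
import hashlib
import hmac
import os
import struct


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract a PRK from the input key, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Fleet:
    """Provisioning records for a fleet: one random root key per airframe (constructed example).

    The weak pattern the post asks about is a single key or password baked into every
    unit's firmware. Here each serial gets its own 256-bit root key at provisioning time,
    so compromising one airframe reveals nothing about the others.
    """

    def __init__(self):
        self.root_keys = {}

    def provision(self, serial):
        key = os.urandom(32)
        self.root_keys[serial] = key
        return key


def session_key(root_key, serial, session_nonce):
    """Derive a per-flight link key bound to this airframe and this session nonce."""
    return hkdf_sha256(root_key, salt=session_nonce, info=b"drone-link-v1|" + serial.encode())


TAG_LEN = 16  # truncated HMAC-SHA256 tag on every frame


def seal_frame(key, seq, payload):
    """Telemetry frame = 4-byte sequence number || payload || truncated HMAC tag."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


def open_frame(key, frame, last_seq):
    """Verify a frame; return (seq, payload), or None if the tag is wrong or the frame is a replay."""
    if len(frame) < 4 + TAG_LEN:
        return None
    header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    seq = struct.unpack(">I", header)[0]
    if seq <= last_seq:  # sequence numbers must strictly increase within a session
        return None
    return seq, payload


if __name__ == "__main__":
    fleet = Fleet()
    key_a, key_b = fleet.provision("DRN-0001"), fleet.provision("DRN-0002")
    nonce = os.urandom(16)  # fresh per flight, exchanged in the clear at link setup
    link_a = session_key(key_a, "DRN-0001", nonce)
    link_b = session_key(key_b, "DRN-0002", nonce)
    frame = seal_frame(link_a, 1, b"alt=120m,bat=87%")
    print("own key  :", open_frame(link_a, frame, 0))
    print("other key:", open_frame(link_b, frame, 0))  # None: the key is unique per airframe
    print("replayed :", open_frame(link_a, frame, 1))  # None: sequence number already seen
```

The root key lives only on the airframe and in the fleet's provisioning store; the ground station receives the session key for one flight and nothing that lets it impersonate a different drone, which is the property a shared fleet-wide key can never give you.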
5. Mr. Robot’s school of OSINT
Perhaps the least obvious aspect of drone security is OSINT, or Open Source Intelligence. Don't leave any traces of the developers' names in the mobile app or on the drone. Names can be leveraged for more information about your app on developer sites such as GitHub and Stack Overflow. Developers often love to talk about their cool work and are often easy targets for social engineering. And don't leave any traces of presentations, proposals or contracts on your website or in S3 buckets. Google indexes everything, and the right Google search can be very informative to the wrong people. To start, Google filetype:pdf site:yourdomain.com on your own website. Michael Bazzell's book OSINT Techniques is also a great resource for the advanced user.
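As an added example that is not from the original post, the Python script below is a pre-release check for the leaks covered in items 1, 3 and 5: long-lived cloud keys baked into the app source, cleartext endpoints and manifest settings that would carry tokens or video in the open, and build-machine paths that leak a developer's username. The file names, the regular expressions and the sample sources are constructed for this example, and the AWS key values are the placeholder credentials AWS uses in its own documentation, not real keys. It runs offline on the embedded sample and exits non-zero on any hit, so it can run in CI over the app source or an unpacked build output before a store submission.

```python
import re
import sys
from pathlib import Path

# Leak patterns (constructed for this example; not an exhaustive secret scanner):
#   aws_access_key_id       - long-lived AWS access key ID (AKIA + 16 chars), items 1 and 3
#   aws_secret_key          - a 40-char value assigned to a "secret...key" variable, items 1 and 3
#   cleartext_endpoint      - plain http:// URL that would carry tokens or video unencrypted, item 3
#   android_cleartext_flag  - manifest flag that lets the whole app talk cleartext, item 3
#   developer_home_path     - build-machine home directory, which leaks a developer's username, item 5
CHECKS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(
        r"(?i)secret_?(access_?)?key\s*[:=]\s*[\"'][A-Za-z0-9/+=]{40}[\"']"),
    "cleartext_endpoint": re.compile(r"\bhttp://[A-Za-z0-9.-]+"),
    "android_cleartext_flag": re.compile(r'android:usesCleartextTraffic\s*=\s*"true"'),
    "developer_home_path": re.compile(r"(?:/Users/|/home/|C:\\Users\\)[A-Za-z0-9._-]+"),
}

# Constructed sample of an app tree. The AWS values are the documentation placeholders.
SAMPLE_FILES = {
    "app/src/main/java/com/example/drone/CloudUploader.java": (
        'private static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        'private static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";\n'
        'private static final String TELEMETRY_URL = "http://telemetry.example.com/api/v1";\n'
    ),
    "app/src/main/AndroidManifest.xml": '<application android:usesCleartextTraffic="true">\n',
    "ios/DroneApp/build.log": "compiling /Users/jdoe/projects/droneapp/Flight.swift\n",
    "app/src/main/java/com/example/drone/Api.java": (
        'private static final String API_URL = "https://api.example.com/v1";\n'
    ),
}


def scan_text(path, text):
    """Return (path, line_number, check_label, matched_text) for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CHECKS.items():
            for match in pattern.finditer(line):
                findings.append((path, lineno, label, match.group(0)))
    return findings


def scan_files(files):
    """Scan an in-memory {path: contents} mapping, in the order given."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root):
    """Scan a real directory, e.g. the app source tree or an unpacked build output."""
    files = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            files[str(p)] = p.read_text(errors="replace")
    return scan_files(files)


def redact(label, text):
    """Never echo a credential back into CI logs: keep only a recognisable prefix."""
    return text[:8] + "..." if label.startswith("aws_") else text


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for path, lineno, label, text in hits:
        print(f"{path}:{lineno}: {label}: {redact(label, text)}")
    sys.exit(1 if hits else 0)
```

Run it with a directory argument to scan a real tree; with no argument it scans the embedded sample and reports five findings. The `https://` endpoint in `Api.java` is deliberately there to show the cleartext check does not fire on TLS URLs.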
A last word on drone security
Undoubtedly, we'll have to deal with similar issues with whatever technology platform comes next. It's always this way. In fact, we can be fairly sure there have already been some major ML hacks that we haven't heard about yet. If we work together and adhere to best practices, we can hopefully get to a point where we can put drone security issues in the rear view mirror. Here's hoping that is not too far in the future.