Drones are becoming ubiquitous. They are sold as toys, used in industry, and deployed as weapons of war, so a drone co-opted by a threat actor could result in severe damage, disruption of services, or data theft.
In response, CISA and the FBI released a notification and guidance on Chinese-manufactured unmanned aircraft systems (UAS), also known as drones, that could have vulnerabilities enabling data theft or facilitating network compromises.
The People’s Republic of China (PRC) also recognized this possibility, so back in 2015 it passed data privacy laws and regulations that require companies operating in China, including state intelligence services, to disclose any known vulnerabilities to the government before the service or device is released to the general public. However, this disclosure was only to be made to the PRC, and herein lies the problem.
This regulation applies to Chinese-owned UAS companies such as Shenzhen DJI, High Great, Shenyang Aircraft Company, and Shenzhen Damoda, and essentially gives the PRC access to any data stored on these devices. This may also include complete, unlimited access to customer data, including possibly sensitive recorded video and flight data (date, time, latitude and longitude, flight duration, pilot-in-command information, and more).
“The PRC’s collection of sensitive information and potential network access obtained from Chinese-manufactured UAS may result in significant consequences to critical infrastructure security and resilience,” the CISA document said, adding, “Acquisition of such data or network access has the potential to advance the PRC’s strategic objectives and negatively affect U.S. economic and national security.”
This can include:
As demand for commercial UAS has grown, so have the requirements. In just the past 10 years, improvements in batteries, drone design, speed, distance, flight duration, and useful load have made UAS much more viable in the field.
This makes the UAS a practical platform for operations such as oil/gas pipeline patrols, agriculture, public safety, environmental protection, entertainment, building inspections, search and rescue, or even shipping of goods in and around cities and neighborhoods.
However, there are now legitimate safety concerns regarding commercial and hobby use of UAS that are developed and manufactured in China. It was discovered that data from some drones is not encrypted and that the software contains serious vulnerabilities that could allow bad actors to capture flight data, stream your video live, and take flight control of the UAS.
Much like many Industrial Internet of Things (IIoT) devices, some UAS platforms have ‘built-in’ vulnerabilities that may never be patched, allowing bad actors access to the platform when the UAS is in flight. The consequences of these vulnerabilities can be serious, ranging from jeopardizing a mission to a kinetic attack leading to possible loss of life.
Cybersecurity diligence must be exercised when operating a UAS.
CISA recommends a mitigation plan that includes:
Not taking proper precautions may lead to possible FAA, NTSB, and legal consequences. Trustwave’s (AMS CPS) can assist with developing the following:
As drone usage expands, it's imperative that organizations implement robust cybersecurity measures, including those outlined by CISA, to mitigate these risks and protect critical infrastructure. Ultimately, the future of drone technology hinges on addressing these security challenges and fostering trust in the supply chain.