Come Spy with Me: Drones and Info-Sec


Unmanned aircraft systems (UASs) or drones, as they are known in common rather than legal parlance, can easily cross physical barriers. As drone use increases, both for commercial applications and for recreational purposes, new challenges are emerging with regard to privacy and information security.

Millions of drones are estimated to have already been sold worldwide; tens of millions are expected to be out there by 2020. As with any easily available new technology, criminals are early innovators, for example getting drugs across borders and mobile phones into prisons; here existing laws are being broken. However, drone operators who wish to remain within the law need to be aware of evolving rules.

The basis for existing UK law lies with the Civil Aviation Authority (CAA) and its Air Navigation Order (ANO) and the European Air Safety Agency (EASA). These bodies have been around for years to regulate commercial aviation as well as dealing with traditional model aircraft. Today they are having to adapt to the rising use and potential of drones.

Section 166 of the ANO (V4.1, republished in 2015) deals with small-UAS. The rules are most lenient for aircraft below 7 kg in weight (heavy enough to cause injury, but not big enough to carry a significant bomb); any heavier and things start to get more restrictive. There is an operating limit of 400 feet above ground level (aviators stick with imperial for altitude) and UAS must be piloted by a human, albeit remotely, with visual line of sight (VLOS), which in practice is about 500 m. So, for all the blather, the concept of delivering goods by drones is not legally practicable, regardless of technological issues, until the rules change to allow beyond-VLOS (BVLOS) operation.

There are two areas where information security issues overlap with the use of drones. First, the drones may be used for industrial espionage or to breach privacy. Second, drone operation may be interfered with, either to change the instructions sent or to intercept the data stored and/or transmitted.

Many current applications are in well-defined airspaces, for example farmers flying over their own fields which are of little interest to anyone else and inspection of infrastructure which, to all but those responsible, are often already no-fly zones designated by the CAA.

Other no-fly zones include the regions around airports and military installations. There can also be temporary no-fly zones, for example during the visit of a dignitary to a given area. It is incumbent on the operator to know about and obey restrictions, but in practice it has been hard to find out the current status.

This is where a newly launched service from a UK start-up called Altitude Angel helps, a kind of air traffic control system for drones. The basic service is free and anyone can go to and check on restrictions. The aim is to help operators be safer, legal pilots. It also allows users to register for alerts about manned aviation activity in an area of interest to them and has plans to add in information about UAS activity.

Altitude Angel provides real time updates to operators and property owners; the service is dynamic and able to react to short-term and long-term changes. More advanced services are chargeable.

It is all well and good for governments and the military, which can get no-fly zones set up. However, today there is nothing to stop someone flying a drone near commercially sensitive sites, nor are there any privacy restrictions per se around gardens etc. Ideas have been mooted about changing the default position, making all residential areas no-fly zones; that would protect privacy but make it harder to use drones for building surveys by builders or estate agents.

There could be a future scenario where new restrictions can be applied for to protect certain locations or, in more controlled circumstances, temporarily lift them. Such dynamic changes would only work in practice if the information is readily available to drone operators via services such as Altitude Angel.

Of course, criminals will just ignore the rules and currently there is little control over this. Small-UAS do not have to be registered and cannot always be uniquely identified. This is starting to change: the USA and Ireland are putting in place registration processes. Furthermore, drones are quite capable of capturing and storing telemetry data, for example, GPS coordinates. This could even be required via a black-box style process, which, alongside registration, would make repudiation harder; you could not deny, when challenged, that your drone had been at a given location.

As commercial use increases, criminals could try to interfere with the systems that control drones, diverting aircraft and stealing goods or data. The data sent back to operators by surveillance drones (for which the ANO already has additional rules) could be intercepted. Ground-to-air communication is in many cases still via unencrypted short-distance radio. That is changing as more drones carry 4G mobile receivers/transmitters and many are controllable from smartphone applications. Altitude Angel is working on secure protocols for the 4G exchange of data with drones.

For those who have thought about the problem of the growing number of drones, the obvious concerns are about one dropping on your head or crashing into a commercial airliner. The first of these would be bad luck, perhaps no riskier than the branch of a tree falling on you; the latter should not be possible if existing controls are observed. However, with the number of drones set to grow 20-fold in the next few years, better systems and rules are going to have to be put in place to protect operators, businesses and consumers.
