Edmund Burke was the person who first said “Those who don’t know history are doomed to repeat it.” Everyone in the security world is well aware of that mantra.
In the late 90s there was a rash of hacked websites because nobody knew how to secure a website. You could put a dot at the end of a Microsoft ASP webpage and it would give you the webpage’s source code sitting on the server. Microsoft, Sun, Oracle and everyone else gradually closed these holes. And while there are still notable hacks on websites, it’s typically because the sites are not running the latest and greatest software, e.g. the Experian website was using outdated Struts software, or because someone did something silly, like letting the intern create the password.
Over the last decade, the same thing happened on the mobile platform. Hardly a week went by without some earth-shattering hack that exposed an app on your phone. Developers were running so fast that they paid little or no attention to their app security: it was much more important to get to market quicker than the competition. It was irrelevant that your dating preferences, credit card numbers and passwords were exposed. Bad press shifted the focus, and eventually the fundamentals of mobile security became common practice.
Which brings us to drones. As an industry, just like the mobile guys, we’re all focused on getting to market quicker than the competitors. Security is DJI’s problem, not ours.
So, to help get the conversation going, here are 5 security items you should be thinking about as a drone manufacturer or software developer.
1. Don’t store anything on the phone that you can’t afford to lose.
Back in the day when everyone was hacking mobile apps, they were mostly doing static analysis to reverse engineer the code or look at any saved data. However, there are lots of new tools, such as Frida, which will do dynamic code injection to rip apart any login or permission restrictions that you think are in place. Any username and password information stored in memory is also potentially up for grabs. See frida.re for more information.
3. “I’ve got an S3 bucket and I’m going to use it.”
A huge part of the explosion of the web was due to how easy Amazon made it to create a cloud application. Drone apps obviously generate tons of video, which seems to be largely stored on Amazon S3 buckets or Azure. Amazon also has really useful command line tools that automate a lot of the mundane work of uploading, downloading and searching S3 buckets.
Man-in-the-middle tools, such as Burp Suite, are very good at sniffing out the keys. So don’t store your Amazon keys or any other cloud keys in the mobile app or send them in cleartext across the internet, as they can be used together with these tools to download everyone’s videos. The OWASP Cloud Top 10 has this and many, many other suggestions on how to secure your cloud.
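As an added example (not code from the original post), a small Python check for this item: it scans the strings of an app build, for example the output of `strings` on the binary or decompiled source, for embedded AWS-style credentials, so the scan can run in CI before a release ships. The sample input is constructed and uses AWS’s public documentation placeholder credentials; the key formats and entropy threshold are assumptions of this example.

```python
import math
import re
from typing import List, Tuple

# AWS access key IDs are 20 chars: a "AKIA" (long-term) or "ASIA" (temporary)
# prefix followed by 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# Candidate AWS secret access keys: an isolated 40-char run from the base64 alphabet.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Assumed threshold: below this many bits of entropy per character a 40-char run
# is treated as a name or filler rather than a randomly generated secret.
MIN_SECRET_ENTROPY = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_cloud_key_candidates(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, value) for every AWS-style credential found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            token = m.group(0)
            # Skip low-entropy runs (zero padding, repeated names) to cut false positives.
            if shannon_entropy(token) >= MIN_SECRET_ENTROPY:
                findings.append((line_no, "aws_secret_key_candidate", token))
    return findings


# Constructed sample of what `strings` might print for an app build. The credentials
# are AWS's public documentation placeholders, not real keys.
SAMPLE_STRINGS = """\
com.example.droneapp.upload.S3Uploader
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
https://flight-videos.s3.amazonaws.com/
0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for line_no, kind, value in find_cloud_key_candidates(SAMPLE_STRINGS):
        print(f"line {line_no}: {kind}: {value}")
```

Any hit on a release build means a credential is shipping to every phone that installs the app; the fix is to have the app call your own backend, which signs uploads or hands out short-lived, scoped tokens.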
4. It’s the network, dammit.
Are you using an encrypted signal for your video and telemetry? Great. But is it the same key for every drone? Can you shell into the drone? If so, are you using the same password for every drone? It’s important to secure your network using unique keys and tokens; otherwise you run the risk of someone else gaining access to the drone’s video feed or worse.
5. Mr. Robot’s school of OSINT
Perhaps the least obvious aspect of drone security is OSINT, or Open Source Intelligence. Don’t leave any traces of the developers’ names in the mobile app or on the drone. Names can be leveraged for more information about your app on developer sites such as GitHub and Stack Overflow. Developers often love to talk about their cool work and are often easy targets for social engineering. Also don’t leave any traces of presentations, proposals, contracts etc. on your website or in S3 buckets. Google indexes everything, and the right Google search can be very informative. To start, try googling filetype:pdf site:yourdomain.com on your own website. Michael Bazzell’s OSINT Techniques book is also a great resource for the advanced user.
No doubt we’ll have the same issues with whatever technology platform comes next. Pretty sure there have already been some major ML hacks that we haven’t heard about yet. Here’s hoping we can put the drone security issues in the rear-view mirror in the not too distant future.