Understanding security threats in consumer drones through the lens of the Discovery quadcopter family
Valente, J., Cardenas, A.A., “Understanding security threats in consumer drones through the lens of the discovery quadcopter family”, 1st Workshop on Internet of Things Security and Privacy, IoT S and P 2017; Dallas; United States; 3 November 2017 through; Pages 31-36. https://www.scopus.com/record/display.uri?eid=2-s2.0-85037170675&origin=resultslist&sort=plf-f&src=s&st1=Drone+AND+privacy&st2=&sid=c5f18c4f77c303d21946d6694dba2da1&sot=b&sdt=b&sl=32&s=TITLE-ABS-KEY%28Drone+AND+privacy%29&relpos=10&citeCnt=0&searchTerm=
The paper addresses privacy, security and safety issues of using drones, and recommends basic steps to solve these issues. The article focuses on the drone technology and how to take over drones. This isn’t useful for our project. What is important for our project is the following paragraph.

The article states the general concerns that people have with consumer drones, but also with delivery drones. The privacy concern is that drones can fly over your piece of land and make videos or photos without you even seeing the drone. There are also security concerns: the drones can stop working and fall down, and not everyone is capable of handling a drone correctly. Most people won’t misuse the drones; however, the article states that most drone types are easily hackable and gives multiple examples of how. Sometimes only a Wi-Fi connection and the app, easily obtainable from the app store of Google Play, are needed to take over the drone. The hackers get complete access to the movement and camera of the drone, and can use them to take pictures and to crash the drone into places they want. Drones can also get to places that the operator wouldn’t have been able to see before. Therefore new restrictions for drones need to be thought of. The idea was to restrict the drone from getting to certain GPS locations, but with hacks this was easily avoided.

The key conclusion of the article is basically that the security of consumer drones needs to be improved significantly. More specific conclusions for the system are listed here:
Securing the drone access point with a strong password and WPA2.

Limiting the number of devices allowed to connect to the access point. Also, enforcing user authentication, and denying incoming and outgoing traffic from and to unauthorized devices.

Disabling ftp and telnet. We found that none of these services are needed for the normal operation of the Discovery drones. But if there must be an anonymous ftp user, then the device should not allow read and write access to the entire root directory.

Sending network packets between app and drone over a secure channel.

Upgrading the software running in the device. The Discovery quadcopters (released in 2016) use BusyBox 1.20.2, which was released in 2012. Since then, there have been 18 software updates to BusyBox, and these devices may be vulnerable to other known BusyBox vulnerabilities. (Unfortunately, it is not possible for users to update the firmware in Discovery drones.)
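
The ftp/telnet and BusyBox recommendations above can be checked mechanically. The following is an added example, not code from the paper or from this project: it audits text in the form printed by `netstat -tln` and the BusyBox banner line. The sample output, the build date in the banner and the `min_version` baseline are constructed assumptions.

```python
import re

# Constructed sample input (not captured from a real drone): `netstat -tln`
# output and the BusyBox banner as a BusyBox-based device might print them.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
"""
SAMPLE_BANNER = "BusyBox v1.20.2 (2016-01-01 00:00:00 UTC) multi-call binary."

# Services the summary says are not needed for normal operation.
UNNEEDED = {21: "ftp", 23: "telnet"}


def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTEN state (IPv4 and IPv6 rows)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def busybox_version(banner):
    """Parse 'BusyBox vX.Y.Z' into a comparable tuple, or None if absent."""
    m = re.search(r"BusyBox v(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(netstat_text, banner, min_version):
    """List findings against the recommendations; min_version is the
    operator's own baseline (an assumption, not a value from the paper)."""
    findings = []
    for port in sorted(listening_ports(netstat_text) & set(UNNEEDED)):
        findings.append(f"{UNNEEDED[port]} listening on tcp/{port}: disable it")
    version = busybox_version(banner)
    if version is None:
        findings.append("BusyBox version not recognised: check manually")
    elif version < min_version:
        have = ".".join(map(str, version))
        want = ".".join(map(str, min_version))
        findings.append(f"BusyBox {have} is older than baseline {want}: upgrade")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT, SAMPLE_BANNER, (1, 21, 0)):
        print(finding)
```
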