A Remotely Piloted Aircraft or RPA is, in general, an aircraft able to fly autonomously. The aircraft is controlled by a pilot on land or by an on board computer. The fact the pilot is not on the aircraft compel us to make available another different technical mechanisms to supply that need, such as communications link or a navigation system. These two systems are the main vulnerability of RPAs.
Many media have published different news bringing to light those RPAs vulnerabilities. In 2009, a group of Iraqi insurgents hacked a video from an American UAV using SkyGrabber, a Russian commercial software to download satellite video. RQ-170 case is another example of UAVs cyber-attacks, an American drone captured in 2011 while overflying the Iranian airspace. Iranian state television broadcasted a video showing how some Iranian military commanders were checking the RQ-170 Sentinel drone, meaning the RPA had been captured without having knocked it down. Despite it is not a proven fact, specialized sources has pointed out that a “GPS Spoofing” attack was used to capture the RQ-170. The anecdote goes a year later, in 2012 Iran claimed that they had been able to replicate the RQ-170 Sentinel by using reverse engineering.
Basic principles of UAS
Before analysing UAS vulnerabilities, it is important to understand that unmanned aerial systems (UAS) are not only formed by the platforms (UAV) but also the ground segment where the control station is located. The figure below, shows a common model of standard UAS components.
The aerial segment (UAV) is composed by three main parts:
- The platform includes the structure, engines, servomotors, landing gear, etc.
- The avionics is formed by all the electronic systems that allow the UAV’s autonomous flight: the communications link, the flight controller or the navigation system.
- The payload is made by one or several sensors needed to carry out the UAV’s mission. The most common payloads are cameras, but it can exist some different such as radars, lidars, environmental sensors, etc.
General model of standard UAS components.
Avionics in turn is made by:
- Navigation system, allowing the autonomous flight of the UAV, defining both position and flying attitude according the pre-established route.
- Communication links enable the wireless communication between the UAV and the ground control station. It is common to exist different communication links both for command and control (commonly known as C2 – Command and Control connection) and for the payload. It is also important to highlight that those communications can be ground-to air (direct) or satellite (indirect).
- Flight control is responsible for controlling the active elements of the UAV (engine/s, spoilers, rudder, stabilizer, etc.) to follow the trajectory demanded by the navigation system.
- Examples of flight sensors are: GNSS receiver, inertial sensors, altimeters, pressure sensor, etc.
Another important aspect to consider is the flow of information between the UAV and its environment. The two most important operational connections from a safety point of view are: 1) the bidirectional connection between the communications system and the ground control station and 2) the flow of information from the environment to the sensors.
Security vulnerabilities based on the component model presented above are assessed below. This review provides information on the susceptibility of each component to different types of threats. The main threats are communication links, sensors and data storage.
Virtually all UAS need at least one data link to communicate the UAV with their control centre; this link is usually used to receive commands, access positioning corrections, transmit telemetry or transmit the information captured by the sensors in real time. These communication channels usually consist of radio-frequency links, the usual bands being 433 MHz, 869 MHz, 915 MHz, 2400 Mhz and 5800 MHz. When UAS have satellite links, dedicated C-band or Ku-band links may be included.
Communications links may be susceptible to classic cyberattacks such as repetition attacks, eavesdropping, man-in-the-middle or denial of service (DoS) attacks if they present any kind of security vulnerability (e.g. absence of encryption). This type of attack is more likely when communications links are based on standardized technologies such as WiFi. Apart from cyber-attacks, wireless links are especially vulnerable to electromagnetic interference (jamming), especially when combined with large amounts of power and directive antennas. Finally, it is important to bear in mind that the mere existence and use of wireless links (by UAVs) can present a vulnerability, as electromagnetic radiation can be detected and thus discover the presence and location of the UAV.
It could therefore be concluded that a good encryption of the communications link is essential, despite the latency introduced and processing overload, however the practical reality is that this is not enough. It will also be necessary to add security in the lower layers of the communications stack to make the link robust and difficult to detect (these characteristics can be satisfied using techniques such as spread spectrum).
An example could be the SINDA project, developed by Gradiant’s Advanced Communications team. It is a robust and secure ground-to-air communications system that has two radio interfaces in different frequencies with the capacity to balance the load according to the interferences present in the spectrum. The knowledge acquired about UAS communications links is being used in Counter UAS by Gradiant, both for detection (using signal intelligence techniques) and neutralization (performing denial of service attacks).
UAS usually contain different sensors depending on their application such as cameras or GPS systems. The sensors can be classified according to whether they are used for internal measurement (battery voltage) or external measurement (air pressure). From a security point of view, external sensors are more vulnerable as external parameters can be manipulated by the attacker. GPS sensors deserve special attention, as many commercial drones use this system for navigation, making it a critical system. The GPS system, especially the one known as “civil GPS”, is susceptible to jamming and GPS Spoofing attacks. In the first case, the attacker generates interference in the L1 band of the GPS, making the UAV unable to receive the legitimate signal. In the second case, the attacker generates and transmits a “fake” GPS signal, with this technique the attacker can divert the UAV from its original route.
In conclusion, in order to alleviate the vulnerabilities of the security of the sensors, it is recommended to use redundancy mechanisms to validate the data of different sensors. An example could be to combine GPS information with that of inertial sensors to determine the absolute position or, as an alternative and even complementary mechanism, to use GNSS navigation systems with signal authentication capability.
Data storage vulnerabilities are associated with storage type, encryption, and protection against unauthorized access.
The type of storage selected for a drone can pose a critical risk to the integrity of stored data. For example, volatile memories such as RAM or SDRAM are not recommended to prevent data from becoming corrupt (integrity). Magnetic storage devices are also unsuitable, as they are easily susceptible to magnetic fields.
Something common in today’s drones is the absence of data encryption mechanisms. This can cause a total loss of confidentiality if unauthorized people access them physically or even remotely. In the same vein, it is not worth encrypting data if unauthorized access cannot be prevented. To prevent this risk, a signature mechanism must be implemented.
If we speak in terms of security, it is clear that the drones’ storage devices are not having the importance they deserve. That’s why from this point of view, security mechanisms like encryption and signing are being forgotten by most manufacturers.
However, as we have already mentioned, the critical points in terms of security are present throughout the model of components that make up the complex UAS systems. Therefore, it will be necessary to pay attention to each component that integrates it in a particular way, since these may be exposed to different types of threat according to their nature.
Autores: Jorge Munir, Advanced Communications director; e Iago Gómez, head of UAS at Gradiant