Government agencies continue to acknowledge the advantage of using drones in a variety of situations, from land management to emergency disaster response and infrastructure inspection. As with many emerging technologies, however, United States government users of drones have raised concerns about the security of the technology, especially given that the manufacturers of many drone platforms are not domestic companies.
In 2019, PrecisionHawk established its Unmanned Aerial Intelligence Technology Center of Excellence (UAS COE). The UAS COE is designed to help government agencies replace costly and inefficient data capture methods with aerial intelligence, and to assist government clients in conducting risk assessments, identifying vulnerabilities, and developing mitigation strategies to increase the government’s confidence in securely using drones. The UAS COE is backed by the cybersecurity expertise of leading government technology firm Booz Allen Hamilton, which draws on its decades-long experience to help ensure that both current and emerging drone technology platforms are secure, and shares findings to allow manufacturers to document and patch vulnerabilities that are found.
It is important to note that cybersecurity testing generally assumes that vulnerabilities will exist to some degree regardless of the drone platform or its manufacturer, and that peer-reviewed security assessments are a best practice in this marketplace. These peer reviews make for a stronger and more trustworthy system for all users, because any vulnerabilities found can be mitigated using a trusted and controlled methodology.
BFD Systems SE-8
The UAS COE’s first analysis of a drone platform was in 2019, when we evaluated the BFD Systems SE-8 drone for cyber vulnerabilities. In our most recent exercise, the UAS COE assessed three specific drone models manufactured by DJI. The assessments, conducted by Booz Allen, were focused on ports of entry and attack vectors, specifically targeting interface points of data to and from the drone platform, as well as areas for potential transfer of data over network connection points, which is a key recent concern.
Booz Allen conducted risk assessments to identify vulnerabilities and recommend mitigations. The details on the processes, tools, and mitigation strategies developed during this testing were collected in a full report for PrecisionHawk’s use in the operations we conduct for government clients. Today we are releasing an Executive Summary of this analysis so that others can benefit from the findings.
DJI Government Edition Mavic Pro and Matrice 600 Pro Drones
The Booz Allen testing covered DJI’s Government Edition Mavic Pro and Matrice 600 Pro drones, as well as the Mavic 2 Enterprise. This security-focused testing did not identify data connections made by the drone platforms to DJI or Chinese servers. The testing did identify potential vulnerabilities associated with one or more of the three drone platforms that could be exploited or triggered by a threat source. Nearly all of those vulnerabilities require physical access to the drone itself, or for the attacker to be within direct radio range during specific operations. When drones are operated and managed by trusted and trained personnel, allowing for a trusted chain of control to be incorporated into standard operating procedures (SOPs), vulnerabilities requiring physical access can be significantly minimized.
Download the Summary
The downloadable Executive Summary of the report describes each of the risks identified and provides a summary of the mitigation measures that can be undertaken by the user and/or manufacturer, as further detailed in the full analysis by Booz Allen. Similar vulnerabilities could exist on other platforms and are not specific to any individual manufacturer. The UAS COE shared this information with DJI, which responded that it has already mitigated several of these vulnerabilities and plans to address the remainder shortly in a guidance document to its customers.
We believe that finding a provable, secure, and scalable way to empower the use of these inexpensive, yet powerful tools, while concurrently helping to ensure data security and reliability, is essential to the successful adoption of this emerging technology. By applying our cyber assessment framework and sharing the results publicly, we are hopeful that these findings will help drone manufacturers and users understand how drones can be used securely and with confidence in government operations, and enable the industry to build additional platforms that meet the needs of government customers.