Why civilian drone use is a risky business

The use of Unmanned Aerial Vehicles (UAVs), also known as drones, is increasing in both the military and civilian sectors. Although we are used to the concept of military drones, commercial and civilian use of the technology is still evolving.

Potential drone applications are unlimited, from law enforcement, to agriculture, construction, and infrastructure inspection.

Clearly, the drone industry is growing at a rapid pace. The aerospace research company Teal Group estimates that sales of military and civilian drones will total over $89 billion by 2023.

In the U.S., the foundations for commercial drone use were laid three years ago.  The Federal Aviation Administration Modernization and Reform Act of 2012 authorized the FAA to issue licenses for commercial drone use, but at same time it urged the agency to define rules for the usage of civilian drones by private entities and law enforcement agencies.

In Europe, the use of drones is increasing for several civilian purposes, including traffic management, crop monitoring, and news reporting.

But the use of drones for civilian applications raises serious questions regarding security and privacy. A number of high profile incidents in recent months have highlighted these issues, such as the drones which appeared over central Paris and the quadcopter drone that crashed into the White House lawn.

In the commercial space, businesses are constantly looking for new ways to deploy drones.  Last month, for example, marketing specialist AdNear launched a test to collect wireless data using drones.

The experiment, in L.A.’s San Fernando Valley, did not capture conversations or personally identifiable information, according to VentureBeat. The company used a fleet of quadcopters equipped with cellphone tracking systems to deliver targeted advertisements to the users.

“We only collect signals passively and do not record videos or photos,” noted AdNear, on its blog, adding that the company’s technology can precisely locate devices without the need of GPS or operator assistance.

Of course, UAVs are fuelling the ongoing debate about consumer privacy and security. Security experts fear that drone technologies could be abused for cyber espionage or sabotage. Privacy and civil liberties advocates have raised many doubts about the legitimacy of facial recognition cameras, thermal imaging cameras, open Wi-Fi sniffers, license plate scanners and other sensors commonly used by drones in the civilian sphere.

Small drones are compact, easy to carry, and can be concealed in a bag or a backpack. The UAVs are easy to acquire on the Internet - bad actors can easily buy off-the-shelf products that transform these vehicles into dangerous spy machines or weapons.

Many experts speculate that small drones don’t present a real security threat because their capability to harm people is very limited. However, this is not true, because commercial drones could be used by terrorists to monitor a target as well as to spread biological weapons. Small UAVs also represent a serious threat for the user's privacy - they can be used, for example, to collect information on individuals by snooping on their mobile devices or aerial communications.

Drones are certainly becoming part of the cybersecurity debate. Security researchers at Sensepost, for example, generated plenty of buzz after creating a software, dubbed Snoopy, which could turn a drone into a spying device.

In December 2014 I also wrote about the Wireless Aerial Surveillance Platform, a small DIY drone that has the capability to crack Wi-Fi passwords, eavesdrop on cellphone calls and read text messages.

Given the potentially dangerous uses of UAVs, the drone industry needs to be regulated urgently. The modern legal framework that regulates the scope of drone use is unfortunately still jagged and has many gray areas.

Drone technology for civilian use represents a business opportunity that could bring operational advantages and job creation, but also poses big challenges. On the other side of the Atlantic, the European Commission has already called for tough standards to regulate civil drones, a sentiment has been echoed by security experts and privacy advocates. The principal issues that need to be urgently addressed are flight authorization, privacy and data protection control, liability and insurance.

In the coming years UAVs will be used in a growing number of industries for different purposes. These powerful vehicles will crowd the sky and will be equipped with even more sophisticated technologies that could be open to abuse. How will data collected by drones be managed? What security measure will be adopted to prevent cyber attacks?  Within this context, the importance of security and privacy requirements is clear.

As drones proliferate, cyber threats will increase in complexity and frequency. For this reason it is necessary to make a special effort to secure drones.

In order to ensure the safety of the flight and security data managed by UAVs, a joint effort of drone manufacturers, security firms, and governments is needed.

Pierluigi Paganini is the author of the book “The Deep Dark Web” and founder of the Security Affairs blog.