Drones and Autonomous Vehicle Security

01 June 2018


Whether you call them unmanned aerial vehicles (UAV), remotely piloted aircraft system (RPAS) or just “drones”, the use of the technology is growing at the same rapid pace as its complexity and scale. The first use of drones dates back to the First World War but over the last ten years we have seen a major shift in their use. Where once they were almost exclusively used by the military, they are now a major area of investment for businesses.

Today, organisations are starting to explore the potential of a range of drone-enabled services, including: aerial surveillance; express shipping; search and rescue; industrial safety inspections; and crop maintenance. PwC has estimated that drone technology has the potential to increase UK GDP by £42 billion (or 2%) and that more than 76,000 drones will be in use across UK skies by 2030. More than a third of these (36%) could be utilised by the public sector (including in areas such as defence, health and education).

The increasing adoption of drones also brings with it a more dynamic threat landscape. As organisations rush to develop their technology platforms, the number of exploitable vulnerabilities increases.The existing counter-measures to these are often complex and rarely seen in civilian applications. In some cases, drone products are being aggressively marketed despite not yet being ready for commercial sale. In cases where products are available, some have failed to work as advertised, or can be corrupted trivially by adversaries. For organisations looking to use drones as a business enabler this introduces challenges around privacy, safety and security. These challenges are amplified when a cyber-enabled threat vector is introduced.

A drone is a complex piece of engineering, made up of a number of critical components. These range from the onboard systems including the actuators and avionics; GPS receivers; sensors; propulsion units; internal measurement units; and supporting command and control infrastructure. These are all potential targets for threat actors but could equally be compromised accidentally. There is no requirement for direct human interaction with drones, so there is no easy way to monitor for, or correct, any errors that are introduced.

The GPS receiver is a key weakness in civilian drones as it is dependent upon, largely unencrypted, civilian GPS. Without secure authentication mechanisms, location spoofing is possible; a technique demonstrated in Iran in 2011 and again by US researchers in 2012. The internal measurement units rely on data from other sensors on the drone and measure direction of travel – if they are fed incorrect information, the drone’s course or altitude could be altered. In 2016, a security researcher developed a technique to achieve full control of a range of amateur and professional grade drones through injected commands. Another potential vulnerability is the functionality to configure a drone to ignore communications from the ground during flight. This is meant to be a safety control, but it could be attractive to threat actors looking to cause harm. A cyber-enabled threat could theoretically exploit any of these vulnerabilities, so it is important that end-to-end security is employed to secure any drone-enabled service.

Drones represent an opportunity to any industry looking to adopt them, but also a potential threat if security risks aren’t considered up front. Cultural and political attitudes, as well as regulation, stand in the way of the widespread uptake of drone technology at the moment, but as with all emerging technology, this sentiment will likely shift over time, and regulation and policy should be a vehicle to safely and securely encourage wider adoption of drone-enabled services. This way we can achieve the greatest benefit for society in a way that ensures our safety, security and privacy. PwC is currently helping our clients explore these opportunities, get in contact if you wish to know more.