Mike Monnik (DroneSec)
Talk Recording: https://www.youtube.com/watch?v=-zuJerGWTWs
The Global Drone Security Network (GDSN) is the only event of its kind focusing on Cyber-UAV security, Drone Threat Intelligence, Counter-UAS, and UTM security. Watch the full recording here: https://www.youtube.com/watch?v=vZ6sRr65cSk
Speaker: https://www.linkedin.com/in/mike-monnik-23026a75/
DroneSec is a cyber-UAV security and threat intelligence company that hosted this second series of the GDSN community event.
https://dronesec.com/
The State of Drone Security – Analysing 1000+ drone incidents (Mike Monnik) - DroneSec GDSN#2
2. “Let’s catch or shoot them down!”
> Drones are classified as aircraft
“Can we block their signal or jam them from entering our property?”
> Illegal to interfere with an operating radio communications device
> It is not trespass, as you don’t own your airspace
“What about just detecting them… then sending the police after the operator!”
> Even police have legal difficulty intercepting or tracing drones.
3. We are in a time where UAV threats to critical infrastructure, the legislation governing them, the actions taken to counter those threats with mitigation technologies, and the response by law enforcement (and the technical skills needed) have no easy answer.
Most times, this just results in the finger being pointed towards physical security and the responsibility of the manufacturer.
LUCAS LE BELL
VICTOR VUILLARD
KIM JAMES
CHRISTOPHER CHURCH
EVANGELOS MANTAS
JACOB TEWES
DAVID KOVAR
ULF BARTH
5. Resources in the Description (SHOW MORE)
● Schedule
● Presenter Slides
● Code of Conduct
DroneSec team during the event:
Masumi Arefune - Event Coordinator
Arison Neo - Content Moderator
John Rihanna - Commercial Contact
Mike Monnik - MC and Host
DISCUSSION AND Q’N’A
6. Global Drone Security Network #2
Aim:
To be a source of authority and standards for drone security around the world.
Mission:
Ensure safe and secure drone operations, enabling innovation and preventing restrictions.
Speakers:
Drone hobbyists and/or commercialists. This event is for the future of drones not against them.
Event:
No one paid to speak here.
No one was paid to speak here.
There are no sponsors or commercial deals.
All are live - no pre-recordings.
7. Running Agenda (UTC+10)
19:00 - The State of Drone Security – Analysing 1000+ drone incidents by (Mike Monnik)
20:00 - Drone Security & Law Enforcement by (Christopher Church)
21:00 - Securing High Value Assets from above while grappling with the cost/benefit equation by (Kim James)
22:00 - C-UAS against Swarms by (Ulf Barth)
23:00 - Security of a drone platform by (Victor Vuillard)
24:00 - Five next-gen UAV evolutions every sensitive site should open their eyes to by (Lucas Le Bell)
01:00 - The Need for Drone Forensic Investigation Standardisation by (Evangelos Mantas)
02:00 - Counter-UAS: Legal Challenges and Solutions for Research and Development by (Jacob Tewes)
03:00 - Keynote: UAV Threats to the Oil and Gas Industry by (David Kovar)
9. The State of Drone Security
Mike Monnik
Presentation Length: ~45 minutes
15. Core Concepts – Drone Security
● Protection of friendly drones against attackers
● Protection against rogue drones
● Protection of the systems that support, manage and counter drones
19. How does a drone work?
Vendor Server
● Approximate Location (5-10km)
● Hardware Information (serial #s)
● Mobile/Controller GPS Location
● Drone GPS Location
● Flight data (optional)
● NFZ codes
● Profile Information / Username
Diagram labels: 2.4 GHz control link, 5.8 GHz video link, Controller, Drone GPS, Device/Application, Internet: 4G/LTE
20. How does an autonomous drone work?
● Approximate Location (5-10km)
● Hardware Information (serial #s)
● Mobile/Controller GPS Location
● Drone GPS Location
● Flight data (optional)
● NFZ zones
● Profile Information / Username
Diagram labels: Drone GPS, Telecom Tower, Fleet Management Server, 4G/LTE control & video link
21. The Drone Stack
Device/Application (192.168.1.30)
● Android or iOS
● Vendor Application
● USB, Bluetooth or WiFi link
Drone (192.168.1.2)
● OpenWRT Linux or similar
● Internal and External Storage
● 2.4 GHz – 5.8 GHz antennas
Controller (192.168.1.1)
● OpenWRT Linux or similar
● Embedded or external device
● 2.4 GHz – 5.8 GHz antennas
Vendor Server (13.249.134.125)
● Profile, flight logs, flight data, No-Fly-Zone codes
● Optional: Purchases, linked accounts, country registration information
24. Bug Classes (Bug Bounty Program)
https://security.dji.com/policy
Drones and Hardware
● Remote Hijack or Permanent Denial-of-Service: $30,000
● Remote Access to data or Temporary Denial-of-Service: $5,000
Mobile Applications, Websites, Servers and Infrastructure
● Hijack Drone(s), Access to User Data, Underlying issues: $30,000
25. Common Security Risks
● Hardcoded SSH/FTP/WiFi/Telnet passwords
● Vendor control, visibility and remote patching
● Provide more focused power/bandwidth (deauthenticate)
● Open WEP, Default/Weak WPA2 passwords
● Spoof controller commands and hijack drone control
● Prevent/lockout pilot on-board linux tools
● Privesc to extract data and video
● Hijack the video stream to the controller
● Access user purchases, pictures, video, audio
● Access user flight records and telemetry data
● Access flight controls (automated drones)
Components: Device/Application, Controller, Drone, Vendor Server
26. 2020: In Numbers - DroneSec Offensive Cyber Security (Responsible Disclosure)
● 7 Total high-priority findings affecting UAS, CUAS and UTM
● 3 Vulnerabilities leaking customer and pilot information
● 1 Misconfiguration leaking police department drone purchases
● 1 Misconfiguration leaking drone vision and telemetry analytics
● 2 Vulnerabilities resulting in access to CUAS and UTM control panels
31. US Army and Drones
Counter-Unmanned Aircraft System Techniques (ATP 3-01.81)
“Both reconnaissance and attack capabilities have matured to the point where UAS represent a significant threat to the army...”
“If UAS is observed over your position, you are already compromised. Units must attempt to engage and destroy the UAS using any organic means available”
36. Contact Tracing / Threat Intelligence
A: Investigate events, incidents and the specific information. Categorise, tag and analyse.
B: Use the information to inform SOPs, compare to current results
C: Refine targeting systems and feed detection information back to A.
D: Continue predicting and reacting to rogue/malicious UAV with a view of apprehending/tracking operators
Cross-Matching data and patterns
37. UAS Threat Actor Example (Snipped)
Recorded malicious drone use by member groups:
Khalistan Zindabad Force (KZF)
Ranjit Singh Neeta (Leader)
Motivation and Goals:
To conduct surveillance on security forces
To conduct reconnaissance for possible areas for landing and deliveries of contraband
To supply contraband to criminal groups for the conduct of acts of terror against nation states
Tactics, Techniques and Procedures:
Self-taught in engineering and modifying drone parameters and hardware components
Recruiting local youths and elderly to conduct a significant number of regular border flights
Take-off and landing positions in close-proximity border villages and towns over Line-of-Control (LoC)
Recorded Use of Drone/Equipment:
Quadcopters, Multi-rotors, Fixed-Wing
DJI Matrice 600, DJI Mavic 2, DJI Phantom 4
“Low-Noise” propellers
Recorded Contraband/Crime:
Ammunition, Explosives, Counterfeit money, Firearms (AK-47 & M4 assault rifles, M67 grenades)
Communication devices (Radio devices, GPS device, batteries)
Recorded Area of Operations:
Kanzalwan (North western end of Jammu and Kashmir, India)
Satwal Sector along LOC (Pakistan)
38. Sources and Drag Net Approach
200+ Passive Sources
International Aviation Authorities
Academic Sources & University Agreements
Pilots – Commercial and Private Airlines
Commercial Partnerships
Information Security Sources
Newsletters and Email Lists
Law Enforcement
Subscribers & Community Contributions
Active Sources
TOR/Dark and surface web communication channels
- Chat applications, Forums
Proprietary aggregation software
- Search Engines
- Social Media
- Government Sources
- News and Media
Live sightings and reports
Counter-UAS detection feeds
Keywords
Base: drone, uav, uas, rpas (Other language translations)
Variations: counter, anti, security, hacking, exploit, bypass
Additionals: Airport, Prison, Correctional Facility, Energy Facility, Nuclear, Electricity, Power, Runway
Custom: “JFK” “Tullamarine” “Michigan Stadium” “Bison Power” “
39. Social Media Example
Source
- Social Media (Twitter)
Keyword matches:
- “drohne” AND “airport”
Time & Date:
- 16:52 June 1st
Airport:
- ACME (Geo-match)
Database:
- ACME Airport
- NX1 CUAS System
(News Ref: May 3rd)
IMAGE IS FOR EXAMPLE PURPOSES ONLY
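The keyword tiers from slide 38 and the "drohne" AND "airport" match from slide 39, worked through as an added example (not DroneSec's aggregation software). The German translations, the single-entry site database, the sample posts and all function names are assumptions made for illustration.

```python
import re
import unicodedata

# Keyword tiers from slide 38; the translated base terms are assumed here.
BASE = {"drone", "drones", "uav", "uas", "rpas", "drohne", "drohnen"}
VARIATIONS = {"counter", "anti", "security", "hacking", "exploit", "bypass"}
ADDITIONALS = {"airport", "prison", "nuclear", "runway", "power"}
# Hypothetical site database: custom keyword -> (site, recorded CUAS asset).
SITES = {"acme": ("ACME Airport", "NX1 CUAS System")}

def tokens(text):
    """Lower-case, strip accents, split on non-alphanumerics."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return set(re.findall(r"[a-z0-9]+", folded.lower()))

def triage(post):
    """Return a match record when a base term co-occurs with a context term."""
    words = tokens(post["text"])
    base = words & BASE
    context = words & (VARIATIONS | ADDITIONALS)
    sites = sorted(words & set(SITES))
    if not base or not (context or sites):
        return None  # a base or context term on its own is too noisy to raise
    return {
        "source": post["source"],
        "time": post["time"],
        "keywords": sorted(base | context),
        "sites": [SITES[s] for s in sites],  # cross-match against the database
    }

# Constructed sample posts, not real data.
POSTS = [
    {"source": "twitter", "time": "16:52 June 1st",
     "text": "Schon wieder eine Drohne über dem ACME Airport?!"},
    {"source": "twitter", "time": "17:03 June 1st",
     "text": "New drone footage of the coastline, stunning."},
    {"source": "forum", "time": "18:10 June 1st",
     "text": "Airport security queue was two hours today."},
]

def run(posts=POSTS):
    """Keep only the posts that produce a match record."""
    return [hit for hit in map(triage, posts) if hit]
```

Multi-word custom keywords such as “Michigan Stadium” would need phrase matching rather than the single-token lookup used here.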
44. 2020: Narcotics and Prisons
28% of drones seized by authorities were due to operator crashes
● Weight of payload (control or battery loss)
● BVLOS, out of range or night-time flying
● Trees or wires
25% of operators apprehended, of that 10% through drone forensics
● Most launched within <5km of the prison, from vehicles or forests
● Most used drones under 2kg
Most common payloads:
● Narcotics
● SIM cards
● Shivs/Weapons
● Cash
45. 2020: Narcotics and Prisons - Scenarios
Canary Drones
In two events, operators sent a smaller, non-payload equipped drone to fly over the prison to assess CUAS or staff response.
● This occurred both 24 hours before and just 10 minutes before
● A larger or payload equipped drone sent afterwards
Pseudo-Swarm Drones
In one event, operators flew three separate drones over the facility. Guards were alerted, drones continued to operate for 7 minutes.
● Only one drone is suspected of dropping the payload
Anti-Forensics
In some cases: Removing SD card, disabling caching, disabling RTH functions, serial information and purchasing systems and batteries 2nd hand, custom apps
46. 2020: Narcotics and Prisons Forecast
Where mitigation is not possible, detection will be key
● Detection-only systems with quick-response SOPs
● Physical security, deception techniques and netting
Drone capabilities for heavy lift and carry will increase
● ~$80,000 for a 25kg lift/carry is affordable to organised crime groups
● Drone manufacturers will seek hardware and software identification
● Second-hand drone sales may see vehicle transfer registration
Prisons will consider drones as Hostile Vehicle Mitigation
49. 2020: Borders
High number of drones seized by authorities; low due to CUAS
● Most are one-way flights
● Heavier payloads are easier to shoot with small arms fire
● Some have payloads removed
Extremely low number of operators apprehended
● Most launched from border towns, extended range near borders
● Many flown by unsuspecting recruits not connected to crime
● Many drones over 2kg (more funding? different payloads?)
Most common payloads:
● Narcotics
● Ammunition/explosives/weapons
● Communication devices
50. 2020: Borders - Scenarios
Enable large operations
● Used as distractions to pull responders away from key chokepoints
● Live-stream vision across borders to assess positions: human trafficking
● Used to guide planes to land in black-out jungle areas
Camouflage and Deception
● Observed using low-profile noise reduction propellers
● Being painted sky-blue or cloud-white, lights taped over
Proxy weapon of choice by military - attribution
● COTS drones have the price point and appearance of being civilian
● Capabilities allow military supplies or remote weaponisation
● Hard to determine if rogue drone was nation state, rebel or hobbyist
51. 2020: Border Forecast
CUAS will require larger footprints
● Usual radius of detection/mitigation is 5km-10km range
● Detection features will be built into Telecommunication or Physical assets
● Careful geo-positioning to only control ‘this side of the fence’
Countries may seek border/country No-Fly-Zones
● Geofencing and Remote ID may change NFZ from airspace to per-country
Borders will require hard-stop CUAS
● Compared to prison, airport and critical infrastructure incidents, border drones continue to carry weaponised or ordnance payloads.
52. 2020: A year in review and looking to 2030
Most incidents included:
1. Battlefield (Syria, Ukraine)
2. Borders
3. Prisons
4. Sporting Stadiums
5. Emergency Services
6. Critical Infrastructure
7. Aviation/Airports
Law Enforcement
● COVID-19 uptick
● Emergency response
● Public Privacy Issues
● Lack of legislation for CUAS
● Lack of SOP for DFIR
Cyber and Data Security
● Mobile Application Security
● Privacy from manufacturers
● UTM and C-CUAS as a target
CUAS Systems
● Splitting detection and response
● Integration with UTM/UAM
● Lack of legislation for private/commercial customers
● Jamming and signal manipulation increasing
Threat Intelligence
● Nationwide sharing for LE
● ADSB + ATM + UTM Integrations
● Inform CUAS product development
53. Summary
End-to-end Drone Security includes many components:
Manufacturers, Physical Security, Counter-UAS, Laws & Regulations, Forensics, Threat Intelligence…
Working groups are required between:
● Counter-UAS
● Law Enforcement
● Aviation (ATM/UTM)
● Law makers
● Hobbyists
Drones make up three quadrants
● Electronic
● Kinetic
● Close-proximity and air-space
Drones require a new joint-capability of traditional and emerging threat intelligence, risk analysis and embedded security to foster innovation and safely prevent restrictions on the industry.
55. THANK YOU.
SPEAKERS
Christopher Church
Kim James
Ulf Barth
Victor Vuillard
Lucas Le Bell
Evangelos Mantas
Jacob Tewes
David Kovar
ORGANISERS
DroneSec
Privasec
Masumi Arefune
Arison Neo
Mike Monnik
SPECIAL MENTIONS
Jill Taylor
Philippe Rouin
Daniel Ting
All the attendees!