Remote Sensors and Stuff

The "stuff" is doing a lot of heavy lifting.

Tag: Security

  • UAS Risk Assessment

    UAS Risk Assessment

    Featured image: Kazhan bomber hexacopter, 25th Airborne Brigade of Ukraine. Photo by Віталій Павленко, АрміяІнформ, is licensed under CC BY 4.0.

    If you’re reading this, by now you have likely heard about the LOCUST laser weapon system and its remarkable ability to acquire, engage, and destroy helium balloons. A sufficiently sarcastic reader might suggest that the same system could be used as a defense against a hostile or unidentified sUAS, and they might be right. Unfortunately, as anyone with as passing interest in security knows, there is no single solution that covers all possible threats. You can’t just lock your front door and call your home secure. An adversary could know their way around a lockpick, execute a RollJam-style replay attack against your garage door opener, or simply smash your window in with a brick. You could implement completely effective countermeasures against all of these, but a house with only blast-proof, interior-bolted doors and windows is expensive and frustrating to live in.

    An example of a risk assessment procedure. Each step is repeated concurrently with the steps following it. For example, while identifying vulnerabilities or their impacts you will likely discover new potential threat events or sources.

    Every individual and organization has a certain level of risk tolerance, but very few are actually aware of how much risk they’re taking on at any given moment. In order to determine what level of risk we’re being exposed to during normal operations, it’s helpful to conduct a risk assessment (NIST, 2012). During the risk assessment we can identify potential threat actors, threat events those actors could initiate, and vulnerabilities in our organization or procedures. Once we determine the likelihood of these threat events from occurring and potential impacts our vulnerabilities being exploited could have, we can create a ballpark negative expected value for each threat event. This is our assumed risk, and if the sum of our assumed risks is greater than our risk tolerance we must either take steps to mitigate them or exit the space entirely, forfeiting the benefits of operating within it.

    A side note about terminology: threat and risk are separate but related concepts. A threat is an actor or situation that has the potential to negatively impact a mission or entity, while risk is the negative impact adjusted for the probability of it occurring (Lawrenson et al., 2023).

    Threat Sources

    So what would potential threat sources for the UAS industry look like? The most obvious threat source at the national level is a foreign military, but many threat sources are domestic. Criminals (organized or otherwise), corporate adversaries, or the general public can be domestic threats external to an organization. Depending on the scope of our risk assessment, we may want to consider disgruntled, inadequately trained, or negligent members of our own organization as threat sources.

    Some threat sources are purely environmental or technological. Wildlife or meteorological phenomena can be considered threat sources, and we’re especially vulnerable to these in aviation. Unintentional hardware or software failures can also be considered threat sources, as many people are reminded every time they board a 737 MAX. While environmental and technological threat sources don’t act with purpose, their potential impacts can still be devastating and shouldn’t be discounted.

    Threat Events and Vulnerabilities

    While I’ve already written an entire post about UAS threat events and vulnerabilities, there are some that were out of scope of that post. UAS are uniquely vulnerable (and suited to) being targeted by (and carrying out) kinetic events due to their size, relatively low cost and non-reliance on onboard crews. Threat sources may attempt to physically intercept our drones, carry improvised explosive devices on their own drones, or purposely impact aircraft or vehicles. Depending on the scope of our risk assessment we may or may not need to consider all forms of kinetic events. Civilian organizations, for example, are unlikely to have adversaries dropping IEDs on their property, but are also unlikely to incur much additional cost by simply considering the possibility.

    Environmental or technological threat sources may cause kinetic-like threat events (for example, a bird or lightning striking an aircraft), but may also cause more unusual threat events. Meteorological conditions or hardware degradation can cause battery fires or motor failures. Software issues can cause loss of navigation or control. These events, however unlikely, must be accounted for during the assessment. If a battery failure causes a drone to suffer an in flight breakup and debris falls on people or vehicles, our organization will be held liable.

    Expected Values and Examples

    The last step of the assessment is to determine the odds of sources causing each event and the impact of each exploited vulnerability, then combine them to determine our risk. I like to use the term “expected value” here because it allows us to consider the benefits of avoiding an exploit as well, which lets us consider that a potentially risky action with a large payoff might still be within our risk tolerance. It’s not necessary to do this mathematically, but it can be helpful to do so for the sake of illustration.

    Consider a scientific organization like the OTUS Project, who carries out tornado intercepts with drones to gather sensor data. An obvious threat source is the tornado and an associated threat event is wind damage causing a loss of control, which we can assume happens 25% of the time. We can consider a potential vulnerability, that a destroyed drone will also destroy the sensor and its data, and say it will cost us around $10,000 to replace. The odds of our threat event (0.25) times the impact of our exploited vulnerability (-$10,000) is our assumed risk for each mission: -$2,500.

    Between this and my previous post we’ve collected a good sample of threats and vulnerabilities. So what, in my opinion, poses the greatest risk? Ultimately, I believe the greatest risks are posed by electronic attack and network security threats. The state of UAS cybersecurity is improving, but is still far behind the standards set by the rest of the cybersecurity industry. On top of that, the potential impacts of cybersecurity events are staggering; grounded or destroyed fleets, theft of sensitive telemetry or intellectual property, and even kinetic attacks on allied forces or civilians. News coverage of drone-based combat in Ukraine may have put the kinetic threat of drones in the forefront of the discourse, but I believe it’s ultimately electronic and cyber threats that have the unique combination of high impact and high likelihood to give them the top spot in my risk rankings.

    Countermeasures

    We can make decisions based solely on risks, but that’s not our only option. As I mentioned earlier, if the sum of our risks exceeds our risk tolerance and we don’t want to exit the space entirely, it’s time to start talking mitigation. I already mentioned some potential countermeasures to electronic, cyber, and supply chain attacks in my previous post, so today I’ll focus on kinetic threats.

    Until now I’ve been assuming that the goal is to protect our drones and the data and physical payloads they carry. But what if the goal is to protect us from drones? Unfortunately, we have a microcosm of the evolution of UAS and counter UAS operations playing out in Europe over the last few years that we can draw inspiration from.

    Drone in the Nets” by mikecogh is licensed under CC BY-SA 2.0.

    There’s no shortage of photos of so-called “cope cages” on armored vehicles and fishing nets draped over key supply lines, which have proven themselves to be effective low-tech solutions to protecting specific targets. GPS and radio control link jamming have been proven to counter low tech drones, but now have their own countermeasures in the form of fiber optic control links and AI-based visual navigation systems.

    A Ukrainian fiber optic drone designed to defeat control link jamming. Photo by Олени Худякової, АрміяІнформ, is licensed under CC BY 4.0.

    Of course, drones are themselves vulnerable to kinetic threats. Old reliable airburst munitions, the bane of low and slow aircraft before the advent of BVR missile systems, have made a comeback as a defense against drone swarms. Drones can engage their own kind thanks to AI-based counter-drone drones. And of course, as you may have guessed from the beginning of this post, the LOCUST laser weapon system can in fact also be used to destroy drones.

    References

    Lawrenson, A., Rodrigues, C. C., Malmquist, S., Greaves, M., Braithwaite, G., & Cusick, S. K. (2023). Commercial aviation safety (7th ed.). McGraw-Hill.

    National Institute of Standards and Technology. (2012). Guide for conducting risk assessments. Special Publication 800-30r1. https://doi.org/10.6028/NIST.SP.800-30r1

  • UAS Threat Modeling

    UAS Threat Modeling

    When asked to imagine a potential vulnerability of any piece of robotics, most people will immediately envision a scene straight out of a cyberpunk novel where a hacker in a black coat and mirrorshades remotely seizes control of the system with a few keystrokes, turning it on its owner. While reality isn’t usually so dramatic (or stylish), UAS operators do have a number of potential threats that they must be aware of.

    Attacks on the Control Link

    Most UAS operate within the bounds of some type of control link. Depending on mission scope and the capabilities of the system, an individual drone may either be operated directly through a control link, or operate primarily autonomously but respect control link inputs in case of emergency. Both setups provide a potential attack vector that can be exploited by an adversary.

    Small black electronic component with an antenna
    Example of a common ExpressLRS receiver. This device translates radio signals (2.4 GHz in this case) into pulse width modulation signals used to directly control electric motors or LEDs, such as those on a fixed wing drone. These are simple, cheap, insecure, and common on low cost or home-built fixed wing drones.

    The most obvious goal of an attack on the control link is to seize control of the drone, either as simple theft or in order to use its onboard sensors or weapons against personnel that may be unaware that the drone is compromised. While this scenario is unlikely, it’s not impossible. For example, researchers have demonstrated that ExpressLRS, a common control link solution for low cost drones (including ones used in the ongoing conflict in Ukraine), was vulnerable to being overridden and hijacked by a dedicated attacker with relatively common equipment (NCC Group, 2022).

    The second most obvious goal of an attack on the control link is to “mission kill” it by removing an operator’s ability to direct it manually. Most drones are programmed to return to a predetermined location or make an emergency landing if they don’t receive packets from their ground control station for a certain amount of time, and lower cost systems may instead simply continue on their present courses indefinitely or cut power to motors and fall to the ground. This goal can be accomplished by much more simple methods of attack such as radio jamming, which has its own set of countermeasures such as automatic frequency/band hopping or hardwired fiber optic transmission systems seen in Ukraine (Doodle Labs, 2024).

    Attacks on Sensors

    There are two broad categories of sensors used by UAS platforms currently on the market: those used for navigation, and mission-specific payloads (Sabins & Ellis, 2020). While mission-specific payloads may be vulnerable to attack (e.g. by pointing a powerful laser at a camera or lidar sensor), attacks on navigational sensors are much larger threats.

    As drones typically lack radio navigation systems and have few if any traditional instruments onboard, they rely heavily on some combination of GNSS, magnetometers, cameras, lidar, and ultrasound for navigation. These sensors are all vulnerable to external interference and disabling them can easily cripple the drone. Some, but not all, of these sensors have built-in mitigation strategies, such as OSNMA or Chimera for GNSS systems (Rusu-Casandra & Lohan, 2025).

    Example of a common Remote ID broadcast module. This device provides GPS and magnetometric data to the drone while broadcasting a unique identifier and the drone’s location. This component allows a drone to be easily tracked and provides a single point of failure while operating BVLOS.

    Sensor attacks can be executed on their own (e.g. jamming a camera feed or lidar sensor to cause a crash), or they can be executed in tandem with other attack vectors (e.g. spoofing a GPS location while disrupting the control link, causing the drone to “return home” to a location the adversary controls). A more sophisticated adversary is less likely to rely entirely on a sensor attack, and sensor attacks vary wildly in both threat level and barrier to entry.

    Attacks on the Network

    Many drones have some form of WiFi or cellular modem onboard. These may be used for programming and maintenance tasks (e.g. changing settings on a flight controller or retrieving saved video) or as a transmission method for the control link. A network connection offers huge benefits, but also increases the UAS’ attack surface considerably.

    Network-based control links may be vulnerable to a deauthentication attack, which exploits malformed packet handling or standard commands to cause the target drone to terminate its own control link (Branco et al., 2024). They may also be vulnerable to a replay attack, where an adversary captures packets containing authentication data and retransmits them to send conflicting instructions to the flight controller.

    Network connections for other components vary in application. The Bluetooth or WiFi connection of a Remote ID broadcast module is useful to an adversary who wants to identify or track the drone or its operator. The WiFi connection of a flight controller may allow an adversary to get a shell on the device, giving them direct access to control surfaces, settings, and firmware of the drone.

    Any type of network connection that relies on infrastructure the operator doesn’t control, such as a control link operating over a cellular connection, is further vulnerable to more traditional network attacks such as denial of service or man-in-the-middle attacks.

    Network attacks are extreme threats to any UAS vulnerable to them, and can often be executed with common hardware and freely available software.

    Attacks on the Supply Chain

    One final note: a more abstract threat that an operator should still be at least aware of is the supply chain attack. The same way that you must assume that a system an adversary has physical access to is compromised, you must assume that equipment provided by an adversary is also compromised.

    Unfortunately, you can’t always tell who the adversary is until they make their move. This is the nature of so-called “advanced persistent threats,” which may silently compromise systems well in advance of the event that triggers detection (referred to as “dwell time”). In a supply chain attack, an actor can use their access to manufacturers or shipping services to compromise a system, potentially undetectably, before it ever reaches the end user.

    While supply chain attacks are difficult to detect and mitigate, an operator can consider their risks when deciding what equipment to use for what tasks. The more sensitive the payload or information onboard the drone is, the more resistant the drone should be to supply chain attacks. Drones used for sensitive tasks may require NDAA-compliant components, more trusted vendors, or (in extreme cases) documentation and certification processes for each component.

    References

    Branco, B., Silva, J. S., & Correia, M. (2024). D3S: A drone security scoring system. Information 15(12), 811. https://doi.org/10.3390/info15120811

    Doodle Labs. (2024). SENSE – Interference avoidance configuration. Doodle Labs technical library. https://techlibrary.doodlelabs.com/sense

    NCC Group. (2022). Technical advisory: ExpressLRS vulnerabilities allow for hijack of control link. https://www.nccgroup.com/research-blog/technical-advisory-expresslrs-vulnerabilities-allow-for-hijack-of-control-link/

    Rusu-Casandra, A., & Lohan, E. S. (2025). Experimental assessment of OSNMA-enabled GNSS positioning in interference-affected RF environments. Sensors 25(3), 729. https://doi.org/10.3390/s25030729

    Sabins, F., & Ellis, J. (2020). Remote sensing: Principles, interpretation, and applications. Waveland Press.