Drone Safety and Cybersecurity – Frank Morris, Capita

[00:00:00] Frank Morris: We haven't seen, yet, in the press about drones being taken over and you used maliciously or hijacked, et cetera. But, my view is that that will probably happen and we'll get an extra focus, same way we did with WannaCry, and that brought cyber to the attention of everybody else.

[00:00:20] Andy Still: Hello there. Welcome back to the Cybersecurity Sessions, our regular podcast, talking about all things cybersecurity with myself, Andy Still, CTO and co-founder of Netacea, the world's first fully agentless bot management product. Now when we started this podcast, we wanted to try and talk about the full range of cybersecurity challenges from what people were actually facing in their everyday lives, to do some more kind of geek outs about some of the emerging security challenges. And this episode is very much on the latter end of that spectrum. And when brainstorming for topics, this topic came up and I was immediately fascinated by it. The topic we're gonna try and cover off today is how we can effectively secure drones for their own protection and for the protection of others, which is something that's very new to me. It's very, the cutting edge part of cybersecurity. So I'm very lucky to be joined today by a man who does know about this. Frank Morris, head of security architecture at Capita. Frank, thanks very much for joining us today.

[00:01:19] Frank Morris: You're welcome.

[00:01:20] Andy Still: Could you quickly introduce yourself for our listeners?

[00:01:24] Frank Morris: Yeah, sure thing. My name's Frank Morris. As you mentioned, I'm head of security architecture at Capita. I've been there for two years. Prior to that, I was a consultant, cyber consultant for one of the big, well known big four.

[00:01:41] Andy Still: So, and how did you get into the interest in the subject of drones then? It doesn't sound like it's something that's part of your day-to-day job.

[00:01:53] Frank Morris: No, definitely not. So what happened was, I saw drones as a sort of interesting subject and I saw, you know, some of these aerial videos and I thought, "Wow, that's amazing. I wanna try that." And, it ended up me with me trying to stick a camera to a model helicopter and failed dismally. And then I saw the DGI drones and I thought, "Oh, I'll buy myself one of those." And yeah, initially it was, just interested in the photography side, the video videography side as well. And then I got interested in what's known as first person view, FPV. And this is where you strap a camera to the quad and you basically fly it itself fully on manually. And I also had a go at creating my own sort of hexacopter as well because my other interest is Raspberry Pis. So I built a hexacopter with a Raspberry Pi as the flight controller and suddenly realized that. "Hmm, the data links and everything else. This is a flying computer basically." And obviously with my background in cybersecurity, I went, "How does one start looking at securing this?" And obviously that was a few years back. Now we've got to the book point where drones are more commonplace and you start thinking, "Hmm, these could be used for malicious purposes as well." So that got me thinking, and it's, it's something I've been interested in. I'm, you know, I've become a CA certified commercial pilot for drones as well. So, uh, you know, I do that. I've done small amount of work on the side. Just don't tell my employee that. No, they're good with it. And, yeah, so it's, it's, yeah, because I do the security for the day job, I'm always sort of looking at, how would you use this to protect these drones? What can you do with them? So, yeah, that, that's essentially how it all started.

[00:03:58] Andy Still: Excellent. And I guess there's a wide range of drones aren't there, from kind of personal, individual drones right up to military drones. And how does the, what would you say was the current state of security whilst across the range of drone products that there are?

[00:04:16] Frank Morris: Very poor. I would say. It's a fairly new up and coming market. Don't, you know, it's, I equate them to IOT devices, you know, internet of things. They're still in their infancy. We've got a love-hate as well between the public and drones and whether they're useful or not. We've got a lot of FOD around some of the videos out there about what drones can do. Just go have a look at YouTube for some of the science fiction or maybe fiction that these things can do. Yeah, the CAA are currently catching up as well. The CAA, I think it was back end of, yeah, about 12 months ago, they started introducing information security into their documents. There's a document called CAP 7 22, which is what all unmanned aircraft systems have to abide by. And that now mentions the security. And it's interesting as well that the CAA, they're also releasing now a cyber assessment framework. So you can actually assess your drones against this to see how safe they are. And it takes a very risk based approach. Which is what CAA have done, tend to do anywhere for normal flights. But I still think it needs to mature in terms of the detail perhaps, and understanding how we secure everything from, you know, the built drone, the hobbyist through to the commercial side. Although the commercial side, they probably, yeah, they do have more security surrounding their drones.

[00:06:09] Andy Still: So if you start thinking of it just from the, initially from the hobbyist side, is this something that if you are buying a drone, you need to be thinking beyond the levels of security that are put in place by the manufacturer? As in, is this a serious concern that your drone could eb taken over by a malicious actor if they put their mind to it?

[00:06:35] Frank Morris: We've already seen that with the, some of the DGI products, in fact that they can be hacked. I think as a consumer, you know, hobbyist, drone pilot, then I don't think you need to be as concerned. You know, the CAA have a whole load of requirements about how far you can fly from people or uninvolved objects, et cetera. They reduce the risk of these devices potentially being taken over. And, you know, one of the things at the moment is the battery life. You know, that's a limiting factor, especially, you know, for the smaller quads. Battery life's getting, you are now looking at well over 30 minutes for some of these DGI products. For the FV1s though, in comparison, they tend to be three, four minutes tops. So there's a, you know, you can't really fly far with those. Yeah. And there's a lot of restrictions in place as well. So, you know, if they lose the signal, the DGI products will return to home, which is typical of these sort of consumer drones. And you also get limited in how high and how far away you can fly them. So they've got these ideas around security, and one of the things the CA is doing at the moment is, what have done, is they have restricted the weight and stuff as well. So the harm they can do as well is, you know, less, due to kinetic energy.

[00:08:11] Andy Still: Okay. So basically from a CAA point of view, the what they're doing to mitigate the risk of the security of these drones is actually minimize the damage that can be done if control were to be lost.

[00:08:25] Frank Morris: Yeah, exactly.

[00:08:27] Andy Still: I mean, thinking about, you know, a few years ago, the entire of Gatwick being closed down because there was a drone allegedly flying in the area of it, would only take someone to be taking over a few drones to be causing chaos.

[00:08:43] Frank Morris: Exactly.

[00:08:44] Andy Still: And has other action been taken by the CAA to kind of prevent that from happening again?

[00:08:52] Frank Morris: Yeah. So we're now looking at things like, all future drones will have beacons on so the other aircraft can see them. You can see where they are, et cetera. And that's one area they're doing. There's companies out there that are looking at anti drone techniques, which, you know, if the drone comes within a certain distance of the airport or you know, controlled airspace, it will stop it entering. But you know, for me it's the more dangerous ones, I mean, is where you get the... we're now getting to a point where we are looking at using drones more commercially, we are looking at using them for, well, I dunno if you've seen, there's a recent article regarding the Orkney Islands where they're using it for delivering mail. And we've also seen use cases where they used for light displays at night where you've got hundreds of drones. Now, for me, that's starting to represent more of a threat because it's not just one drone, it's many drones. And if you can take control of a swarm of drones, that's a lot more of an impact against infrastructure people, you know, et cetera.

[00:10:17] Andy Still: Well, I mean, it strikes you as a very effective potential weapon.

[00:10:20] Frank Morris: Oh yes.

[00:10:21] Andy Still: Hundreds of drones under your control.

[00:10:25] Frank Morris: Yeah.

[00:10:25] Andy Still: When we're talking about the commercial drones, how is the level of security on those compared to obviously the, you would expect it to be better than that in the hobbyist, but in your experience, how is it?

[00:10:58] Frank Morris: Not much better? A lot of them aren't as robust, shall we say, as the commercial products out there. They're still made from hobbyist parts, and this is why I think the CAA have taken this step of sort of producing a cybersecurity oversight document their framework and forcing companies to go down this route of looking at how they are protecting themselves against a cybersecurity attack.

[00:11:30] Andy Still: Okay. And from the point of view of companies, so, and we've heard a lot of, pardon the pun, pilot schemes about using drones as delivery mechanisms, so the likes of Amazon and other companies. You mentioned the one about the Royal Mail using them. And in your experience or your knowledge, are the companies using this taking the security of the drone itself seriously enough to keep those services safe for themselves and for others?

[00:12:09] Frank Morris: I'll equate that to what we typically see in cybersecurity. Some companies are better than others. As I said earlier, for me, this is still an immature area of growth and we haven't seen yet in the press about, you know, drones being taken over and you know, sort of used maliciously or hijacked, et cetera. But again, my view is that that will probably happen and we'll get an extra focus. Same way we did with WannaCry and that brought, you know, cyber to the attention of everybody else. But obviously the danger is that with drones and being able to take them over, you've got something in the air that can potentially do a lot more damage.

[00:12:57] Andy Still: Yeah. I mean that... what I thought, it was interesting when I was thinking about this, the challenge of this for eCommerce type companies, meaning if there's any kind of fraudulent buying going on, the high risk point for anyone doing that is, is there has to be at some point a handover of goods.

[00:13:14] Frank Morris: Mm-hmm.

[00:13:15] Andy Still: And generally speaking, when you're asking for a delivery, you know where that's going to go. So there's a point at which you can follow the person. As soon as you've got a drone involved in that, you can essentially order your product to be delivered anywhere. You then hijack the drone and deliver that to a point at which is untraceable.

[00:13:35] Frank Morris: Mm-hmm.

[00:13:35] Andy Still: So it, it's a whole new way of getting hold of the last point of the high risk, large scale fraud that's going on. So it feels like it's a whole new avenue for fraudsters. And I was just wondering how much that is a consideration for these companies who are running these pilot schemes of drone deliveries?

[00:14:01] Frank Morris: So I'm currently working with a company called Sky Fairer in Coventry. They are very concerned about this and I've got a meeting next week with them to discuss that very subject. Not so much about the fraud, but how they do the overall security approach to stop these kind of attacks so that the likes of fraud can happen. Because what they are looking at doing is delivering medicines, you know, they're looking at initially at the UK but Africa is one of the other countries they're doing, and obviously if you look at countries like wider Africa, then medicines are an item that are probably of high value to other people. They're worth trying to hijack, basically. So, you know, this is one of the things they're gonna need to consider. So yes, that's a conversation next week. But again, what I'll be talking about is, you know, this similarity between sort of drones and IoT devices. I mean, for me, as I say, I treat drones as basically a computer in the sky. It's... communicate... it's got its own operating system, its boot loader. It still requires software updates and it has links back to a computer. There's protocol called mavlink, which connects the drone typically with a computer backup base and provides telemetry. But you can also control the drone from the computer. And again, you think, okay, if I can take over that computer as well, or take over that link, that communications link, then you've got control of the drone completely.

[00:15:52] Andy Still: Yeah. And is that a connection that can be initiated from the computer or does it have to be initiated from the drone back to the computer?

[00:16:02] Frank Morris: It's initiated by... there's two, the telemetry devices that you put on initiate the connection between them. It is encrypted, but my understanding is not that well. So again, this is something that needs to be looked at in terms of, you know, is it gonna be suitable long term? And you know, is it something that you need to consider. Likewise, you can have wifi on the drones as well. One of the areas I considered, you know, doing a bit of testing and, when I built that, hexacopter was putting a wifi hotspot... well, a pineapple, wifi pineapple, which emulates other networks, and the thought was, well, could we use that, put that near a building, you know, top floor with the execs, and capture all that information. So, you know, as I say, that's just from using it from a sort of pen testing point of view. But again, with the, I mentioned the drone swarms earlier. You've also gotta look at machine to machine connections as well because with the swarms, they have a certain amount of AI in them to know where they should be in relation to the others. So again, that needs to be secured as well. So it, you know, it's very much like the approach we take for IoT and general cybersecurity. You look at the different layers of different attack vectors of what can be.

[00:17:40] Andy Still: Yeah. So I mean the swarm aspect is a really interesting one. Could, I mean, you could potentially take over a swarm there with one rogue machine.

[00:17:52] Frank Morris: Mm-hmm.

[00:17:53] Andy Still: Is that, is that something that's theoretically possible?

[00:17:56] Frank Morris: Theoretically I've not looked into drones enough to comment on that, I'm afraid.

[00:18:01] Andy Still: Okay. So, I mean, I think if you were to give any pieces of advice too, particularly, I guess, companies looking to get into this area, thinking of trying drones for part of their business, and maybe slightly worried after this conversation. What would you... what piece of advice would you give to them?

[00:18:25] Frank Morris: So look at the CAA documents for a start. You have, let me just get this CAP1753, CAP1850, and CAP1849, which are particularly good as a starting point. But in terms of the hardware and thinking about what you need to look at, OWASP do a Internet of Things security verification standard. And a lot of the stuff in there can be applied to your drone ecosystem, you might wanna call it. And if you look at all the areas within that, that would give you a good idea of how to perform risk assessments, how to look at your entire, you know, sort of drone infrastructure from a security perspective and look at how to mitigate the risk of it being compromised. IoT security foundation's another one. They do a very good sort of framework for, you know, IoT in terms of how to secure it and what to consider. That's where I'd start.

[00:19:33] Andy Still: Okay. And before we wind up, is there anything that you think the authorities should be doing at this point to improve the general safety for drone operators and people in general in this area?

[00:19:56] Frank Morris: I think continue doing what they're doing. As I say, for me, the CAA are doing really well. They're getting involved with the NCSC. They are working with the various, you know, sort of companies out there to further the maturity and you know, I think it's, I like the SCA cos they typically work in partnership with people and they are pushing this, and as I said, it's still immature, but it's heading in the right direction. So, you know, for me it's any companies will need to be involved or people involved should read those documents or, you know, just find out what's going on or get in touch with me.

[00:20:39] Andy Still: Yeah. Thank you very much, Frank. And thanks for sharing that. If, hopefully everyone has found that as, fascinating and slightly worrying as I have today. So thank you very much, Frank for joining us today.

[00:20:54] Frank Morris: You're welcome. Thank you.

[00:20:55] Andy Still: Hopefully everyone has enjoyed that. If you have, please subscribe, leave a review, tune into our other editions of this show. Or follow us @CyberSecPod on Twitter. Thank you very much and we will see you back on the next edition of the Cybersecurity Sessions.