Drones matter more to companies than ever, which means drone security matters more than ever too. Here, mobile development expert and author Godfrey Nolan lays out five points that drone manufacturers, software developers working for the drone industry and their customers should keep in mind during development. The following is a guest post by Godfrey Nolan, mobile app development expert and president of RIIS, LLC, a Michigan-based mobile development company.
“Those who do not know history are doomed to repeat it.” The line is usually credited to Edmund Burke, although the wording that survives is George Santayana’s; either way, everyone in the security world knows the mantra.
In the late 1990s there were rashes of website hacks because nobody yet knew how to secure a website. Appending a period to the URL of a Microsoft ASP page made the IIS server hand back the page’s source code. Microsoft, Sun, Oracle and everyone else gradually closed those holes. There are still notable website hacks, but today they usually happen because a site is not running current software (the Equifax breach came in through an outdated Apache Struts installation) or because someone did something careless, like letting the intern pick the password.
The same thing played out on mobile over the past decade. Barely a week went by without an earth-shaking hack of an app on your phone. Developers were moving so fast that they paid little or no attention to app security: getting to market ahead of the competition mattered far more. It didn’t matter that your dating preferences, credit card numbers and passwords were exposed. Bad press shifted the focus, and eventually the basics of mobile security became common practice.
Which brings us to drones. As an industry we are behaving just as mobile did, focused on beating the competition to market. The prevailing attitude is that security is DJI’s problem, not ours.
To get the conversation started, here are five security issues that you, as a drone manufacturer or software developer, should be thinking about.
1. Don’t store anything on the phone that you can’t afford to lose.
Mobile apps are a large part of the drone experience: they are the control center, the gateway to the cloud, and so on. Understand that an attacker can reverse engineer the app, decompiling it back into something readable. If you put decryption keys or cloud credentials in your source code, someone will find them. It is also very tempting to store user passwords, tokens or other data on the phone to make the pilot’s life easier. Don’t. Android and iOS both offer secure storage (the Keystore and the Keychain), but each has been circumvented on rooted or jailbroken devices, so treat it as a hurdle for the attacker rather than a vault. Read the OWASP Mobile Top 10 Risks to learn more.
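To see how little reverse engineering “finding the keys” actually takes, here is an added example (not from the original post) of the scan an attacker runs over a decompiled app tree, say the output of apktool or an unzipped .ipa. It pulls printable runs out of every file the way strings(1) does and matches the credential shapes that get checked first. The pattern set, the directory layout and the sample strings.xml are constructed for the demo; the AWS key pair in it is AWS’s documented example pair, not a live credential.

```python
"""Scan a decompiled app tree for credentials the way an attacker would.

Added example, not from the original post. After `apktool d app.apk` (or
unzipping an .ipa) everything is plain bytes on disk; this pulls printable
runs out of each file the way strings(1) does and matches the credential
shapes an attacker greps for first. The pattern set and the sample
strings.xml are constructed for the demo; the AWS key pair in it is the
documented AWS example pair, not a live credential.
"""
import re
import sys
from pathlib import Path

PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # label, then up to 40 bytes of punctuation/markup, then the 40-char secret
    "aws_secret_access_key": re.compile(rb"(?i)aws_?secret[^\n]{0,40}?([A-Za-z0-9/+=]{40})"),
    "google_api_key": re.compile(rb"\bAIza[0-9A-Za-z_-]{35}\b"),
    "jwt": re.compile(rb"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_with_password": re.compile(rb"https?://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def extract_strings(data: bytes) -> list:
    """Printable ASCII runs of 8+ bytes, like `strings -n 8`."""
    return [m.group(0) for m in PRINTABLE_RUN.finditer(data)]


def scan_bytes(data: bytes, origin: str = "<memory>") -> list:
    """Return (origin, pattern_name, matched_value) for every hit."""
    hits = []
    for run in extract_strings(data):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(run):
                value = m.group(m.lastindex or 0)   # capture group if the pattern has one
                hits.append((origin, name, value.decode("ascii", "replace")))
    return hits


def scan_tree(root) -> list:
    """Walk a decompiled app directory and scan every regular file."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits.extend(scan_bytes(path.read_bytes(), str(path)))
    return hits


# Constructed sample: res/values/strings.xml with the keys baked in.
SAMPLE_STRINGS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">DronePilot</string>
    <string name="aws_access_key_id">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_access_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="telemetry_upload">https://pilot:hunter2@telemetry.example.com/v1/upload</string>
</resources>
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for origin, name, value in (scan_tree(target) if target else scan_bytes(SAMPLE_STRINGS_XML)):
        print(f"{origin}: {name}: {value}")
```

Run it against your own decompiled build before shipping; anything it finds is something the attacker will also find in minutes, and the fix is to fetch such values from your backend after the user has authenticated, not to obfuscate them.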
2. Frida is your enemy
When mobile apps were first being hacked, attackers mostly relied on static analysis: reverse engineering the code or reading the data stored on the device. Newer tools such as Frida work dynamically instead, injecting code into the running app to strip out whatever login or permission checks you think are protecting it. Any user name or password that passes through memory can be captured the same way. More information is available at frida.re.
3. “I have an S3 bucket and will be using it.”
Much of the explosion of web applications came from how easy Amazon made it to build on the cloud. Drone apps obviously generate tons of video, most of which seems to end up in Amazon S3 buckets or Azure storage. Amazon also has very useful command line tools that automate much of the day-to-day work of uploading, downloading and browsing S3 buckets.
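Those command line tools, and the SDK inside your app, work from an access key and a secret. The app should never hold them. The backend that does hold them can instead hand the pilot’s app a presigned URL that is valid for a few minutes and carries only a signature. The following is an added example, not from the original post: the SigV4 query-string presigning is written out with the standard library so it runs offline and the steps are visible, but in production you would call the SDK’s generate_presigned_url. The bucket and object names are placeholders and the key pair is AWS’s documented example pair.

```python
"""Give the app a short-lived presigned URL instead of the bucket's keys.

Added example, not from the original post. Only the backend holds the AWS
access key and secret; the app authenticates to the backend and receives a
GET URL that expires and never contains the secret. Bucket and object names
are placeholders; the key pair is AWS's documented example pair.
"""
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone
from typing import Optional

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "dronepilot-flight-video"
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _q(s: str) -> str:
    # RFC 3986 encoding; '/' inside a query value must become %2F
    return urllib.parse.quote(s, safe="-_.~")


def presign_get(key: str, expires: int = 300, now: Optional[datetime] = None,
                access_key_id: str = ACCESS_KEY_ID, secret: str = SECRET_ACCESS_KEY) -> str:
    """Presigned GET for s3://BUCKET/key, valid for `expires` seconds."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    scope = f"{date}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote("/" + key.lstrip("/"), safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n",          # canonical headers, terminated by a blank line
        "host",                    # signed headers
        "UNSIGNED-PAYLOAD",        # presigned URLs never sign the body
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret, date, REGION),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def signature_of(url: str) -> str:
    return urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["X-Amz-Signature"][0]


# Fixed clock and object so the demo output is reproducible.
DEMO_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
DEMO_KEY = "flights/2024-01-15/flight-0001.mp4"


def demo_url(secret: str = SECRET_ACCESS_KEY) -> str:
    return presign_get(DEMO_KEY, expires=300, now=DEMO_TIME, secret=secret)


if __name__ == "__main__":
    print(demo_url())
```

The URL is still a bearer credential for that one object for those five minutes, so it goes to the app over TLS and nowhere else; what it can no longer do is let whoever captures it list or download the rest of the bucket.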
Man-in-the-middle proxies such as Burp Suite are very good at capturing keys in transit: install the proxy’s CA certificate on a test phone, and any app that trusts the device’s certificate store without pinning its server certificate will show you everything it sends. So don’t store your Amazon keys or other cloud credentials in the mobile app, and don’t send them over the network in clear text, because together with these tools they can be used to download every video in the bucket. The OWASP Cloud Top 10 contains these and many other suggestions for securing your cloud.
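The Frida section above and this one describe two halves of the same problem: keys built into the app, and a tool that reads them out of the running process. Here is an added example (not from the original post) of the harness a tester writes for that: Python drives Frida, and the injected JavaScript forces the app’s own authorization gates to succeed and reports the credentials the AWS SDK is handed. The Frida API calls (Java.perform, Java.use, .overload, .implementation, send) are real, and com.amazonaws.auth.BasicAWSCredentials is the real AWS Android SDK class; the com.example.dronepilot.* class and method names are placeholders for whatever the app under test uses. Building the script needs nothing installed; running it needs frida-tools, a USB device running frida-server and the app’s package name.

```python
"""Frida harness: force an app's auth gates and capture the cloud keys it loads.

Added example, not from the original post. The Frida JavaScript API used here
is real and com.amazonaws.auth.BasicAWSCredentials is the real AWS Android SDK
class; the com.example.dronepilot.* names are placeholders for the app under
test. Running it needs `pip install frida-tools` and a device with frida-server.
"""
import json
import sys

# (class, method, parameter types, forced return). None means pass-through:
# the original runs and only its arguments and result are reported.
TARGETS = [
    ("com.example.dronepilot.auth.SessionManager", "isLoggedIn", [], "true"),
    ("com.example.dronepilot.auth.SessionManager", "hasRole", ["java.lang.String"], "true"),
    ("com.amazonaws.auth.BasicAWSCredentials", "$init",
     ["java.lang.String", "java.lang.String"], None),   # constructor: (accessKey, secretKey)
]


def build_hook_script(targets=TARGETS) -> str:
    """Render one Java.perform block with a hook per target."""
    hooks = []
    for i, (cls, method, params, forced) in enumerate(targets):
        # Overloaded methods must be pinned by parameter types or Frida refuses to hook.
        overload = f".overload({', '.join(json.dumps(p) for p in params)})" if params else ""
        ret = "real" if forced is None else forced
        label = json.dumps(f"{cls}.{method}")
        hooks.append(f"""
    var C{i} = Java.use({json.dumps(cls)});
    C{i}.{method}{overload}.implementation = function () {{
        // this.<method>(...) inside a hook runs the original implementation
        var real = this.{method}{overload}.apply(this, arguments);
        send({{hook: {label},
              args: Array.prototype.slice.call(arguments).map(String),
              real: String(real)}});
        return {ret};
    }};""")
    return "Java.perform(function () {" + "".join(hooks) + "\n});\n"


def run(package: str, script_source: str):
    """Spawn the app with the hooks in place and print whatever they report."""
    import frida  # lazy: build_hook_script is usable with no device attached

    device = frida.get_usb_device()
    pid = device.spawn([package])       # spawn, not attach, so startup checks are hooked too
    session = device.attach(pid)
    script = session.create_script(script_source)
    script.on("message", lambda message, data: print(json.dumps(message.get("payload", message))))
    script.load()
    device.resume(pid)
    return session


if __name__ == "__main__":
    if len(sys.argv) == 2:
        run(sys.argv[1], build_hook_script())
        sys.stdin.read()                # keep the process alive until Ctrl-D
    else:
        print(build_hook_script())      # just show the JavaScript that would be injected
```

Every `send()` lands in the Python console: the first two hooks show the app happily proceeding as an authenticated admin, and the third prints the access key and secret the moment the SDK is constructed, which is exactly why neither of them belongs in the app.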
4. It’s the network, damn it.
Are you using an encrypted link for your video and telemetry? Great. But is it the same key in every drone? Do you pair the controller with the same password for every drone? It is important to secure your network with keys and tokens that are unique to each aircraft. Otherwise anyone who extracts the key from one drone has access to every other drone’s video feed, or worse.
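One way to get a distinct key per airframe without a database of random keys is key diversification: the manufacturer keeps a single master secret and derives each drone’s link key from it and the drone’s serial number. The following is an added example (not from the original post) using HKDF (RFC 5869) over HMAC-SHA256 from the standard library; the salt and label strings are placeholders. The trade-off is that the master secret becomes the crown jewel and must live in the factory HSM, never on a drone or in an app; random per-device keys written to a provisioning database at manufacture are the equally valid alternative.

```python
"""One link key per airframe, derived from a master secret with HKDF.

Added example, not from the original post. HKDF (RFC 5869) over HMAC-SHA256;
the master secret is diversified with each drone's serial number, so the key
pulled out of one drone says nothing about any other. Salt and labels are
placeholders.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC(salt, IKM); an empty salt means HASH_LEN zero bytes (RFC 5869 s.2.2)."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) | T(2) | ... with T(i) = HMAC(PRK, T(i-1) | info | i) (RFC 5869 s.2.3)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


FLEET_SALT = b"dronepilot-fleet-v1"   # placeholder; public and fixed per product line


def drone_link_key(master: bytes, serial: str, purpose: str = "video-telemetry-link") -> bytes:
    """Key for one airframe. The purpose label keeps video keys and firmware keys apart."""
    return hkdf(master, FLEET_SALT, f"{purpose}|{serial}".encode(), 32)


def provision_fleet(master: bytes, serials) -> dict:
    """What the factory writes into each drone, and into the pairing record for its controller."""
    return {serial: drone_link_key(master, serial) for serial in serials}


if __name__ == "__main__":
    master = os.urandom(32)            # generated once, kept in the factory HSM
    for serial, key in provision_fleet(master, ["DP-00001", "DP-00002"]).items():
        print(serial, key.hex())
```

The controller learns its drone’s key at pairing time and nothing else; recovering the key from a crashed airframe gets an attacker that one aircraft’s video, not the fleet’s.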
5. Mr. Robot’s OSINT school
Perhaps the least obvious aspect of drone security is OSINT, or open source intelligence. Don’t leave traces of developer names in the mobile app or on the drone. A name leads to more information about your app on developer sites such as GitHub and Stack Overflow, and developers, who love to talk about their cool work, are often easy targets for social engineering. Likewise, don’t leave presentations, proposals, contracts and the like lying around on your website or in S3 buckets. Google indexes everything, and a well-formed search can be very informative. Start by searching “filetype:pdf site:yourdomain.com” against your own website. Michael Bazzell’s Open Source Intelligence Techniques book is also a great resource for the advanced user.
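Two of those traces are easy to check for yourself before publishing. Every PDF carries an Info dictionary (/Author, /Creator, /Producer) that exiftool or pdfinfo will show to anyone who downloads the proposal, and compiled apps routinely carry build-machine paths such as /Users/<login>/ that name whoever built them. The following is an added example, not from the original post; the PDF and binary fragments are constructed demo inputs, and the Info parser handles literal (...) strings only, not hex <...> strings or XMP metadata.

```python
"""Find the author and developer traces before an OSINT researcher does.

Added example, not from the original post. Two checks: the Info dictionary
fields of a PDF, which is what exiftool or pdfinfo show for every document you
publish, and build-machine paths left in a binary, which embed the login of
whoever compiled it. Sample inputs below are constructed; the Info parser
handles literal (...) strings only.
"""
import re

PDF_INFO_FIELDS = ("Title", "Author", "Subject", "Creator", "Producer", "Company")
_PDF_FIELD = re.compile(
    rb"/(" + b"|".join(f.encode() for f in PDF_INFO_FIELDS) + rb")\s*\(((?:\\.|[^\\)])*)\)")
_PDF_ESCAPE = re.compile(rb"\\([()\\])")   # \( \) \\ inside a PDF literal string

# /Users/<login>/, /home/<login>/ and C:\Users\<login>\ as left behind by toolchains
_BUILD_PATH = re.compile(rb"(?:/Users/|/home/|[A-Za-z]:\\Users\\)([A-Za-z0-9._-]+)[/\\]")


def pdf_info(data: bytes) -> dict:
    """Metadata fields from a PDF's Info dictionary, unescaped."""
    return {
        m.group(1).decode(): _PDF_ESCAPE.sub(rb"\1", m.group(2)).decode("latin-1")
        for m in _PDF_FIELD.finditer(data)
    }


def developer_logins(data: bytes) -> list:
    """Distinct user names recovered from build paths embedded in a binary."""
    return sorted({m.group(1).decode() for m in _BUILD_PATH.finditer(data)})


# Constructed minimal PDF with an Info dictionary as a word processor would write it.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Title (Fleet Proposal \\(draft\\)) /Author (Jane Doe)\n"
    b"   /Creator (Microsoft Word) /Producer (macOS Quartz PDFContext) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

# Constructed binary fragment with the kind of paths debug info and asserts leave behind.
SAMPLE_BINARY = (
    b"\x7fELF\x00\x00/Users/jdoe/dev/DronePilot/Sources/Telemetry.swift\x00"
    b"C:\\Users\\asmith\\src\\pilot\\app\\build.gradle\x00/home/ci/workspace/x\x00"
)

if __name__ == "__main__":
    print(pdf_info(SAMPLE_PDF))
    print(developer_logins(SAMPLE_BINARY))
```

Strip the metadata before a document goes on the website or into a bucket, and build release binaries on a machine whose paths say nothing about people; the two checks above belong in the release pipeline, not in an attacker’s notebook.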
No doubt we will have the same problems with the next technology platform; I’m fairly sure there have already been major ML hacks that we haven’t heard about. With luck, we can put the security problems of drones in the rearview mirror in the not too distant future.
Godfrey Nolan is the founder and president of RIIS LLC, a greater Detroit area mobile development company that creates amazing apps for the drone industry. He is a frequent speaker at industry events and the author of a variety of industry publications. He is also the author of Agile Swift and Agile Android on setting up agile testing for both mobile platforms using continuous integration (CI).