Public security threats and controls with IoT


Recently drones have been seen at airports and other sensitive areas. Drones are driven by IoT. What do you think about security threats because of IoT? What should be done to avoid them?

IoT Security
Hitesh Mathpal
16 months ago

3 answers


Yes indeed. Most of the drones used do not have a trusted platform module, so it is easy to hack them with fake firmware, and the communication between the controller and the drone is not encrypted, especially in cheaper models.

Shahram Mehraban
16 months ago
Thanks, Shahram. What are the controls, do you think? - Hitesh 16 months ago

Hi Hitesh, drones are indeed used to support sensitive services such as surveillance, search and rescue operations, or medical delivery. They are indeed considered IoT devices, since they are formed of a piece of hardware and software and are most often equipped with sensors, GPS, a camera, an audio interface and, of course, wireless communication with the ground control station or a remote control.

So, like any IoT device, security threats could arrive from one of the following 4 domains: (1) the IoT device itself (HW & SW), through physical or software attacks; (2) the communication/network (MitM, sniffing, etc.); (3) the server collecting and analyzing the data (if applicable); and (4) the application/remote control.

So the security controls or countermeasures must be implemented on all the levels to reduce the risks of a successful attack. As mentioned by Shahram above, a Trusted Platform Module could help in mitigating some physical and software attacks on the software/firmware side of the drone; implementing a secure channel (integrity and confidentiality) could mitigate some attacks on the network, etc.

But as you can see, these are still generic controls, and you should understand that there is no one-size-fits-all solution, which means vulnerabilities could be very specific to the protocols (e.g. MAVLink), OS, software, crypto library, etc. used, and therefore a dedicated security risk analysis is the first thing to start with.

We at Red Alert Labs generate (for our customers) what we call a "Security Profile", including product-type-specific security controls adapted to the operational environment - an efficient way to avoid spending effort on a detailed security risk analysis.

I hope this helps!

Roland Atoui
16 months ago
Thanks, Roland, for this detail. I agree a Trusted Platform is one potential option. However, do you think design guidelines or a protocol can help? - Hitesh 16 months ago
Hi Hitesh, sure. That's what I mean by a Security Profile. It's a set of security requirements that is supported by guidelines on how to implement and evaluate each one of them. - Roland 16 months ago

Or some rules on the locations and areas where you can NOT FLY drones.
Also, kids of a certain age should not fly drones etc.

Maya Kharkwal MA, BEd
16 months ago
I think rules are there but yes with kids this is required. - Hitesh 16 months ago
Yes, thanks Hitesh Mathpal - Maya 16 months ago
