New CS proposal: Drone Security

[godfreynolan]

What is the proposed Cheat Sheet about?

This drone security Cheat Sheet aims to ensure the safe and secure operation of unmanned aerial vehicles (UAVs) in various mobile, web and cloud applications.

What security issues are commonly encountered related to this area?

Insecure Communication Links, data transmitted can be intercepted Weak Authentication Mechanisms, default or weak passwords can allow unauthorized access Firmware Vulnerabilities, unencrypted firmware and vulnerable bootloaders can lead to unauthorized modifications Insufficient Physical Security, need to secure physical access to USB ports and other interfaces to prevent data theft or tampering Insecure Supply Chain, compromised components from suppliers can introduce hidden vulnerabilities Unsecured Third Party Components, third-party software libraries and components can compromise drone security Inadequate Logging and Monitoring, insufficient monitoring of drone operations can delay the detection of security breaches or operational anomalies Insecure Data Storage, sensitive data stored on drones can be accessed if not encrypted Spoofing and Replay Attacks, GPS or ADS-B data spoofing or command replay attacks could mislead or take control of the drone RF Interference and Jamming, drones can be disrupted or controlled through intentional RF interference or jamming Sensor Vulnerabilities, cameras, GPS and other sensors can be exploited to feed incorrect data to the drone systems. Cloud Storage and Data Management Vulnerabilities, inadequate security controls for drone data stored in the cloud (e.g., videos, logs, images) can lead to unauthorized access and data breaches End of Life Decommissioning Risks, inadequately secured decommissioning processes can leave residual data accessible, or hardware could be reused maliciously Interoperability and Integration Issues, integrating various systems and technologies without a cohesive security strategy can introduce vulnerabilities, e.g. web servers on cameras Third Party Services and API Security, external APIs used by drones or GCS might be insecure, providing a pathway for attacks User Error and Misconfiguration, incorrect configuration of drone systems by users can expose them to risks of unauthorized access or malfunction

What is the objective of the Cheat Sheet?

To provide developers working on mobile apps, websites, cloud systems and firmware for drones to understand the wide ranging risks.

What other resources exist in this area?

https://dronewolf.darkwolf.io/intro https://github.com/nicholasaleks/Damn-Vulnerable-Drone https://github.com/dhondta/dronesploit https://github.com/jezzab/DUMLdore