One drone manufacturer is stepping up to provide secure UASs for the American market: Anzu Robotics, which has announced its new Anzu Raptor with Air Control. Air Control is an application specific to the Anzu Raptor that provides security for the user. Anzu Robotics contracted with White Knight Labs to perform a pentest. A static test was performed on the code, along with a dynamic test observing the drone’s behavior in several areas of operation: real-time behavior, the data traffic interface, and communication with Aloft Air’s servers. Anzu feels its new commitment to security is a significant milestone for UAS design and security.

Assumptions:

It is my opinion that this pentest was geared more toward solving privacy issues concerning remote ID, and not delving into designing new hardware or software applications. The company admits licensing DJI firmware. Not taking anything away from ANZU, this is still a step in the right direction. Here in America, I think we still have development work to do.

 

References

Mortimer, G. (May 2024). sUAS News. Anzu Raptor: Saviour for US Drone Users, or Wolf in Sheep’s Clothing? https://www.suasnews.com/2024/05/anzu-raptor-saviour-for-us-drone-users-or-wolf-in-sheeps-clothing/

Ziering, J. (2024). Ensuring the Security of the Anzu Raptor: A Successful Penetration Test by White Knight Labs. https://www-aloft-ai.cdn.ampproject.org/c/s/www.aloft.ai/blog/ensuring-the-security-of-the-anzu-raptor-a-successful-penetration-test-by-white-knight-labs/amp/


 

Do DJI products and components pose vulnerabilities, and are they a risk to American security? Since 2018 the Department of Defense has raised concerns over drones, or UASs, built in countries that are not American allies and that pose a threat to American interests. To put it bluntly, in 2018 the DOD issued a ban on all drones regardless of the country where they were manufactured. Later that year Congress redefined the ban to cover only those UAS products manufactured or developed in what it termed a covered foreign country, which really means the Republic of China, the Russian Federation, the Islamic Republic of Iran, and the People's Republic of Korea. A direct quote from the Department of Defense reads, “The Department of Defense (DOD) position is that systems produced by Da Jiang Innovations (DJI) pose potential threats to national security (DOD)”.

I think most drone users in general just want to keep flying their drones, and in good faith they purchased the products from reputable US vendors. However, there is a Common Vulnerabilities and Exposures (CVE) entry, CVE-2022-29945. The vulnerability is that unencrypted information about the drone operator’s physical location is broadcast. The corresponding Common Weakness Enumeration entry is CWE-319, in which sensitive or security-critical data is transmitted in cleartext over a communication channel that can be sniffed by unauthorized actors. An information packet can traverse many different nodes on its path to its destination; a bad actor with privileged access to a network interface or channel along that path could sniff the traffic and see the underlying data. That is not something you want from a covered foreign country. A possible scenario is that a country with bad intent could sniff certain information and gain access to other networks, personal ID information, accounts, or worse, mission-critical locations within the United States.

The list of components:

Flight Controllers

Radios

Data transmission device

Camera

Gimbals

Ground Control System

Operating Software

Network Connectivity

Data Storage

 

The list covers everything that is needed for a UAS control system, so it would mean your drone would be useless if you are using DJI products. Just on a personal note, I know someone who works for the DOD, and I do not see those people wanting to limit Americans from using a product if they did not think there were some vulnerabilities or possibly some attack surfaces. If America finally bans products from these countries listed, as an American do you really want to support these countries? I think this will open the door for American companies to develop UAS technology.

 

References

CWE. (2024). CWE-319: Cleartext Transmission of Sensitive Information. https://cwe.mitre.org/data/definitions/319.html

Defense Innovation Unit. (2024). UAS Policy Guidance. https://www.diu.mil/blue-uas-policy

Department of Defense. (July 23, 2021). Department Statement on DJI Systems. https://www.defense.gov/News/Releases/Release/Article/2706082/department-statement-on-dji-systems/

NIST. (2024). CVE-2022-29945 Detail. https://nvd.nist.gov/vuln/detail/CVE-2022-29945

 

The Future of Unmanned Aircraft Systems

If you have just discovered this blog, it is about aviation cybersecurity in all areas, but it focuses on drones, or better termed, UASs. This page intends to post the facts surrounding aviation cybersecurity, new associated technology, and what the future is for those industries. It is my opinion that the FAA and the DOD want to change how you operate UASs in America. It is my assumption that currently the FAA is opening the door for Part 107, which is a commercial drone pilot license. In the coming future I think we will see big changes in commercial aviation, mainly in the area of product transport. I think this will enhance the safety of traditional manned flight for human transport. The adoption of UASs and the use of AI-assisted software will allow for a better managed airspace. This results in safer air travel. Below are some photos of how UASs have developed over the years.

