Issue 58 Uncrewed Systems Technology Oct/Nov 2024 WeRide Robotics | Simulation and testing | Orthodrone Pivot | Eurosatory report | WAVE J-1 | Space vehicles | GCSs | Maritime Robotics USV | Commercial UAV Expo | Zero USV

engineering is far more costly and complicated than including it in the early phases.”

Hack our Drone

Each workshop participant was provided with a drone, along with a smartphone-based controller, a laptop with Kali Linux either installed or with a bootable thumb drive from which to run it, tutorial guides, and a set of hand tools and cables.

Kali is an open-source Linux distribution, based on Debian, which is focused on information security tasks such as penetration testing, security research, computer forensics and reverse engineering. It comes packaged with around 600 penetration testing programs, all set up and configured for a security professional to use immediately.

The quadcopters that workshop participants subjected to their hacking attempts were based on the BeagleBone Blue single-board computer, while the GCS consisted of small handsets with joysticks and switches, with computing power provided by a smartphone.

“I like the use of smartphones over most other operating system choices for ground-control systems,” Broberg says. “My personal opinion is that smartphones are the most cybersecurity-hardened device available off the shelf.”

However, with physical access to both the smartphone GCS and the drone computer, passwords are likely to succumb to cracking tools such as John the Ripper, allowing access to and mapping of the network, operating system and firmware. These can then be analysed for vulnerabilities using other tools that come packaged with Kali, including Nmap for identifying hosts and IP addresses of all the devices, Binwalk for searching a binary image for embedded files and executable code, the Firmware Analysis Toolkit, plus Android-, Windows- and Linux-specific tools, and more.

The next steps are discovery, in which the information gathered in the mapping phase is used to identify vulnerabilities, and exploitation, in which those vulnerabilities are used to gain unauthorised access, escalate privileges or execute unauthorised actions.
While these are beyond the scope of a short workshop session, they are covered in Dark Wolf’s full course.

To protect against cyber threats that try to exploit vulnerabilities, UAS developers’ engineering teams must be aware of the cybersecurity requirements that their products will need to meet from both a regulatory and a due diligence point of view, anticipating them for their potential customer base, Broberg says.

“Fortunately, they do not have to reinvent the wheel. For one common architecture, just applying baseline Linux security configurations to the UAV, Android security lockdowns to the GCS, reviewing their communication protocols and then documenting that security configuration will bring them a long way towards meeting any compliance requirements,” he adds.

While the participants in Dark Wolf’s workshop have physical access to vehicles and ground-control stations, those systems can be hacked remotely, just like any computer system connected to a network. There are, for example, weaknesses in wireless communication protocols that can be exploited, especially weak or default passwords or encryption keys. Insecure firmware/software update processes can be compromised to inject vulnerabilities into UAS, and an increasing number of UAVs are monitored, updated or even controlled remotely, and those remote network services can be vulnerable to attack, Broberg says.

UAVs have similarities to and differences from other networked

Ronald Broberg | In conversation

Unfortunately, the most common vulnerabilities are fairly well-understood weaknesses in poorly configured IoT systems

During his Lockheed Martin career, Broberg worked on several key US military command-and-control programmes, including the Command, Control, Battle Management and Communications (C2BMC) system (Image courtesy of Lockheed Martin)
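
As an added illustration (not from the article or from Dark Wolf's course material), the Python sketch below checks a UAV companion computer's sshd_config against a small baseline and emits a record that can be kept as the documented security configuration Broberg mentions. The baseline values, host name and sample file are assumptions constructed for this example; Match blocks and Include files are not evaluated.

```python
import json

# Assumed baseline for this example (not from the article): keyword -> required value.
BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",
            "permitemptypasswords": "no"}
# Upstream OpenSSH defaults, applied when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no"}

# Constructed sample file; note the duplicated PermitRootLogin keyword.
SAMPLE = """\
# constructed sshd_config for a hypothetical UAV companion computer
Port 22
PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
"""

def parse_sshd_config(text):
    """Return global settings; sshd keeps the FIRST value it reads for a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # conditional blocks are out of scope for this sketch
        settings.setdefault(key, value)  # later duplicates are ignored, as in sshd
    return settings

def audit(text, host):
    """Compare effective settings with BASELINE and return a documentable record."""
    settings = parse_sshd_config(text)
    findings = []
    for key, required in BASELINE.items():
        actual = settings.get(key, DEFAULTS[key])
        findings.append({"setting": key, "required": required, "actual": actual,
                         "source": "file" if key in settings else "default",
                         "compliant": actual == required})
    return {"host": host, "findings": findings,
            "compliant": all(f["compliant"] for f in findings)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, "uav-01"), indent=2))
```

The sample fails on two counts: the first `PermitRootLogin yes` wins over the later `no`, and password authentication is enabled by default because the file never sets it.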
