Military Embedded Systems

Can you trust that drone?


January 31, 2017

A U.S. Navy bouancy glider similar to one seized by Chinese forces. US Navy Photo

The recent activities in the South China Sea of the seizure and subsequent return by China of a U.S. unmanned underwater vehicle (UUV) ? also known as an ?ocean glider drone? - has once again brought drone security into the spotlight. Securing data collected as part of Internet of Things (IoT) environments is top of mind, and never more so than in military applications.

Collecting sensor data is one of many special communications requirements placed on drones. In many cases, sensor data collection is the very reason for the drone!

Securing that data is a challenge. Let’s look at why. First, the sensor data is able to be stored but, more commonly, the data is transmitted as it is gathered, leaving it vulnerable to interception. Second, while some drones are fully autonomous, most are semi-autonomous and use a combination of local and remote control, resulting in another weak link in the security chain. Adding to the challenge, drones are commonly deployed in hostile environments; others may attempt to recover data from captured drones.

The encryption all of communication between a drone and its ground station is vitally important. All command and control data, including high bandwidth video feeds, should be encrypted. Modern systems can perform encryption with little overhead, so it is reasonable to require manufacturers to encrypt all communications.

Encryption can provide three critical capabilities. First, it can protect the contents of data. Second, it can protect the integrity of data – any corruption of encrypted data or attempts to modify it are immediately detected. Encryption offers complete end-to-end protection of a data stream from both disclosure and tampering. Note that it's possible to have multiple types of encryption on a single system, using different algorithms and different encryption keys. For example, sensor data could be encrypted with a relatively short key and a fast algorithm for minimal overhead, while command and control data can be encrypted with long keys and robust algorithms.

Finally, encryption can provide secure identity. Public key cryptography can be used to prove the identity of a system. For example, to verify the identity of a drone, a base station would encrypt a message using the drone's public key. Assume that this message contains the base station’s public key. The drone would decrypt the message using the drone’s private key, giving the drone the base station’s public key. The drone would then use this key to encrypt a message containing the drone’s serial number. The base station would then decrypt this message with its private key and confirm the drone’s serial number. At this point, the drone and the base station have confirmed each other’s identity.

One potential flaw in this approach is that someone might be able to retrieve the key pair from the drone and clone it or use it in other systems. A pure software implementation can be compromised if a hostile party can obtain access to the hardware.

This can be addressed by using a hardware root of trust, such as a Trusted Processing Module (TPM). The TPM can both store encryption keys as well as perform crypto operations entirely inside the TPM. The encryption keys are never visible outside of the TPM, ensuring the identity and trustworthiness of the system in question. A TPM can be physically captured and used, but it can't be copied or cloned.

A TPM is designed to resist a wide range of attacks. In the case of a captured a drone, only that specific drone would be compromised. An attacker can't gain access to the secrets inside the TPM, and the drone can be securely isolated from the rest of the overall system by removing its public keys.

Use of X.509 certificates for key management - and this is strongly recommended! - can be effective for tasks such as certificate signing, delegating portions of roots of trust, key revocation, and key lifetimes. The combination of certificates, hardware root of trust (TPM), and an Identity Management System offers an effective and efficient infrastructure for maintaining the integrity, identity, and security of these mobile platforms and the distributed systems that use them.

Cryptography can be used in other ways. Blockchains, popularized by applications like BitCoin, are a powerful tool for verifying the integrity of data. A blockchain signature connected to a block of data can verify the integrity of that data as well as all data that precedes it. A related technology that can also aid in security is Perfect Forward Secrecy, which is used in applications such as the Linux journald logfile system to ensure that logfiles haven't been tampered with.

High value distributed systems such as drones need to ensure that they are trustworthy and that they cannot be turned against their users. Crypto technologies and hardware root of trust solutions are key tools for mission integrity.