We’ve written about drones and corporate security twice before and we’re already past due for an update: while most tech developments in the security industry are gradual evolutions, the changes we’ve seen in the drone space are downright revolutionary.
The threat is real. Drones are showing up in all kinds of places that they shouldn’t be, impacting security and privacy in new ways month by month. Incidents are on the rise everywhere. No other new technology has had such a disruptive impact on the security landscape, and nothing indicates that this trend will slow down anytime soon.
We’ve experienced several firsthand ourselves. In Xian, China, where the photos are from, a drone suddenly appeared over a large public/private event and no one – least of all the local police – seemed to have the slightest idea what to do about it.
Our previous blog posts in 2014 and in 2015 provided an overview of what drones are all about and how they affect corporate security. They also discussed legislation and the kinds of countermeasures that can be employed to mitigate threats from drones. In this post, we’ll give a brief update on the key laws governing drone use, and then focus on the recent advances in drone technology and their implications for security.
US drone legislation in 2016
Governments around the world are hustling to keep up with the proliferation of low-cost drones that can do more and more – and are the cause of increasing concern for everything from personal privacy to civil aviation, event security and prison perimeters.
Here are the key legislative developments in the US:
- As of January 2016, ALL drones – also the small recreational ones – had to be registered in the U.S. through a simple online registration process
- New FAA ruling: In a long-awaited ruling that was announced in June 2016, the United States’ Federal Aviation Authority made clear that recreational drone pilots can pretty much continue flying as previously. Life just got simpler for US companies and for-profit entities, however. Whereas they previously needed FAA permission to operate, they now just have to adhere to a set of new guidelines. Key among these are that drone operators for devices weighing less than 25 kg (55 lbs.) must pass a drone certification exam and complete a UAV ground operator’s course; drones must stay within the line of sight and may not fly at night, over 100 miles per hour, or higher than 400 feet from the ground. Should a business wish to bypass some of these guidelines, they must request a waiver/permission from the government. Importantly, this new ruling does not apply to autonomous flight, so companies like Amazon can’t automate deliveries just yet, and security companies can’t have drones “patrolling” areas without an operator/pilot on duty.
- No-fly zones are becoming more common, and while drone software may not take regulations into account, the pilots have to. This is taken care of thanks to NOTAMs (Notice to Airmen) and local charts (knowledge gained from courses and test prep.)
Rules and legislations are still somewhat chaotic in Europe
The European Aviation Safety Agency (EASA) has announced that they’re working on new rules and amending previous ones in 2016 and 2017, but there’s nothing too concrete quite yet.
As in the past, pan-European legislation remains weak, and drone legislation is still very much a country-by-country affair.
The corporate threats posed by drones we mentioned last year are still a major issue—and new drone technology is not helping
Drones are increasingly used to spy on celebrities, executives and others. Sensitive locations (private properties, offices, etc.) are still very vulnerable to scouting and surveillance via drones. Drones spying on Wi-Fi/Bluetooth signals and engaging in “rooftop packet sniffing” – which allows suitably equipped drones to fly into a Wi-Fi or Bluetooth zone in order to capture data packets – has become easier as the software and tech needed are easily obtained.
What’s made the situation worse is, simply put, advances in technology. Better cameras, better microphones, longer deployment ranges and cheaper UAVs mean that nefarious parties have better flying tools than ever.
The vast majority of new drones are equipped with decent-to-great cameras. They can provide live feeds of least 720p, with 1080p quickly becoming the norm; when it comes to recording, expect 1080p and up – all the way up to 4K in some cases.
As for pictures, expect 12MP or more. Some UAVs are either pre-equipped with cameras on Gimbal mounts, or have mounts for cams such as GoPro. All of this is combined with greater storage capacities, allowing for hours and hours of footage or data to be acquired and stored. Automated flight features (return to home, orbit, waypoint, follow) are also pretty much standard. Prices have dropped across the board. Even “high-end” models can be found for $2000. Entry-level UAVs with 1080p recording can be had for $500 or even less in some cases.
Two new threat types that drones pose for corporate security
There are two types of threats we didn’t mention previously that now deserve mention:
- Stolen or “repurposed” drones: As storage solutions expand, more and more data can be stored on the drones themselves: video footage, audio footage, passwords, and more. What happens if a corporation or other organization decides to use UAVs, and then loses one of them? Does the drone carry sensitive data? How secure is that data? If the drone gets snatched by hostiles, what could they extract from it? When it comes to security, drones used by corporations become, at this point, not unlike laptops or mobile devices. Both the physical and cyber- security of the device must be taken into account, and response plans should be put into place in case anything happens to it.
- Insider threats: Similarly, how do corporations protect themselves from rogue employees acting as corporate spies who illicitly capture and share data collected by corporate drones?
Anti-drone technology: Where do we stand?
Drone neutralization (disabling or destroying the device) is a very delicate topic, and case law in the U.S. and most European countries limits the ability to use drone neutralization capabilities.
Why? Well, for one thing at least in the U.S, the FAA considers drones to be like other aircraft when it comes to blasting them out of the sky: shooting them down could put the public at risk. Liability for the damages a falling drone might cause rests on the neutralizing party, not the drone owner.
Additionally, whether you think the drone is bothersome or not, it is still the property of the remote operator. Lower courts have ruled both for and against the “drone killers” who see drones as trespassers and blow them out of the sky with shotguns. Law enforcement agencies have limited ability to enforce local drone regulation—whether by perception, limited resources, or a lack of clear guidance.
As of now, early warning systems are the best defense for most organizations…
Early warning systems all have pros and cons, primarily relating to the operational environment. The three primary ways of detecting drones are sight (cameras), sound (mics), and radio frequencies.
Detecting drones with RF is more difficult in the urban areas where most people are. There are more birds and radar ghosts due to signal bounce–ultimately leading to false reporting. RF works better in rural areas as it has greater reach, and most systems provide direction finding capabilities and utilize cameras for rapid visual identification. Sound works better in urban areas, but it’s highly recommend that sound systems be complemented with a camera sub-system.
In short, there’s no “one size fits all” solution when it comes to warning systems. Organizations need to weigh the pros and cons of each solution and consider their location(s) in order to deploy the most effective defense.
…but there is one general fix that will work for many corporations and estates: heliports
As we mentioned above, the FAA recently changed its rulings, simplifying where “recreational” drones may fly. At first glance, it might seem that small drones can fly pretty much anywhere in the country, as long as they stay below 400 feet, stay within visual line of site and keep away from airports. Take a closer look at the rules, however, and you’ll notice another important exception that rarely gets mentioned along with airports: heliports.
This doesn’t mean that you can paint an “H” on your lawn and claim you’re a heliport. It does mean that corporations and estates, for a relatively small investment, can ensure both that helicopters can land on the property – and that drones can get nowhere near it.
We expect the future of drone-related security to be impacted by several factors.
They’ll become more quiet as motors improve and rotor blade technology gets better. This is great if you’re the one deploying the drone, but not great if you’re defending against them.
They’ll get smarter, too. Look for even better autonomous operation technology in commercial drone systems as they incorporate video manipulation technologies and algorithms for facial recognition, ground mapping, change detection and predictive insights.
And of course, all of this will of course be combined with what we come to expect in almost every other area where tech meets transistors: better, faster, cheaper. Expect further improvements on everything we mentioned above – better performance, cams, mics and storage capabilities – and all at a lower price.