UAV Integration: Privacy and Security Hurdles
Todd Humphreys | Aerospace Engineering, The University of Texas at Austin
Royal Institute of Navigation UAV Conference | February 12, 2013
Acknowledgements
• University of Texas Radionavigation Lab graduate students Jahshan Bhatti, Kyle Wesson, Ken Pesyna, Zak Kassas, Daniel Shepard, and Andrew Kerns
2012 FAA Modernization Act
• February 2012: President Obama signs an Act mandating that the FAA draw up a plan by 2015 to integrate unmanned aerial vehicles into the national airspace.
• Key early milestone: By August 2012, FAA must select 6 test sites in the U.S. where integration exercises can begin.
• Still waiting …
Hurdles to Integration
• Privacy: Low cost, ease of use eliminate practical privacy protections
• Security: (1) Secure navigation, (2) secure command and control, (3) secure sense and avoid, and (4) secure telemetry (e.g., video feed)
Privacy (1/2)
• U.S. Supreme Court precedent is fairly clear: No expectation of privacy in open fields (e.g., in backyards) that are naked-eye-visible from public airways (e.g., Florida v. Riley)
• Surveillance of U.S. citizens from manned domestic aircraft is routine
• But the news is abuzz with drones; citizens nervous; Virginia has passed a broad law against drones; Texas legislators trying
• Why? What is new here?
Privacy (2/2)
• Why? Because UAVs could change the balance
• Could eliminate a practical privacy protection: high cost and inconvenience of manned surveillance aircraft
• Growing realization that citizens do, in fact, have an expectation of privacy even when in public places: an expectation to not be continuously monitored
• Decision and concurring opinions in U.S. v. Jones suggest that SCOTUS is sympathetic to this expectation
Privacy Recommendations
• No blanket injunction against imagery of private citizens on private land (bad for hobbyists and researchers)
• Apply Peeping Tom / Improper Photography laws
• “Cone of transparency” for non-hobbyist UAVs: data on owner and purpose of UAVs above you should be readily accessible
• If problem worsens, perhaps a Texas solution: authorize property owners to shoot at unidentified UAVs over their property
Commandeering a UAV via GPS Spoofing
[Diagram labels: Target UAV; Receive Antenna; External Reference Clock; Spoofed Signals as a “Virtual Tractor Beam”; Control Computer; Internet or LAN; Transmit Antenna; GPS Spoofer; UAV coordinates from tracking system]
Observations (1/2)
• RAIM was helpful for spoofing: we couldn’t spoof all signals seen by UAV due to our reference antenna placement, but the Hornet Mini’s uBlox receiver rejected observables from authentic signals, presumably via RAIM.
• 5-8 dB power advantage is required for clean capture: A matched-power takeover leads to large (50-100 m) multipath-type errors as the authentic and counterfeit signals interact.
• The UAV’s heavy reliance on altimeter for vertical position was easily overcome by a large vertical GPS velocity.
Observations (2/2)
• GPS capture breaks flight controller’s feedback loop; now spoofer must play the role formerly assumed by GPS. Implication: Fine control of UAV requires accurate radar or LIDAR UAV tracking system.
• Seamless capture (no code or carrier phase unlock) requires target position knowledge to within ~50 m and velocity knowledge better than ~2 m/s. This is quite challenging for small UAV targets at long stand-off ranges (e.g., several km).
• Compensating for all system and geometric delays to achieve meter-level alignment is challenging but quite possible.
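One consistency check a flight controller could run against the vertical-velocity observation above, as an added Go example that is not from the talk. The sample data, the 3 m/s threshold, the three-epoch persistence window and the positive-up sign convention are all assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one 1 Hz navigation epoch. Vertical velocity is positive up (assumed convention).
type Sample struct {
	BaroAltM float64 // barometric altitude, metres
	GPSVzMps float64 // vertical velocity reported by the GPS receiver, m/s
}

// flight is constructed data: level flight, one isolated GPS glitch at index 3,
// then from index 6 the GPS reports a steady climb that the altimeter never sees.
var flight = []Sample{
	{100.0, 0.1}, {100.2, 0.2}, {99.9, -0.3}, {100.1, 6.0}, {100.0, 0.0},
	{100.1, 0.1}, {99.8, 8.0}, {100.0, 8.5}, {100.2, 9.0}, {100.1, 9.0},
}

// FirstAlarm returns the index of the first epoch at which GPS vertical velocity has
// disagreed with the altimeter-derived climb rate by more than threshMps for
// persist consecutive epochs, or -1 if that never happens.
func FirstAlarm(s []Sample, dtSec, threshMps float64, persist int) int {
	if dtSec <= 0 || persist < 1 {
		return -1
	}
	run := 0
	for i := 1; i < len(s); i++ {
		baroRate := (s[i].BaroAltM - s[i-1].BaroAltM) / dtSec
		if math.Abs(s[i].GPSVzMps-baroRate) > threshMps {
			run++
			if run >= persist {
				return i
			}
		} else {
			run = 0 // an isolated outlier does not raise the alarm
		}
	}
	return -1
}

func main() {
	fmt.Println("first alarm at epoch", FirstAlarm(flight, 1, 3, 3))
}
```

The persistence window trades detection delay against false alarms from single-epoch receiver glitches such as the one at index 3.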
Recommendations
From testimony to House Committee on Homeland Security, July 19, 2012
• Require navigation systems for UAVs above 18 lbs to be certified “spoof-resistant”
• Require navigation and timing systems in critical infrastructure to be certified “spoof-resistant”
• “Spoof-resistant” defined by ability to withstand or detect civil GPS spoofing in a battery of tests performed in a spoofing testbed (e.g., TEXBAT)
Secure Sense and Avoid
• Many in the aviation community believe that the only sense and avoid (SAA) technology that is broadly applicable to all UAVs will be based on Automatic Dependent Surveillance-Broadcast (ADS-B)
• ADS-B: Each aircraft periodically (e.g., 1 Hz) broadcasts an identifier, a position, and velocity
Problem: FAA introduced no provision for authentication in ADS-B broadcast
ADS-B False Injection Attack
Magazu, Mills, Butts, Robinson, “Exploiting the ADS-B System via False Target Injection,” JAAP, fall 2012
Altering Live ADS-B Data
Magazu, Mills, Butts, Robinson, “Exploiting the ADS-B System via False Target Injection,” JAAP, fall 2012
The ability to read live ADS-B broadcasts and generate slightly altered versions of these should be of significant concern to the FAA: How will ground radar pick out the right aircraft from within a “cloud” of nearby phantom aircraft?
Root Problem
FAA’s organization and culture have historically targeted safety and efficiency, not security: 96-page NextGen Implementation Plan (2011) references safety over 100 times, efficiency at least 50 times, security less than 5 times.
Recommendations
• Strongly consider re-designing ADS-B
• Broadcasts still in the clear
• Each broadcast signed using a public/private-key framework
• Revised broadcast would need to be significantly lengthened to ensure digital signature strength
• Update key database before flight
• Use Iridium satellite constellation for en-route key management (e.g., key revocation)
A re-design would set NextGen back years.
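The signed-broadcast idea recommended above, as an added Go example that is not from the talk. Ed25519 is an assumed choice of signature algorithm, and the Report layout, ICAO values and coordinates are constructed; the receiver's map stands in for the key database updated before flight.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Report is a simplified position report (constructed layout, not the real ADS-B encoding).
type Report struct {
	ICAO                uint32 // aircraft identifier
	LatE7, LonE7, AltFt int32  // degrees*1e7, degrees*1e7, feet
}

func (r Report) Encode() []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, r) // fixed-size fields, cannot fail
	return buf.Bytes()
}

// Sign returns the cleartext payload followed by its 64-byte Ed25519 signature.
func Sign(priv ed25519.PrivateKey, r Report) []byte {
	return append(r.Encode(), ed25519.Sign(priv, r.Encode())...)
}

// Verify accepts a broadcast only if its ICAO is in the key database and the signature checks.
func Verify(db map[uint32]ed25519.PublicKey, msg []byte) bool {
	n := len(msg) - ed25519.SignatureSize
	if n != binary.Size(Report{}) {
		return false
	}
	pub, known := db[binary.BigEndian.Uint32(msg)]
	return known && ed25519.Verify(pub, msg[:n], msg[n:])
}

// Demo checks a genuine broadcast, an altered copy, and a phantom from an unlisted key.
func Demo() (genuine, altered, phantom bool, size int) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	db := map[uint32]ed25519.PublicKey{0xA1B2C3: pub}
	msg := Sign(priv, Report{0xA1B2C3, 302849000, -977334000, 12000})
	bad := append([]byte(nil), msg...)
	bad[7] ^= 0x40 // constructed tamper: nudge the latitude field
	ghost := Sign(rogue, Report{0xDEAD01, 302900000, -977300000, 12000})
	return Verify(db, msg), Verify(db, bad), Verify(db, ghost), len(msg)
}

func main() { fmt.Println(Demo()) }
```

The 16-byte payload becomes an 80-byte broadcast once signed. For comparison, a 1090ES ADS-B message is 112 bits in total, so a 64-byte signature alone is more than four times the length of the current frame.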
UAV Integration: Summary of Challenges
• Privacy: Legislate privacy protections that are acceptable to the public without stifling nascent commercial UAV industry
• Security: (1) Develop secure/robust navigation technology, (2) require encrypted command and control links (with master keys for law enforcement), (3) find a secure and broadly applicable sense and avoid technology (e.g., re-design ADS-B), and (4) encrypt telemetry (e.g., video feed)