This article discusses the privacy and security challenges faced in the integration of unmanned aerial vehicles (UAVs) into the national airspace. It explores the issues of privacy protection, secure navigation and control, and the need for spoof-resistant systems. Recommendations for addressing these hurdles are also provided.
UAV Integration: Privacy and Security Hurdles
Todd Humphreys | Aerospace Engineering, The University of Texas at Austin
Royal Institute of Navigation UAV Conference | February 12, 2013
Acknowledgements
• University of Texas Radionavigation Lab graduate students Jahshan Bhatti, Kyle Wesson, Ken Pesyna, Zak Kassas, Daniel Shepard, and Andrew Kerns
2012 FAA Modernization Act
• February 2012: President Obama signs an Act mandating that the FAA draw up a plan by 2015 to integrate unmanned aerial vehicles into the national airspace.
• Key early milestone: By August 2012, FAA must select 6 test sites in U.S. where integration exercises can begin.
• Still waiting …
Hurdles to Integration
• Privacy: Low cost, ease of use eliminate practical privacy protections
• Security: (1) Secure navigation, (2) secure command and control, (3) secure sense and avoid, and (4) secure telemetry (e.g., video feed)
Privacy (1/2)
• U.S. Supreme Court precedent is fairly clear: No expectation of privacy in open fields (e.g. in backyards) that are naked-eye-visible from public airways (e.g., Florida v. Riley)
• Surveillance of U.S. citizens from manned domestic aircraft is routine
• But the news is abuzz with drones; citizens nervous; Virginia has passed a broad law against drones; Texas legislators trying
• Why? What is new here?
Privacy (2/2)
• Why? Because UAVs could change the balance
• Could eliminate a practical privacy protection: high cost and inconvenience of manned surveillance aircraft
• Growing realization that citizens do, in fact, have an expectation of privacy even when in public places: an expectation to not be continuously monitored
• Decision and concurring opinions in U.S. v. Jones suggest that SCOTUS is sympathetic to this expectation
Privacy Recommendations
• No blanket injunction against imagery of private citizens on private land (bad for hobbyists and researchers)
• Apply Peeping Tom / Improper Photography laws
• “Cone of transparency” for non-hobbyist UAVs: data on owner and purpose of UAVs above you should be readily accessible
• If problem worsens, perhaps a Texas solution: authorize property owners to shoot at unidentified UAVs over their property
Commandeering a UAV via GPS Spoofing
[Diagram: Spoofed Signals as a “Virtual Tractor Beam”. Labels: Target UAV; Receive Antenna; External Reference Clock; Control Computer; Internet or LAN; Transmit Antenna; GPS Spoofer; UAV coordinates from tracking system]
Observations (1/2)
• RAIM was helpful for spoofing: we couldn’t spoof all signals seen by UAV due to our reference antenna placement, but the Hornet Mini’s uBlox receiver rejected observables from authentic signals, presumably via RAIM.
• 5-8 dB power advantage is required for clean capture: A matched-power takeover leads to large (50-100 m) multipath-type errors as the authentic and counterfeit signals interact.
• The UAV’s heavy reliance on altimeter for vertical position was easily overcome by a large vertical GPS velocity.
Observations (2/2)
• GPS capture breaks flight controller’s feedback loop; now spoofer must play the role formerly assumed by GPS. Implication: Fine control of UAV requires accurate radar or LIDAR UAV tracking system.
• Seamless capture (no code or carrier phase unlock) requires target position knowledge to within ~50 m and velocity knowledge better than ~2 m/s. This is quite challenging for small UAV targets at long stand-off ranges (e.g., several km).
• Compensating for all system and geometric delays to achieve meter-level alignment is challenging but quite possible.
Recommendations
From testimony to House Committee on Homeland Security, July 19, 2012
• Require navigation systems for UAVs above 18 lbs to be certified “spoof-resistant”
• Require navigation and timing systems in critical infrastructure to be certified “spoof-resistant”
• “Spoof-resistant” defined by ability to withstand or detect civil GPS spoofing in a battery of tests performed in a spoofing testbed (e.g., TEXBAT)
Secure Sense and Avoid
• Many in the aviation community believe that the only sense and avoid (SAA) technology that is broadly applicable to all UAVs will be based on Automatic Dependent Surveillance-Broadcast (ADS-B)
• ADS-B: Each aircraft periodically (e.g., 1 Hz) broadcasts an identifier, a position, and velocity
Problem: FAA introduced no provision for authentication in ADS-B broadcast
ADS-B False Injection Attack Magazu, Mills, Butts, Robinson, “Exploiting the ADS-B System via False Target Injection,” JAAP, fall 2012
Altering Live ADS-B Data
Magazu, Mills, Butts, Robinson, “Exploiting the ADS-B System via False Target Injection,” JAAP, fall 2012
The ability to read live ADS-B broadcasts and generate slightly altered versions of these should be of significant concern to the FAA: How will ground radar pick out the right aircraft from within a “cloud” of nearby phantom aircraft?
Root Problem
FAA’s organization and culture have historically targeted safety and efficiency, not security: 96-page NextGen Implementation Plan (2011) references safety over 100 times, efficiency at least 50 times, security less than 5 times.
Recommendations
• Strongly consider re-designing ADS-B
• Broadcasts still in the clear
• Each broadcast signed using a public/private-key framework
• Revised broadcast would need to be significantly lengthened to ensure digital signature strength
• Update key database before flight
• Use Iridium satellite constellation for en-route key management (e.g., key revocation)
A re-design would set NextGen back years.
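The signed-broadcast scheme recommended above, as an added Go example that is not part of the original slides: the report stays in the clear, a signature is appended, and the receiver checks it against a key database loaded before flight, with revocation modeled as deleting the entry. The 18-byte report layout, the names `Report`, `KeyDB`, `Frame` and `Verify`, and the choice of Ed25519 are assumptions; the slides name no algorithm or format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Report is a constructed layout (not the real ADS-B format) holding the
// identifier, position and velocity that each aircraft broadcasts.
type Report struct {
	ICAO                uint32
	LatE7, LonE7, AltFt int32
	VelKt               uint16
}

const reportLen = 18 // encoded size of Report in bytes

// KeyDB maps identifier to public key; revoking a key deletes its entry.
type KeyDB map[uint32]ed25519.PublicKey

// Frame returns the cleartext report followed by its 64-byte signature.
func (r Report) Frame(priv ed25519.PrivateKey) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, r) // fixed-size struct, cannot fail
	return append(buf.Bytes(), ed25519.Sign(priv, buf.Bytes())...)
}

// Verify rejects frames that are malformed, unknown, revoked or altered.
func (db KeyDB) Verify(frame []byte) error {
	if len(frame) != reportLen+ed25519.SignatureSize {
		return errors.New("wrong frame length")
	}
	pub, ok := db[binary.BigEndian.Uint32(frame)]
	if !ok {
		return errors.New("no trusted key for this identifier")
	}
	if !ed25519.Verify(pub, frame[:reportLen], frame[reportLen:]) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	db := KeyDB{0xABC123: pub}               // constructed identifier
	f := Report{0xABC123, 302849000, -977354000, 12000, 250}.Frame(priv)
	fmt.Println(len(f), db.Verify(f))
}
```

The frame is 82 bytes, 64 of them signature, against the 112 bits of a current 1090 MHz extended squitter message; that is the lengthening the slide refers to.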
UAV Integration: Summary of Challenges
• Privacy: Legislate privacy protections that are acceptable to the public without stifling nascent commercial UAV industry
• Security: (1) Develop secure/robust navigation technology, (2) require encrypted command and control links (with master keys for law enforcement), (3) find a secure and broadly applicable sense and avoid technology (e.g., re-design ADS-B), and (4) encrypt telemetry (e.g., video feed)