At this year’s NAB (National Association of Broadcasters) Show, one of the themes focused on drones and the important role aerial robotics are beginning to fill during video content production. Intertrust participated in this year's NAB Show with a booth presence and appearances from our Chief Product Officer Tim Schaaff. At our booth, we had a bit of fun with the drone theme and gave away a drone to a lucky attendee. Yet, with all the fun and excitement surrounding drones, there are still serious concerns as to the security of these flying robots. So, we are following up with some technical information on just how two of Intertrust's products, whiteCryption and ExpressPlay, could improve the security environment of drones.
Attacking the Control App
While drones are a type of aerial robotics, the majority of the products on the market are remotely controlled to a greater or lesser extent by a human pilot. Many drone manufacturers use a mobile app for controlling their drones that the pilot downloads to their smartphone or tablet. These apps typically allow the pilot to do such things as plan the flight pattern, send control commands to the drone and view the video stream coming from the drone.
As with any other mobile app, if not properly protected these control apps are vulnerable to hacking techniques such as reverse engineering, side-channel attacks or improper access to internal secrets when run on a "jailbroken" or "rooted" mobile device. If a bad actor uses these techniques to access an app, the potential consequences include injection of malware into the app or theft of intellectual property. Also, while strong encryption of the link between the mobile device and the drone is not universal (which can be a great concern), there are apps that encrypt communications with the drone as well as view an encrypted video feed. Again, if the app developer doesn't take precautions, the private cryptographic keys for the encryption (as well as other security features on the device such as controlling access to the mobile data feed) could be revealed in the source code of the app or in the memory of the device.
None of these attacks are unique to an app controlling a drone. What is unique is that the drone is a kinetic device which, for filming work, can weigh about 25 kilograms (approximately 55 pounds) and fly up to 72 kilometers per hour (45 miles per hour). Should a control app be compromised in some fashion, there are potentially serious risks to property or human health (i.e., the drone could crash into something or somebody).
The video feed from the drone is also considered valuable intellectual property and could be intercepted by an unauthorized actor if hacked. The threat to the video feed also doesn't stop after transmission from the drone. Typically, a video feed from a drone is sent to a server, from where it could be transmitted live for a news show or sporting event. Once the video is transmitted to the server, if it was encrypted in transit from the drone, it should be decrypted before it is distributed, making it yet again vulnerable.
Intertrust's whiteCryption technology helps protect apps such as control apps for drones in a couple of ways. First, the software uses hardening and obfuscation techniques at the source code level to protect the app software from reverse engineering and other attacks. It also employs white-box cryptography techniques to hide cryptographic keys from unwanted eyes. whiteCryption's white-box cryptography technology is the only such technology on the market rated FIPS 140-2, meaning it is acceptable for U.S. Federal Government use. whiteCryption is already used in mission-critical applications such as protecting apps used with a major European automobile manufacturer's cars as well as in software for medical devices, so it is well suited for drone apps.
For protecting video distributed from the server, ExpressPlay, Intertrust's cloud-based DRM (digital rights management) service, plays a role. Used in protecting premium video distributed by major OTT (over-the-top) video service providers around the world, ExpressPlay offers a set of tools for video distributors to simply and cost-effectively add DRM at scale.
News and sporting event production crews working with drone video can benefit from the same features that OTT video distributors are already using such as a) ability to handle live video, b) support of all major mobile and desktop platforms so collaborators can use their device of choice, c) a simple sign-up process, and d) usage-based pricing that can scale up or down with the service. ExpressPlay makes it easy for a production team to use the same technology protecting finished Hollywood movies to control and protect distribution of this valuable drone video.