This post is a quick recap of Global Drone Security Network (GDSN) #3.
We are honoured to host presentation from Victor Vuillard from Parrot. If you haven't watched his talk "Parrot, from Cybercrime by Design to Bug Bounty" please visit our YouTube channel.
Parrot, from Cybercrime by Design to Bug Bounty
Hello, everybody. And nice to be at GDSN again, it's a real pleasure for me. And I talk to you today about cyber security at Parrot and what brought us to bug bounty. So just before starting, I don't know if you see my slide. Yes you do. It was quite important to explain the whole journey to the bug bounty, because at the end of the day, bug bounties, I would say is kind of an accomplishment. But it is there because we are a few steps before and it makes sense, because we did a lot before that. So just before I begin on cyber security, just a few information concerning Parrot for those that don't know us. So we design and manufacture small drones. And our latest product is ANAFI USA, which is an awesome drone. Really, it's quite small, and it can be unpacked in less than a minute. It's really quiet. But still, it has an awesome capability. And it can zoom 32 times, which means that you can basically see someone at two kilometers away and see if people have a gun, or have a precise view of what's happening there. And, of course, cyber security and trust is also quite important because this drone is made in the US and we had careful choice of components so that it's NDA compliant. So there is basically what's about ANAFI, it's an awesome small drone, but very powerful. And of course, secured. So first, let's talk about security by design. It's not quite easy to define security by design, because there can be a lot under this definition. But first, it's important to mention that, for us, security by design begins with people. People are quite important because it's them that design the product, develop and implement what's in the product. So security awareness at Parrot is not just a matter of the security team it's really a concept. It's a awareness that is spread across the whole organization, from the CEO, to product managers, to developers. And basically everybody is aware of cybersecurity. And to me, that's one of the main point, it's quite important that people get involved, that people understand what are the security need, and understand that it's important to protect your clients' data. So for me, it works first, because people are there. People with really wide range of skillsets at Parrot. And among those skillsets, they get better and better at adjusting the security and implementing security. So that's the first point. And this allows us to implement security from the beginning of projects. You notice many produce for which cybersecurity is kind of an add on. It's an afterthought, sometimes at the end of the development of a product or even from time to time after it's out on the market. And it's quite different at Parrot because cybersecurity is there from the beginning. And when we start a project we wonder what is a real need and what we have to improve into that project compared to previous ones. So as far as it's a priority for Parrot, we define it just the same ways that we would define that a drone would have to fly for this amount of time, and would have to see with this amount of zoom, or thermal capability and so on. So cyber security is there, and it's there from the beginning. And cybersecurity is not just a matter of implementing it in-house at Parrot, it's important to have this broad view and global view, and to include all suppliers and especially, all the supply chain that provides some components or from time to time able to implement part of the software. So concerning this supply chain, we've seen in the past a few products in the electronic consumers parts that might be backdoored, or may have huge vulnerabilities. So it's quite important at Parrot that we check what is the level of security of the different suppliers and we make sure that we trust where the components come from. So that was a real need for NDA compliance and for Blue sUAS program for ANAFI USA. But it's now part of the way we do things. So it's a great improvement also. And, of course, when we speak about security by design, it's important to do it at the very beginning and define what the security need is and what the different security features will be. Then implement but also check. And that's what we will focus on when we speak about audit and bug bounty, because this part is quite important. And this cycle helps us to implement continuous security improvements, which means that over time, builds for one product, and also from product to future products will continuously improve cybersecurity, which means that in the previous years, we've done a lot so far. But we won't stop there and we will continue to keep integrating even more security and protect user data, always better so that we make sure that we minimize the potential impact of a defect if one day there is one.
So an example of questions we could ask ourselves when we design a product. And by the way, that's also the kind of questions that clients asked to Parrot just to understand how we implement security. So we've got the drone, most of people would wonder how we authenticate and encrypt the video links between the remote controller and the drone, they want to understand how we protect the user data that is stored on the drone, and how we would protect the drone itself. Because it's important that no attacker could put malicious software into the drone. And for some people it's also quite important to protect flight data. For example, for forensics analysis. Because if a drone is lost or caught by an adverse party, you may not want this adverse party to understand where you took off, where you've been flying for this mission or for previous missions. So it's important, especially for defense and sometimes for public safety, to also protect this kind of data. So once we've defined the security need, of course, we implement solutions. So here are just a few examples of those solutions, so if you wonder how we authenticate and encrypt the radio link between the remote controller and the drone. So basically, we use a standard WPA2 protocol. We define for each pair of drone, and remote controller a unique key. So first the fact that there is a unique key makes it secure by default, because there's no default password that an attacker could guess or could reuse very easily. But then, that's not the only thing we define. Because even if it's unique by default, the user can define its own address to to make sure it's his password, and not just the one defined by Parrot. If you wonder how we protect data that is stored on the drone, so that's one of the best enhancement on ANAFI USA. We implement a full disk encryption on the SD card. Basically, all photos and videos taken by the drone is stored into this SD card. And we don't encrypt data file by file, but the whole disk is encrypted. And that's great because it allows to protect every data. And it also prevents some forensics techniques that will be used, for example, to retrieve just one data, or try to intercept part of the data before it's encrypted. So here, everything is encrypted. And we use best in class algorithms. Just to name it, AES-XTS with 512 bits key length. And what's quite important is that we don't stick to marketing cybersecurity, we also implemented it the right way. For example, with XTS, we choose the right block mode of operation, we choose the longest possible key length. And the most important thing is that we make sure that this key is never stored on the drone. Because if the drone is lost, someone could try to retrieve this key. And here, it's completely different because to make it secure, we have this key that is stored into the software that is in the remote controller, and when it's paired to the drone the remote controller transmits the key to the drone in a secure manner. This key is never written into drone. So it's never written to disk and only used on volatile memory, which means that if the drone is lost, as far as accessed with the volatile memory is protected. As far as the drone is switch off, everything is just lost and nobody can retrieve the keys that would allow an attacker to to to decrypt data. So it's important not just to stick to the security features, but also to implement it the right way. So just to continue to the different questions. So if you wonder how to ensure the embedded system integrity and make sure that no attacker would put a malicious software into the drone. So what's quite important is that first, we harden the system, so that there's no remote access to the embedded system, and no way to connect to the operating system. But then when the software evolves, the drone makes sure that there's a legit digital signature before applying a firmware update. So doing that we make sure that this firmware really comes from Parrot. And we make sure that if an attacker try to modify just one bit, the attacker won't be able to push this update, because the drone would notice that just one bit difference, which would make the digital signature invalid and be disregarded. So that's one of the example of the way we protect the system. And finally, how do we protect flight data from forensics analysis. So it's not implemented on all versions of drones, but for security editions which mean governmental use, we have additional antiforensics techniques that prevent an attacker from accessing fly data return to home or return to position, and any data that the drone would have to keep in memory during the flight, just so that things go well. So it's important because we could say there's no data on the drone. But during the flight, you need some data. For example, if you lose the video link between the remote controller and the drone, the drone has a return to home, or you could even define a return to position. So if you define a position before takeoff, so that the drone won't come back to you, that will define positions that an adverse party won't guess where you are. So if you want to protect all this data, you have to make sure that nothing is written to disk and data is protected, so that no one can retrieve this. And lastly concerning data, of course, we can fly our drones with no internet connection. And there is a way to push firmware updates completely offline and import maps offline. And there's a mechanism to unlock flying in the no-fly zones.
The other reason is that as we are a European manufacturer, it was easier for us to organize things with a European partner. Because concerning drones, it's not just a matter of checking cyber security on a website or web service. It's also important for us to provide drones to security researchers. And we define a mix of public and private bug bounty programs and for part of the private bug bounty programs, we use that to test future products. Which means that we select a few security researchers that are amongst those that are more skilled on the platform, and also those that we trust, because then we will give them products that are not already on the market. So we have to make sure that we trust those security researchers. And then they look at potential security vulnerabilities before the project is out, which of course benefits our clients. Because even before the solutions are on the market, we make sure that it gets the right level of security, and that nothing was forgotten or there any error in the way we implement things. So that, to me, is that access to be even more transparent, and to give always more assurance, to our consumer, so that you can make sure that when we say we've got trusted drones and cyber secured drones, it's not just words, it's based on facts. So one of the most important thing is the difference from audit and the bug bounty. And, and we can see that each solution has benefits and drawbacks. So for example, the main difference between audits and bug bounty is the parameter and the limitation in time or in versions that you may have for audits. So, of course, drone would evolve over time and all the time, we make better software, and we implement new features into the drone. So even for the same drone, the software may evolve over time. So when we do an audit, we know if there's potential vulnerabilities on this version at this precise time. But the main difference with bug bounty is that you can cover a wider parameter. And you can have continuous testing, because it's not based on a specific time frame, that you can have it all over the year. And if someone finds something, maybe it was an old bug, but it may be also something that was introduced during development on a brand new feature. And then, it's quite useful to benefit from the expertise of security researchers that can look at modifications and do that in a continuous way. So for me, that is the main reason for which we decided to go with bug bounty compared to audit. It helps Parrot to have security checking not just at defined steps, but all the time. Concerning the parameter, we also saw that we focused on actual drones or future model of drones and they way they were secured, but seeing how our security researchers participating in bug bounty works, they work just the way an attacker would do. And they also looked at other solutions. So for example, Parrot has been doing drones for for more than 10 years. And we may have cloud services to retrieve logs from older ones at a time that cyber security was not at the same level with the same needs. And most of the times at that time, Parrot was mostly doing toys and drone for professionals. So with this wider perimeter, we can benefit from better security for all products, not just those from today, but also those that were sold something like five years ago and didn't have the same level of security compared to those we provide today. So that's the way that we base these on a wide range of researchers that have a wide range of skillsets because the number here is quite important. When you think about cyber security, it's not just one field of application, cyber security is quite wide. And when you think about cyber security and the skillset needed for cyber security, you can see that some security professionals are really good at understanding the network, and the ways that network protocols can be misused or can be protected. You can see that other security experts, really do know how to secure a mobile application or web service. And you see that other security professionals are really good at securing an embedded system or attacking an embedded system. And there's a wide range of skillsets, and at the end of the day, there's no ways that one or two auditors can have all these skills that may be needed for wide and global view on cyber security. And other times you may have one, two, or even five or 10 auditors, you'll be always limited to those skills they have at the time of the audit, the great benefit with bug bounties that you benefit from all the skills from hundreds or thousands of security researchers and all of them are really good at something. But the fact that we benefit from the sum of all of those skillsets make it a good complimentary view. So that's the basically the main difference between audit and bug bounty in favor of bug bounty. You also have to be aware of some of the drawbacks. For example, most of the time, it is easier to go into details with auditors compared to bug bounty. And, for example, what we did with Bishop Fox, we share the source code, we spend weeks and weeks, if not months, to exchange with them so they first have a global view and then go into details of one scenes then another. And that needs a lot of work. And that needs a lot of exchanges so that they can understand everything of what we do, the way we do it and to check, we do it the right way. If we compare to bug bounty, most of security researchers, that participate in bug bounty, look at easier solutions. And, of course, they stick to the ways that an attacker would proceed. But sometimes with a more superficial view. So that's one of the drawback and, and another drawback is that with bug bounty, you have to do more triage, which means that you've got maybe a few reports. And amongst those reports, let's say 10 reports, there's one or two that are really important, and you may have something to do better. But for others, you may have report for hypothetic vulnerabilities that may have absolutely no impact on real confidentiality or integrity or availability of information. So it may be hard for a security researcher participating in bug bounty, to understand the drone market, to understand what security needs we have, and it's easier to have this kind of exchanges with security auditors. So just to sum up, bug bounty is not an all-in-one solution. It's really complimentary. And that's why I wanted to speak to you about security by design, the different steps and the way we implement security, the way we check it. And at the end of the day, bug bounty is relevant just because we add the previous steps and then we did security by design. And then we first checked with audits. If we did not do that, I guess we would add tens and tens of reports within the bug bounty, and that we would be really hard to manage. But here, because we did all those previous steps we have something that is complimentary and just helps us to make sure that we didn't forget anything, and let us know there's no old function that may have the default on or something like that. So it's quite important to have both and not just bug bounty. So that's basically it. And I guess we may have questions now.