This post is a quick recap of Global Drone Security Network (GDSN) #3.
We are honoured to host a presentation from Victor Vuillard of Parrot. If you haven't watched his talk "Parrot, from Cybercrime by Design to Bug Bounty", please visit our YouTube channel.
Parrot, from Cybercrime by Design to Bug Bounty
Hello, everybody. And nice to be at GDSN again, it's a real pleasure for me. And I talk to you today about cyber security at Parrot and what brought us to bug bounty. So just before starting, I don't know if you see my slide. Yes you do. It was quite important to explain the whole journey to the bug bounty, because at the end of the day, bug bounties, I would say is kind of an accomplishment. But it is there because we are a few steps before and it makes sense, because we did a lot before that.
So just before I begin on cyber security, just a few information concerning Parrot for those that don't know us. So we design and manufacture small drones. And our latest product is ANAFI USA, which is an awesome drone. Really, it's quite small, and it can be unpacked in less than a minute. It's really quiet. But still, it has an awesome capability. And it can zoom 32 times, which means that you can basically see someone at two kilometers away and see if people have a gun, or have a precise view of what's happening there. And, of course, cyber security and trust is also quite important because this drone is made in the US and we had careful choice of components so that it's NDA compliant. So there is basically what's about ANAFI, it's an awesome small drone, but very powerful. And of course, secured.
So first, let's talk about security by design. It's not quite easy to define security by design, because there can be a lot under this definition. But first, it's important to mention that, for us, security by design begins with people. People are quite important because it's them that design the product, develop and implement what's in the product. So security awareness at Parrot is not just a matter of the security team, it's really a concept. It's an awareness that is spread across the whole organization, from the CEO, to product managers, to developers. And basically everybody is aware of cybersecurity.
And to me, that's one of the main points, it's quite important that people get involved, that people understand what are the security need, and understand that it's important to protect your clients' data. So for me, it works first, because people are there. People with really wide range of skillsets at Parrot. And among those skillsets, they get better and better at adjusting the security and implementing security. So that's the first point. And this allows us to implement security from the beginning of projects. You notice many products for which cybersecurity is kind of an add on. It's an afterthought, sometimes at the end of the development of a product or even from time to time after it's out on the market. And it's quite different at Parrot because cybersecurity is there from the beginning. And when we start a project we wonder what is a real need and what we have to improve into that project compared to previous ones. So as far as it's a priority for Parrot, we define it just the same ways that we would define that a drone would have to fly for this amount of time, and would have to see with this amount of zoom, or thermal capability and so on. So cyber security is there, and it's there from the beginning.
And cybersecurity is not just a matter of implementing it in-house at Parrot, it's important to have this broad view and global view, and to include all suppliers and especially, all the supply chain that provides some components or from time to time able to implement part of the software. So concerning this supply chain, we've seen in the past a few products in the electronic consumers parts that might be backdoored, or may have huge vulnerabilities. So it's quite important at Parrot that we check what is the level of security of the different suppliers and we make sure that we trust where the components come from. So that was a real need for NDA compliance and for Blue sUAS program for ANAFI USA. But it's now part of the way we do things.
So it's a great improvement also. And, of course, when we speak about security by design, it's important to do it at the very beginning and define what the security need is and what the different security features will be. Then implement but also check. And that's what we will focus on when we speak about audit and bug bounty, because this part is quite important. And this cycle helps us to implement continuous security improvements, which means that over time, builds for one product, and also from product to future products will continuously improve cybersecurity, which means that in the previous years, we've done a lot so far. But we won't stop there and we will continue to keep integrating even more security and protect user data, always better so that we make sure that we minimize the potential impact of a defect if one day there is one.
So an example of questions we could ask ourselves when we design a product. And by the way, that's also the kind of questions that clients asked to Parrot just to understand how we implement security. So we've got the drone, most of people would wonder how we authenticate and encrypt the video links between the remote controller and the drone, they want to understand how we protect the user data that is stored on the drone, and how we would protect the drone itself. Because it's important that no attacker could put malicious software into the drone. And for some people it's also quite important to protect flight data. For example, for forensics analysis. Because if a drone is lost or caught by an adverse party, you may not want this adverse party to understand where you took off, where you've been flying for this mission or for previous missions. So it's important, especially for defense and sometimes for public safety, to also protect this kind of data.
So once we've defined the security need, of course, we implement solutions. So here are just a few examples of those solutions, so if you wonder how we authenticate and encrypt the radio link between the remote controller and the drone. So basically, we use a standard WPA2 protocol. We define for each pair of drone, and remote controller a unique key. So first the fact that there is a unique key makes it secure by default, because there's no default password that an attacker could guess or could reuse very easily. But then, that's not the only thing we define. Because even if it's unique by default, the user can define its own address to make sure it's his password, and not just the one defined by Parrot.
If you wonder how we protect data that is stored on the drone, so that's one of the best enhancement on ANAFI USA. We implement a full disk encryption on the SD card. Basically, all photos and videos taken by the drone is stored into this SD card.
And we don't encrypt data file by file, but the whole disk is encrypted. And that's great because it allows to protect every data. And it also prevents some forensics techniques that will be used, for example, to retrieve just one data, or try to intercept part of the data before it's encrypted. So here, everything is encrypted. And we use best in class algorithms. Just to name it, AES-XTS with 512 bits key length. And what's quite important is that we don't stick to marketing cybersecurity, we also implemented it the right way. For example, with XTS, we choose the right block mode of operation, we choose the longest possible key length. And the most important thing is that we make sure that this key is never stored on the drone. Because if the drone is lost, someone could try to retrieve this key. And here, it's completely different because to make it secure, we have this key that is stored into the software that is in the remote controller, and when it's paired to the drone the remote controller transmits the key to the drone in a secure manner. This key is never written into drone. So it's never written to disk and only used on volatile memory, which means that if the drone is lost, as far as accessed with the volatile memory is protected. As far as the drone is switched off, everything is just lost and nobody can retrieve the keys that would allow an attacker to decrypt data. So it's important not just to stick to the security features, but also to implement it the right way.
So just to continue to the different questions. So if you wonder how to ensure the embedded system integrity and make sure that no attacker would put a malicious software into the drone. So what's quite important is that first, we harden the system, so that there's no remote access to the embedded system, and no way to connect to the operating system. But then when the software evolves, the drone makes sure that there's a legit digital signature before applying a firmware update.
So doing that we make sure that this firmware really comes from Parrot. And we make sure that if an attacker tries to modify just one bit, the attacker won't be able to push this update, because the drone would notice that just one bit difference, which would make the digital signature invalid and be disregarded. So that's one of the example of the way we protect the system.
And finally, how do we protect flight data from forensics analysis. So it's not implemented on all versions of drones, but for security editions which mean governmental use, we have additional antiforensics techniques that prevent an attacker from accessing fly data return to home or return to position, and any data that the drone would have to keep in memory during the flight, just so that things go well. So it's important because we could say there's no data on the drone. But during the flight, you need some data. For example, if you lose the video link between the remote controller and the drone, the drone has a return to home, or you could even define a return to position. So if you define a position before takeoff, so that the drone won't come back to you, that will define positions that an adverse party won't guess where you are. So if you want to protect all this data, you have to make sure that nothing is written to disk and data is protected, so that no one can retrieve this.
And lastly concerning data, of course, we can fly our drones with no internet connection. And there is a way to push firmware updates completely offline and import maps offline. And there's a mechanism to unlock flying in the no-fly zones.
So for example, if you're a cop and you need to fly in an airport, because let's say there's a terrorist attack and you need to fly into this airspace, there's no need for you to say, hey, I'm a cop and ask Parrot for the ability to fly in this zone. So we think that pilots have to be responsible, and won't, don't have to necessarily really ask to Parrot for a right to fly when they need to. So basically, you don't need any internet connection, not during of flight, not before the flight, you can do just everything offline, which is quite different from some competitors, because they say you can do or this offline. But in one step or another at the end of the day, you need some kind of connection.
And during the beginning of the presentation, I was speaking about continuous improvement. So it's quite important for us to see the future and to implement always better cyber security. So last year, we announced a partnership with WiseKey, which is a provider of Secure Element, and this will have a great place into implementing security in our next models of the ones. So it's a quite great component because it allows the drone to keep some information secrets. So it's just like a safe. And it also computes some cryptographic functions in a secure manner. So this way we make sure that this information stays a secret, and is computing the right way. So I guess we will be able to speak about this in greater details quite soon.
So we've been speaking about security by design. And you've seen that from security awareness and the importance of people from the way we implement security from the beginning. And then from the way we look at great details to implement security the right way. So there's a whole cycle that helps us to implement good security. But that's not the end of the day.
And beside this it is really important for Parrot to be quite transparent, because we know that for our customers, the more transparency, the more they trust our solutions, and that way everything is crystal clear and Parrot is being transparent. We can explain how our security works and how our data are protected and how communication works. And this level of transparency is really important for trust. For example, in our application, we chose not to obfuscate anything into our software. We don't have any hidden features. So compared to what's been found in other solutions. Here, we have full transparency.
And whenever we can, we use standard protocols and standard file formats. So this can be for security, such as WPA2, or for video communications, as well as file formats, such as standard file formats used for flight logs for drone operations. And this use of standard protocols is quite important for security, because then it makes it possible to verify security. So let's imagine that you get a drone for which the manufacturer provides an encrypted protocol for communication between the remote controller and the drone. But say, don't worry, but it's proprietary so you won't know how it works. So that's not a good strategy, because you can't check it's done the right way. They could use a few marketing buzz words, such as say, okay, it's encrypted with AES 256. And if you're not aware of cryptography, you may say, hey, Okay, that's a good standard. And that's a good technology. So as far as I understand, I would trust this. But then, if you go into details, you can see that the way it's implemented, the way you may have session keys, the way you use, block mode operations and encryption, there's many details for which security could fail. And because it's proprietary, you won't be able to verify it's done the right way.
So here for Parrot, it's quite important for us to use standard protocols, because first it helps interoperability but then it also helps all of our clients to verify it's done the right way. So we also have an open SDK. So you could, you can interact with our drone with an open software development kit. This is the secure exchange of information between the drone and other software platforms, solutions, cloud and everything.
Just two words about privacy, it's important to speak about security. But privacy, it's also quite important for Parrot. And the transparency I just mentioned is quite important for privacy. And so first, we don't collect any data by default. So when a user flies a Parrot drone no data is shared by default. But still, a user can choose whether or not he will store the data online. So we only speak about flight data here. And what's important for data processing transparency, is that when you look at our privacy policy, it's quite clear why this data might be processed. So for example, concerning flight data, it can be useful for the user to store it on Parrot servers, so that he can synchronize data between one device and another device for support between a smartphone, a tablet and a computer. So whatever device the user will use it with access to the fly data it will share on previous flights. But this same data is also potentially useful for customer support. And it may be useful for Parrot to enhance products. And at the end of the day, it's important to understand the different purpose for which data can be useful, because then, within the organization, this data might be widespread between the server that allows a user to synchronize data, or to the servers that are used by customer support, or to different systems that are used by research and development teams to make products even better.
So if you consider this, it might be difficult to make sure that users keep control over all this data, even if it's widespread among different services in the organization. And what we did is that we are a global governance of data. And just by one click into the mobile application, a user can decide if he asked for that deletion. And we have a global scheduler that will give the order to every internal server to erase this specific data. So it's quite important because it's not just a matter of opt in or opt out to receive marketing emails, or even at one point in time to share data. Using this, we have privacy by design, because for every copy, for every piece of information that belongs to the user, the user keeps control and you can choose whether or not this data can be deleted or not. So here is basically where you can find it in the app.
So that was the first part about what we do in terms of cyber security and privacy. But once you've defined cyber security and design, the good way. Once you've implemented this, it's also quite important to check it's being done the right way. And you didn't forget anything, and there is no error in the way it is being done. So here, we have a global framework, which is quite complementary. And we benefit from both internal audits, external audits and audits by clients. So basically, internal audits are those audits done by Parrot staff. So basically, that's what I've been doing part of my time because previously, I was a cyber security auditor and I did a lot of penetration testing. So it helps Parrot to see if something was done the right way and what we have to add. So that's the first step. But then we have complementary steps and especially external assessments. So there might be different ones, but the one we communicated about last year was one audit by Bishop Fox, and the assessment team really did a good dig into details.
First, because the parameter was wide enough, because inside the parameter was both the mobile applications that can control the drone, but also the different services with which as the application speaks. And we did both source code assessment, as well as penetration testing, just to make sure that we stick with the attacker's point of view. And it's important to mention that there's no complacency here, and no strong limitation compared to other competitors that use that kind of audit for marketing purposes. But when you look at the reasons, they say ok, there's an audit that we had quite limited time and quite limited skillsets and by the ways there was no reverse engineering skills among the team and that was not the purpose and when you add all the limitations, you see that this security audit was kind of useless. But then the conclusion of the audit was, oh okay, there were lots of limitations, but we found nothing. That's not relevant here. So what we do at Parrot is that we choose the best audit teams with the best skillsets, and we make sure that they've got everything. They can benefit from our source code, they can look at whatever they want. So they define what is useful, and what is the good level of verification. So important to see it allows them to deep dive and to look into great details of our solutions.
And because we have more and more clients, for which cyber security's a key point, those clients are also doing additional audits. So we've benefited from many audits from clients be that in the defense space, or public safety, or even in the industry. So, there's many professionals that are more and more aware of cyber security and are aware that if they want to operate drones, they have to create it in a secure manner. So they are doing their own audits. And it's great for us because it allows us to validate every piece of work we've done before, and to make sure it's done the right way.
And, of course, one big part of the audit was the Blue sUAS program. So as you may know, we've got the great chance at Parrot to be among the five manufacturers which are selected in the United States for trusted drones, that may be used for government or any sensitive purpose. So during this process, there were audit teams, both on the defense innovation unit side and on the users' side, that checked for security, both on the software part but also concerning the supply chain and the different components we selected, and the probabilities that depending on the source of those components, there might be security considerations. So as you may see, checking security is not only one solution, but doing it the right way with the addition of different steps. And the way we do different audits.
But then doing all of this, we wondered what we could do better, and we came to bug bounty. So we'll see precisely why we did that. And what's the difference between the audit and the bug bounty? So first, we partner with Yes We Hack, which is the first European bug bounty platform. So we chose Yes We Hack for two reasons. So first, as it's the first European platform, the benefit from the wider number of security researchers or security testers. So that's quite important because that enables the platform to have wider skillsets and the more people that look at cybersecurity the better.
The other reason is that as we are a European manufacturer, it was easier for us to organize things with a European partner. Because concerning drones, it's not just a matter of checking cyber security on a website or web service. It's also important for us to provide drones to security researchers. And we define a mix of public and private bug bounty programs and for part of the private bug bounty programs, we use that to test future products. Which means that we select a few security researchers that are amongst those that are more skilled on the platform, and also those that we trust, because then we will give them products that are not already on the market. So we have to make sure that we trust those security researchers. And then they look at potential security vulnerabilities before the project is out, which of course benefits our clients. Because even before the solutions are on the market, we make sure that it gets the right level of security, and that nothing was forgotten or there any error in the way we implement things. So that, to me, is that access to be even more transparent, and to give always more assurance, to our consumer, so that you can make sure that when we say we've got trusted drones and cyber secured drones, it's not just words, it's based on facts.
So one of the most important things is the difference from audit and the bug bounty. And we can see that each solution has benefits and drawbacks. So for example, the main difference between audits and bug bounty is the parameter and the limitation in time or in versions that you may have for audits. So, of course, drone would evolve over time and all the time, we make better software, and we implement new features into the drone. So even for the same drone, the software may evolve over time. So when we do an audit, we know if there's potential vulnerabilities on this version at this precise time. But the main difference with bug bounty is that you can cover a wider parameter.
And you can have continuous testing, because it's not based on a specific time frame, that you can have it all over the year. And if someone finds something, maybe it was an old bug, but it may be also something that was introduced during development on a brand new feature. And then, it's quite useful to benefit from the expertise of security researchers that can look at modifications and do that in a continuous way. So for me, that is the main reason for which we decided to go with bug bounty compared to audit. It helps Parrot to have security checking not just at defined steps, but all the time.
Concerning the parameter, we also saw that we focused on actual drones or future model of drones and the way they were secured, but seeing how our security researchers participating in bug bounty works, they work just the way an attacker would do. And they also looked at other solutions. So for example, Parrot has been doing drones for more than 10 years. And we may have cloud services to retrieve logs from older ones at a time that cyber security was not at the same level with the same needs. And most of the times at that time, Parrot was mostly doing toys and drone for professionals. So with this wider perimeter, we can benefit from better security for all products, not just those from today, but also those that were sold something like five years ago and didn't have the same level of security compared to those we provide today.
So that's the way that we base these on a wide range of researchers that have a wide range of skillsets because the number here is quite important. When you think about cyber security, it's not just one field of application, cyber security is quite wide. And when you think about cyber security and the skillset needed for cyber security, you can see that some security professionals are really good at understanding the network, and the ways that network protocols can be misused or can be protected.
You can see that other security experts, really do know how to secure a mobile application or web service. And you see that other security professionals are really good at securing an embedded system or attacking an embedded system. And there's a wide range of skillsets, and at the end of the day, there's no ways that one or two auditors can have all these skills that may be needed for wide and global view on cyber security. And other times you may have one, two, or even five or 10 auditors, you'll be always limited to those skills they have at the time of the audit, the great benefit with bug bounties that you benefit from all the skills from hundreds or thousands of security researchers and all of them are really good at something. But the fact that we benefit from the sum of all of those skillsets make it a good complementary view. So that's basically the main difference between audit and bug bounty in favor of bug bounty.
You also have to be aware of some of the drawbacks. For example, most of the time, it is easier to go into details with auditors compared to bug bounty. And, for example, what we did with Bishop Fox, we share the source code, we spend weeks and weeks, if not months, to exchange with them so they first have a global view and then go into details of one scenes then another. And that needs a lot of work. And that needs a lot of exchanges so that they can understand everything of what we do, the way we do it and to check, we do it the right way. If we compare to bug bounty, most of security researchers, that participate in bug bounty, look at easier solutions. And, of course, they stick to the ways that an attacker would proceed. But sometimes with a more superficial view. So that's one of the drawbacks, and another drawback is that with bug bounty, you have to do more triage, which means that you've got maybe a few reports.
And amongst those reports, let's say 10 reports, there's one or two that are really important, and you may have something to do better. But for others, you may have report for hypothetic vulnerabilities that may have absolutely no impact on real confidentiality or integrity or availability of information. So it may be hard for a security researcher participating in bug bounty, to understand the drone market, to understand what security needs we have, and it's easier to have this kind of exchanges with security auditors.
So just to sum up, bug bounty is not an all-in-one solution. It's really complementary. And that's why I wanted to speak to you about security by design, the different steps and the way we implement security, the way we check it. And at the end of the day, bug bounty is relevant just because we add the previous steps and then we did security by design. And then we first checked with audits. If we did not do that, I guess we would add tens and tens of reports within the bug bounty, and that we would be really hard to manage. But here, because we did all those previous steps we have something that is complementary and just helps us to make sure that we didn't forget anything, and let us know there's no old function that may have the default on or something like that. So it's quite important to have both and not just bug bounty. So that's basically it. And I guess we may have questions now.