MENU

Global Drone Security Network Event #2- Victor Vullard (Parrot)

This is the fifth post of GDSN #2 review, if you haven't read our previous reviews it is a good time to check out the great talks!

Mike Monnik (DroneSec)

Christopher Church (INTERPOL)

Kim James (DroneGuard)

Ulf Barth

Lucas Le Bell (CERBAIR)

Evangelos Mantas(Infili)

Jacob Tewes (Kutak Rock)

David Kovar (URSA Inc)

 

 Victor Vullard (Parrot) - Security of a Drone Platform ANAFI

 

Thank you very much. And thank you for inviting me and giving me the opportunity to speak about parrot and how we implement cyber security. And before starting, I wanted to say that it's great to have such an event in which we speak about drone cyber security and counter UAS and all problems that may be posed by drones. So, it's really huge to have such an event. And thanks for that. And thanks also for everyone that is attending our previous presentation. So first, I'm going to talk about the cyber security of drone platforms. So Parrot is as the second worldwide drone manufacturer. And before starting about cyber security, I'm going to give you some more insight and information about our latest model of drones, which is called ANAFI USA, because that’s the drone we've been working first for the US Army since a couple of years now. And now we are selling it as a specific model to everyone, or at least people that may need it. so important to note that it's a high performing micro drone in its category. And what we do at parrot is small drones. We are not focused on drones with which we can carry a large payload or anything like that. But we want to have smaller drones that could fit in a backpack of a soldier or rescue team or postman and so on. One strong decision from Parrot was to manufacture this drone in the USA. So of course, this is driven by the fact that we are now working with the Defence Innovation unit and the US army, which is great. And it brings a lot to us because it leads us to improve our products and make it even more secure. it important to note also that we've been working a lot about how we secure the supply chain, and where comes the different parts which we need to build the drone. So, in the United States there’s a National Defence Authorization Act, that gives us some constraints and that we need to be compliant with. And basically, this states that we can’t include in our drones, certain components that may come from adverse countries seen from the United States. So, ANAFI USA, that's a professional drone, it's not for techies. Of course, you can take a great videos and photos. But it's used for both the public sector for professional such as inspection or mapping or eye agriculture. And it's also done for the public safety and defence. And like I said before, we want it to be pretty small and really quick to deploy. So, our target was to deploy it in less than a minute, which means that you've got it in your backpack, and from the moment that you open your backpack to the moment that the drone is flying there’s less than a minute. So you can unfold it quite easily as you can see in the video. It's pretty small. And then just launch it so that the drone is flying just any moment you need and then pretty quickly.

And of course, you can also land  it on your hand. And it's important to underline that because for certain jobs, you may be piloting a drone and around you there’s snow, sand, or maybe you can be on a boat, and you don't want to land your drone on the ground. So, our drones, because it's pretty small, because there’s just some safety features that would, for example, cut off the motors, if the propeller touch you’re hand is pretty innocuous. And it's going to do that, it's great for the user experience and still stay safe doing so. So, of course, that's one of the lightest drones of its category. We've got a great vision capability, both for day and night. And for such a capability. It's only a 500-gram drone. So, half a kilo, and it flies for more than 30 minutes, which means that with less than a kilo in your backpack, which means a drone and three additional batteries, you can fly for two hours, which is quite a lot when you're doing surveillance or mapping or whatever. It's pretty stable, both outdoor and indoor. So, it's important to know that you can have GPS denied environments, and the drone will still be stable and fly pretty, pretty well. And concerning the environment in which you can fly, we are also IP53 certified, which means that the drone can fly under the rain, or even when there's a lot of dust or sand or whatever kind of environment. So, it's really robust. And you can use it in pretty much every environment. It's important to say that when you're doing surveillance, you really need a quiet drone, because the effectiveness of surveillance is that you will need to see people without them seeing you. So, ANAFI USA it's pretty quiet, that’s 79 db’s when it's just close to you, which means that when the drone is 100 feet from you, you can hardly hear it and then if you are in the middle of the desert with absolutely no noise, you have to be a bit further. But still, it's pretty quiet. And then very effective if you want to stay stealth and don’t let people see you.

One of the greatest strengths of ANAFI USA, is its very powerful zoom. So, there's a 32 times zoom, which is great for a drone of this category. Most of the time, 30 times zoom, 32 times zoom, you will find that in a drone which would weigh something between 5 to 10 kilograms. So here we are 10 to 20 times smaller, which means also that we are more quiet and more stealth and less easy to carry on you on your backpack when you take it on your missions. But still, it's just a great zoom. And the main objective of this zoom is that you can detect a person two miles away from you. Two kilometres away from you. That will be one the two knives. So, on a pretty long distance you can see things pretty well. And it's important for surveillance. It's also pretty important for the precision of mapping even if you're not doing surveillance. That's an example of videos that was taken by the drone when flying, and those soldiers jumping in with parachutes, they are more than eight kilometres away. So, 8 kilometres will be something like six miles. And you see that thanks to the zoom, you can have  a clear vision and then count how many of them even if it's pretty far from the point where the drone is. Of course, there's also infrared and night vision. And thanks to a strong partnership with FLIR, we have a great integration of the camera. So, we include a FLIR boson, which allows a person to see at 200 meters, which means that at night when you're flying 200 meters away from someone, you can identify the person. So that's kind of images you may get when you're flying at night. We have also strong knowledge of all wireless protocols. So, on our consumers and some professional drones, our most professional drones, we use Wi-Fi, but on a optimized version of Wi-Fi. And since a few months we've included also other wireless chips and other protocols, especially for the defence sector. So important to state that ANAFI is real. That's a drone that has been produced and used by a lot of people. So, among Armed Forces, and public safety, we have a long list of users. And that's just a few,  we can mention the FBI, the US Army, the armies in United Kingdom, Switzerland, France. And of course many more. It's also used by rescue teams and as especially by CASA, which is doing interventions for rescues. And we've been producing more than 150,000 units of ANAFI. So, ANAFI USA is just a new derivative of ANAFI. There are a lot of things that are common between ANAFI and ANAFI USA. And what's different is that there's a longer flight range. Of course, there's a way better video camera, both for day and night. But the rest of the drone is almost the same.

So, we've been doing those, we've been doing improvements on those platforms of ANAFI for 2 years now, which means that the software is pretty, pretty stable. And it's been tested a lot, before we launched the product. But we also had a lot of feedback from our users that allowed us to improve our products. And we've been doing so for 2 years now. And important to know that Parrot was the first drone manufacturer that was selling drones to the consumer. And we've been doing so for more than two years now. We've got high production capability And we've been producing more than 4 million drones right now. Which means that we are able to produce really stable drones and we have a lot of knowledge from those 10 years of activity in France and of course the greatest strength of Parrot is that there are more than 300 engineers working on drones, improving our products. And before we jump to the main subject about cyber security, I'd like to say that for those engineering, most of them may be working on the video feed or the embedded system or many other aspects of the drones, and not specifically on cyber security. But most of them have learnt a lot on cyber security. Some of them are good experts, and cyber security at parrot is not a matter of just a few persons. It's really a culture. And all those 300 engineers are really dedicated to cyber security, they really do understand what the problems, what problems are posed about cyber security. They think, with privacy in mind, whenever they add a feature, they wonder how we could secure it, how we can prevent users’ data to be exposed. And we speak a lot about technology, when we speak about trends. But for me, one of the greatest strengths of Parrot is that human being behind this technology is the ones that do the drones. And those are really dedicated to cyber security and privacy. Before speaking about cyber security, I will mention a few innovations. For example, here you see a video of ANAFI USA landing on a truck. So that's one of the features that is used, for example for border patrols, so that they can have their boat moving or have a vehicle moving and still they are able to launch the drone and have the drone go directly to the moving vehicle. And don't waste time when you've got a person which is dedicated to the task of having the drone land, of course you may waste time and here the drone is able to land even if the vehicle is moving. We've got a great subsidiary called Pix4D, and they produce great software for photogrammetry, which are used a lot for tactical mapping, and also for damage assessment, after a hurricane or after bombing or whatever. So that's one of the main added value of drones, you can launch it in just a few seconds or minutes. And within a few minutes, you will have a live mapping of the area below the drone

And that's great, because most of the time when you’re a soldier in need of a satellite feed, you would need some time before getting that. And maybe that won't be available or you encounter cloudy weather, which would prevent you doing so. And with the drone, you can adapt the way you fly it so you can fly under the cloud. And see whatever you need to see. So Pix4d is doing great software. And they are even doing a dedicated software for security, which is called Pix4D react. And the main difference is that you can use it offline. We've got a lot of defence and public safety users that are worried about having an internet connection all the time. And of course, this can be problematic for security reasons. But when they are in the middle of the desert, they may not have those kinds of internet connections. So, they don't want to be preventing, prevented from flying and from having live mapping when they are in that kind of environment. And it's great to have that kind of solution that allows you to do it completely offline. So now we are going to jump to our privacy and cyber security concerns. So first, at Parrot we really have privacy and cybersecurity in mind. And we want to implement privacy by design. It's not just something we do after everything else, that's something that is really deep into all of our processes. And when we develop a new feature, one of the main questions is, how do I secure it? How do I protect that data of my users? And at some point, if we need to share some data, or to propose to the user to share some data, we really want that the users has control over everything that is done. So first, I think I said that before, but there's no data transferred by default, which means that we've got services that allows the user to share data and post flight data on Parrot servers that can be used so that our own users can get the flight data from their computer or from another device or whatever they need. It's also used for customer support, to add customers adding all the data, and be more able to speak about what was done during the flight. But what's important is that even if we implement those features, it's enabled and we transfer data only if the user opts in, and by default, just nothing. So of course, we are GDPR compliant. So GDPR is a European regulation. And it's not a question of being a European company, because every company be that an American or Chinese or Asian company, selling to European customers, should be GDPR compliant. But we implemented GDPR features and all a lot of processes a long time ago. And that allowed us to improve, and to make sure that we didn't forget anything. So, it's really important for us, first, to be compliant to the relation. But it's also a regulation that drives our own mindset, the way we work and everything that is done in the company. Important to note that it's not mandatory for GDPR, but we host all of our data in Europe, in European servers.

Freeflight 6, that’s the applications that we provide so that our users fly the drones. So, it is the application used to control the drones to take pictures or videos, and to have a lot more features. And that's also the application that may or may not share data to Parrot servers, when the user opts in. It's important for us that inside this application, there's no obfuscation, there are no hidden features. There is absolutely nothing hidden and everything is clear to the user. There's no forced update, which is important, because some of our most of our users are happy to have the latest update installed on their device, and that helps them have everything fixed, everything optimized, and they are happy with that. However, we have a few users, especially in the defence and public safety sectors, which have been evaluating a specific version of the application. They've been training people on a dedicated version. And for various reasons be that for security reasons, or just practical reasons, they don't want to update. And the way we work is that we propose updates for consumer versions. Those are proposed for installation as soon as they’re available to users. And then for security editions of our drones, that's up to the user to decide whether or not, and when installed the updates. So, it's not really a technical point. Even so, force update may pose a security problem because that may allow someone to take control of a device, if there's a security program on the update chain, but here, we do that so that we have a process that allows the user to decide whenever they want to update or not. So, I mentioned that there's no data transmitted to Parrot servers by default. And it's pretty easy to obtain. And you have different level of potential data transmission. For example, you can just share an anonymous data so that it helps Parrot enhance the products, you can also host all your flight data on private servers, so that you can access it from whatever device you want. And because it's really easy to obtain, we want that it's as easy to opt out. And most products propose that, but a lot of products have absolutely no features that allows the user to ask for the data that was previously sent to a server or another. And what we do is that inside our software, we have specific features for which the user can manage, all its options be that for newsletters, or sharing anonymous data. Or just in one click, the user can also ask to get all the data for portability. For example, if someone wants to import data, not in the parrot product but in another software, then he can ask, the user can ask to Parrot all the data and do whatever it is, because that's users’ data and not Parrot’s. And, of course, there's features in which we can just ask deletion of all previous data, which means that when you share data to Parrot, this data can be sent to multiple servers, because first, it may be used on the first part for accessing your flight data online. But then if you call the user support, and discuss with user support, you get a partial copy of those data in another system. And then if you share data so that Parrot can enhance products, it may be shared with your research and development departments. And when you kick in this delete my flight history, it not only deletes data on the first Parrot server, which is posted online and on which you can access your flight data online, it really organizes the data deletion on every service, so that we make sure that there's no copy that Parrot would keep. And when you ask for your data to be deleted, when you decide to withdraw consent and not to share the data to Parrot anymore, you don't just stop sharing data, you can just, you can also ask to delete all previous data that was shared before. So, it's really important to know that it's just a one click option, it's pretty easy for the users and you won’t have to contact the data protection officer, you don't have to go into complex processes and wait for several days or several weeks for that to be deleted. In previous presentations, several speakers spoke about a no-fly zones, the problems that flying in dangerous environment may pose. And our way of thinking about it is that we don't want to impose no’fly zones and especially to our defence and public safety users, but also to professionals because I will just give you an example, but I was speaking a few weeks ago to an air company that is doing inspection on their planes with drones which means that inside an airport, they use drones for inspections because they are allowed to do so. And it's normal, even if having done otherwise drones is dangerous. And we don't want that. We also have professionals and public safety and defence actors, who are allowed to fly in those environments. And to allow that we don't have to, to have online to have them as online if they are allowed to fly. Because first is that's not Parrot, the ones that should give permission to it for everyone to fly. And it also poses a cybersecurity problem, because if we did implement that, that kind of feature, we would need to get the user's location. And I think that most of the time, a public safety entity or defence entity should not share this location to anybody. That's up to them to fly responsibly. And as that was said in the previous presentation, bad guys don't care because they already have drones with no-fly zones. And they already can do whatever they want. So, it's more important to focus on effective measures that would prevent the flight of dangerous drones. And for example, at Parrot, we work a lot with different work groups on a remote identification. And I find it really useful to have a policy framework and have real life implementations of remote identification, so that's, that's effective. And when you are on a sensitive location, you can see all drones, you can see which drones have remote identification among those drones, you can define which one you authorized and which when you did not. And more importantly, you can focus on those drones that are not identified because they don't broadcast any information about those information. So, it's important to have that kind of features, and to work on how we secure both the security and confidentiality of those remote identification rather than imposing and managing features such as no fly zones. Because we already do care, about privacy, privacy and security, we decided to conduct a dedicated security assessment which would be made public. So of course, during the previous years, we've been doing a lot of internal audits, we've been improving continuously our products, and on the other end, we also have a lot of users and especially in the defence sector, that have been conducting security assessments of our product and services. But we wanted to have one of those public, which is most of the time not possible with a defence entity having independent testing of our products. So, a few weeks ago, we joined a few weeks, and we got those results. A few weeks ago, we've been working with Bishop Fox. So, Bishop Fox is a cyber security company based in the US and they are pretty focused on offensive security. So, they do a lot of code review and penetration testing and they are used to finding vulnerabilities in products. So they have been testing our app Freefligh6, both Android and iOS version. So just I said before Freeflight6 is the applications that is used to control the drones, and that may or may not share use of data to Parrot web services and service. So, they did both vulnerability scanning and research. They did a code review of both the application and web services, as well as penetration testing, and you can find the results on our website. Because we decided to make it public. So, we provide the letter of assessment, which details, all the results. And as I said before, there's no obfuscation and they checked in on which condition the application may or may not share data to our own servers or the parties’. And, of course, they didn't find any difference between what we state and what we do. And for me, it's quite important to be transparent, it's quite important to do or to say what we need to say what we want to do, and to do what we say. And we've been writing in a privacy policy, every information that we may collect and which set of circumstances we collect it, so that the user knows what is happening. And just as I said before, whatever the user chooses, whether or not he decides to share something or not. So, everything that I mentioned before, concerning the forced update, obtain or whatever, Bishop Fox checked that and, and both with source code reviews, and reverse engineering of the application published on the Google Play Store or Apple Store. And they've been doing penetration testing to check that if you are an authenticated user, you can't access to the data from another user. And then we are quite happy to see that they found no security and privacy issue. They gave us a few advice, for example, they advised us to, to create a configuration files that is stored inside your own device. So that if you install a malicious application on your own phone, this malicious application wouldn't have access to certain parameters. In addition, there was an unused key that was still stored on the application that we removed in the beta version, but that was not, it wasn't possible to do anything with this key. So, they gave us a few advices. We discussed also on some cyber security features that we may or may not implement. And it's important to discuss those features, because it may seem important to cyber security professionals to implement certain functions, but when we think about how our users use a drone, and the actual security risk, that can be pretty low. We also decided not to implement some features. For example, Bishop Fox proposed that we expire the user login and authentication. And to our point of view, when you're flying your drones, you may need to have to do this very quickly. And let's say that you are a policeman and want to chase a person across the street, you're not going to waste one minute authenticating, and we preferred to have authentication that is saved into your device. And it's not a security problem because your device has a PIN code is encrypted, or whatever the security measures are. But then we target a good level of security and at the same time a really appropriate user experience. Another example was certificate pinning. So visual folks propose that we implement that but we previously chose not to so and for the reason I explained before, concerning the fact that some of users may want to stick to a specific version of our application. And if you consider certificate pinning, that we need that the day you modify the certificate, you have to force the users to update to a newer version and if not, you may add a security issue or break the features that uses the connection. And when you measure the risks and benefits from this kind of implementation, we find that it's better to give the choice to the user whether or not to update rather than force them to do so. The last example of a security decision I made is that Bishop Fox proposed that we implement jailbreak and hood detection. And for me, jailbreak and the hood detection may be used to prevent a security researcher to look at what's inside our application. And in fact, I don't care about that. I even encourage every cybersecurity researcher to look at what's inside our own application. And that's why I don't want any obfuscation technique, I don’t want a hood or jailbreak detection. And everyone that want to look can look at what's happening on the application. Concerning drone hardening, so, it's important to protect not only the application that controls the drone, but also the drone itself. So of course, we have a protected embedded system. And the first protection is that we have no mechanism for which user can connect remotely. So that's not a feature that's part of the drone. And this means that malicious attacker would not circumvent that kind of feature or find a vulnerability that may enable him to take control of the drone. Our firmware is also digitally signed, which means that it prevents an attacker from tampering the system or modifying what's installed inside the drone. So, you are sure as a user that when you update the drone you’re sure that the firmware comes from Parrot, you are sure that the firmware has not been modified, and then it still has the full integrity. By default, on main product, we have WPA2 authentication and encryption. And just as I mentioned before, we also on certain products, integrated also wireless protocols and other wireless chipsets. So, we are also able to provide even stronger encryption and authentication. Concerning the data that is stored on the drone, a few months ago, we added full disk encryption of the SD card. And we chose a pretty robust AES-XTS algorithm with 512-bits key length. So that's one of the most robust algorithms that is used and kind of a standard for full disk encryption.

There’s really good question about encryption. Because when you're using your drone, you may think that you need to have the encryption key written somewhere on the drone. And the way we work is that there's a key that is transferred from the ground control station to the drone. And inside the drone, this specific key is used only in volatile memory, which means that if an adverse party catches your drone, even if this adverse party installed memory components and use forensics techniques to recover the keys it can't. So, if a drone is crashed, then the adverse party cannot create anything and know your photos or videos on nothing. With almost the same principles, we also have additional protections against such forensics analysis to protect flight data and certain information such as return to home or return to position. And that’s enabled but only on our security edition. That's where we are today. But, as I mentioned, just a fabulous team at Parrot and hundreds of great engineers, and everyone is dedicated to security and really interested into improving even more the cyber security of our drones. So, I think that today, we already have a great level of security. But important to note, we are going to have even better features in in the next weeks, months and years. So, one of the examples and that's just one example amongst the several, we announced a partnership with WISeKey, it was back in July. And WISeKey is one of the main manufacturers of hardware security component. So, they produce, for example, Secure Element, which is FIPS140-2 compliant, which is a common criteria certified. And that's great, because that allows to securely store certain keys and to compute that some cryptographic functions in a secure way. And the fact that it's FIPS compliant means that the keys are generated in a safe way, that when we use randomness, that's real randomness. And every cryptographic feature, it is done the right way. So, stay tuned. Because with that kind of improvement, in a few weeks or months, we are going to announce even greater security features on our drones. It's, it's about over. So, I think that we've got a couple of minutes for questions.



Leave a reply