UAV Integration: Privacy and Security Hurdles

Todd Humphreys | Aerospace EngineeringThe University of Texas at Austin

Royal Institute of Navigation UAV Conference | February 12, 2013

• University of Texas Radionavigation Lab graduate students Jahshan Bhatti, Kyle Wesson, Ken Pesyna, Zak Kassas, Daniel Shepard, and Andrew Kerns

Acknowledgements

• February 2012: President Obama signs an Act mandating that the FAA draw up a plan by 2015 to integrate unmanned aerial vehicles into the national airspace.

• Key early milestone: By August, 2012, FAA must select 6 test sites in U.S. where integration exercises can begin.

• Still waiting …

2012 FAA Modernization Act

• Privacy: Low cost, ease of use eliminate practical privacy protections

• Security: (1) Secure navigation, (2) secure command and control, (3) secure sense and avoid, and (4) secure telemetry (e.g., video feed)

Hurdles to Integration

• U.S. Supreme Court Precedent is fairly clear: No expectation of privacy in open fields (e.g. in backyards) that are naked-eye-visible from public airways (e.g., Florida v. Riley)

• Surveillance of U.S. citizens from manned domestic aircraft is routine

• But the news is abuzz with drones; citizens nervous; Virginia has passed a broad law against drones; Texas legislators trying

• Why? What is new here?

Privacy (1/2)

• Why? Because UAVs could change the balance• Could eliminate a practical privacy protection: high

cost and inconvenience of manned surveillance aircraft

• Growing realization that citizens do, in fact, have an expectation of privacy even when in public places: an expectation to not be continuously monitored

• Decision and concurring opinions in U.S. v. Jones suggests that SCOTUS sympathetic to this expectation

Privacy (2/2)

• No blanket injunction against imagery of private citizens on private land (bad for hobbyists and researchers)

• Apply Peeping Tom/ Improper Photography laws • “Cone of transparency” for non-hobbyist UAVs:

data on owner and purpose of UAVs above you should be readily accessible

• If problem worsens, perhaps a Texas solution: authorize property owners to shoot at unidentified UAVs over their property

Privacy Recommendations

• Privacy: Low cost, ease of use eliminate practical privacy protections

• Security: (1) Secure navigation, (2) secure command and control, (3) secure sense and avoid, and (4) secure telemetry (e.g., video feed)

Hurdles to Integration

GPS Jammers

GPS Spoofer

University of Texas Spoofing Testbed

Internet or LAN

Receive Antenna External Reference Clock

Control Computer

GPS Spoofer

UAV coordinates from tracking system

Transmit Antenna

Spoofed Signals as a “Virtual Tractor Beam”

Target UAV

Commandeering a UAV via GPS Spoofing

UAV Video

• RAIM was helpful for spoofing: we couldn’t spoof all signals seen by UAV due to our reference antenna placement, but the Hornet Mini’s uBlox receiver rejected observables from authentic signals, presumably via RAIM.

• 5-8 dB power advantage is required for clean capture: A matched-power takeover leads to large (50-100 m) multipath-type errors as the authentic and counterfeit signals interact.

• The UAV’s heavy reliance on altimeter for vertical position was easily overcome by a large vertical GPS velocity.

Observations (1/2)

• GPS capture breaks flight controller’s feedback loop; now spoofer must play the role formerly assumed by GPS. Implication: Fine control of UAV requires accurate radar or LIDAR UAV tracking system.

• Seamless capture (no code or carrier phase unlock) requires target position knowledge to within ~50 m and velocity knowledge better than ~2 m/s. This is quite challenging for small UAV targets at long stand-off ranges (e.g., several km).

• Compensating for all system and geometric delays to achieve meter-level alignment is challenging but quite possible.

Observations (2/2)

• Require navigation systems for UAVs above 18 lbs to be certified “spoof-resistant”

• Require navigation and timing systems in critical infrastructure to be certified “spoof-resistant”

• “Spoof resistant” defined by ability to withstand or detect civil GPS spoofing in a battery of tests performed in a spoofing testbed (e.g., TEXBAT)

RecommendationsFrom testimony to House Committee on Homeland Security, July 19, 2012

• Privacy: Low cost, ease of use eliminate practical privacy protections

• Security: (1) Secure navigation, (2) secure

command and control, (3) secure sense and avoid, and (4) secure telemetry (e.g., video feed)

Hurdles to Integration

• Many in the aviation community believe that the only sense and avoid (SAA) technology that is broadly applicable to all UAV will be based on Automatic Dependent Surveillance-Broadcast (ADS-B)

• ADS-B: Each aircraft periodically (e.g., 1 Hz) broadcasts an identifier, a position, and velocity

Secure Sense and Avoid

Problem: FAA introduced no provision for authentication in ADS-B broadcast

ADS-B False Injection Attack

Magazu, Mills, Butts, Robinson, “Exploiting the ADS-B System via False Target Injection,” JAAP, fall 2012

ADS-B False Injection Attack

Magazu, Mills, Butts, Robinson, “Exploiting the ADS-B System via False Target Injection,” JAAP, fall 2012

Altering Live ADS-B Data

Magazu, Mills, Butts, Robinson, “Exploiting the ADS-B System via False Target Injection,” JAAP, fall 2012

The ability to read live ADS-B broadcasts and generate slightly altered versionsof these should be of significant concern to the FAA: How will ground radarpick out the right aircraft from within a “cloud” of nearby phantom aircraft?

Root ProblemFAA’s organization and culture has historically targeted safety and efficiency, not security: 96-page NextGen Implementation Plan (2011) references safety over 100 times, efficiency at least 50 times, security less than 5 times.

Recommendations• Strongly consider re-designing ADS-B• Broadcasts still in the clear• Each broadcast signed using a public/private-key

framework • Revised broadcast would need to be significantly

lengthened to ensure digital signature strength• Update key database before flight• Use Iridium satellite constellation for en-route key

management (e.g., key revocation)

A re-design would set NextGen back years.

• Privacy: Legislate privacy protections that are acceptable to the public without stifling nascent commercial UAV industry

• Security: (1) Develop secure/robust navigation technology, (2) require encrypted command and control links (with master keys for law enforcement), (3) find a secure and broadly applicable sense and avoid technology (e.g., re-design ADS-B), and (4) encrypt telemetry (e.g., video feed)

UAV Integration: Summary of Challenges

radionavlab.ae.utexas.edu