If your drone is not secure, it’ll cost you
Watch out, there’s a ‘drone’ jacker’ about… so ensure you have legal protection, says Nick Gibbons
Drone technology offers many benefits – from the potential for speedy Amazon deliveries from the sky, to saving lives, as witnessed recently when the Lochaber mountain rescue team used one to find a hurt climber.
But on the flip side, there are risks associated with aerial technology, such as drone jacking or hacking.
Typically, when the conversation moves to the subject of drone-jacking, people immediately envisage a Hollywood-style breach of national security, probably in or around the White House before Will Smith leaps in to save the day.
However, attacks on this technology represent very real risks for the growing number of businesses using drones, such as engineers surveying buildings and infrastructure, e-commerce giants sending deliveries or companies gathering surveillance for insurance claims.
Earlier this year, Amazon announced an expansion to its research and development team in Cambridge. This will see 400 technology specialists fine-tuning the technology behind delivery drones. Despite claims that such deliveries are “pipe dreams”, there is a growing market for commercial drone technology, and with this comes a growing risk of drone-jacking.
Last November, a report from security software company Mcafee predicted cybercriminals will soon turn their attention to targeting drones, particularly those used for law enforcement, filming and deliveries.
Drones without adequate security in place will be vulnerable to hacks, as well as physical attacks. The report speculates 2017 will see an increase in availability, via the dark web, of pre-packaged software and toolkits for hacking drones. In these cases, hacking of the drone itself or its supporting software may result in either physical misuse or data breaches. Hacking for the physical diversion of a drone carries the potential for personal injury or property damage, actual theft of the drone or indeed, the item it was carrying.
Theft of data is another real risk, particularly if the drone contains personal or sensitive information, whether customer data included for delivery purposes or footage collected via an attached camera.
The loss of data via drone-jacking leaves businesses and authorities with many privacy concerns, especially with the EU’S General Data Protection Regulation (GDPR) coming into force in May 2018. In recent years, there have been a raft of data breaches resulting in an invasion of privacy for customers of companies, including Talktalk and Camelot, and breaches of the GDPR could entail fines of up to four per cent of a company’s global turnover.
Attacks are becoming more sophisticated and wide-reaching; recently, we saw the extensive damage hackers can unleash with the Wannacry cyber attack bringing organisations across the globe to a standstill.
If cyber attacks start targeting drones, drone-jacking could leave businesses and their customers equally exposed with regards to personal and commercial data, and the prospect of big fines levied by the Information Commissioner’s Office.
Although the use of drones is already, to an extent, covered by a range of laws and regulations, including the Data Protection Act, more specific, targeted legislation is necessary, as are effective insurance products for organisations using drones. This is especially important with the European Commission predicting full integration of drones into European airspace by 2028.
The UK Government is clearly live to the emerging risks of drone technology. Following a recent consultation exercise, a registration system is to be launched for drones weighing 250g or more. The UK Government is considering the best legislative
option for introducing the new rules.
Currently, a combination of existing insurance policies are required to cover risks associated with drone technology. As the risk of electronic theft of sensitive data rises, the market for specialised policies grows.
In the case of drone-jacking, it would be wise for a business to consider cyber risk policies available for first and third parties. These can provide protection against business interruption, reputational risks, loss or theft of third party corporate data notification expenses and the payment of compensation to individuals affected by security or privacy breaches. Care should be taken, however, when selecting a particular cyber policy, including detailed discussions with a specialised brokers.
So while drones have life-saving potential for Scotland’s mountain rescue teams and a business may find investing in the technology an attractive proposition, an outbreak of drone-jacking could be hugely costly. It is critical that companies consider the security breaches drone-jacking could leave them open to, and invest in the appropriate protection – just in case Will Smith is not available. Nick Gibbons is a cyber security expert and partner at BLM