Drone-Related Cybersecurity Risks Abound Both in the Air and on the Ground

Privacy & Cybersecurity Newsletter
January 2019

As the use of drones (small unmanned aerial systems or UASs) has continued to expand, a great deal of ink has already been spilled over two categories of risk associated with their operation: 1) bodily injury and property damage caused by negligent and/or malicious operations; and, 2) claims for invasion of privacy, nuisance and trespass. Cybersecurity, however, has not received nearly as much attention. Yet it represents a significant risk that must be considered by the industry. Take for example the recent report by an Israeli cybersecurity firm, Check Point Research, which highlighted a troubling vulnerability with the website of DJI, the world’s largest manufacturer of commercial drones.

Check Point identified that a vulnerability with DJI’s website (as opposed to the software used in the drones themselves), if exploited, would allow hackers to obtain access to flight logs showing exactly where a drone had travelled, as well as the photos and videos taken by the drone. Moreover, under certain circumstances, hackers could have gained access to live camera views and map views during flights. Finally, hackers were able to access information associated with a DJI user’s account, including user profile information. After DJI was notified of the vulnerability, it responded with a patch and further reported there was no evidence the vulnerability had actually been exploited.

Check Point’s identification of the vulnerability demonstrates that, as with all other data collected and stored, data derived from drones is exposed to cybersecurity concerns. To that end, while many focus on the regulatory issues relating to where and how drones may operate, the industry cannot lose sight of the fact that drones are very efficient data collection platforms, generating significant amounts of sensitive data that have value and must be protected. Thus, drone operators and service providers are attractive targets for hackers before, during and after conducting flights. The collected raw or processed data sitting on a local server or in the cloud could very well be subject to ransomware seizures demanding cryptocurrency payments to release, other malware or Trojan horse infiltrations, and spoofing of accounts and/or destinations to which client data is to be sent.

Accordingly, those who are operating drones in their day-to-day business, or who are operating drones as third-party service providers for others, must take care to assure that the data, particularly that containing sensitive account activity and personally identifiable information, are protected. Appropriate risk management efforts are essential, such as assessing insurance needs and available coverages, reviewing or including indemnitees and disclaimers in contracts, and assessing regulatory compliance obligations to assure that you are protected in the event you experience an issue with data you have collected. If you are a drone owner or operator, or use the services of one, do you know what obligations you have to monitor the security of the data you collect? If your, or your client’s, data have been seized by hackers, do you know what obligations you have to notify your clients, the authorities, your insurance carriers? As with all matters relating to cybersecurity, it is not a question of if, but when the need to address these questions will arise for drone operators.