
Threat Intelligence

7/7/2020
03:05 PM

Drone Path Often Reveals Operator's Location

The threat posed by drones to critical infrastructure and other operational technology is made more serious by the inability of law enforcement to locate operators, researchers say.

The way that a drone moves and its path through the sky can reveal the location of the operator, a critical step in preventing drone attacks on critical infrastructure and other malicious activities, researchers at Ben-Gurion University (BGU) of the Negev said in a paper published on July 7. 

The researchers observed that drones moved differently depending on the operator's location, and that experienced observers can often tell whether the drone pilot is viewing its flight through a screen — in first-person view (FPV) mode — or if they are observing it from the ground. Using a simulated environment, the researchers trained a machine learning model to extract and identify artifacts that leak information about the pilot's location.

In the end, the researchers created a dense neural network that could use 120 points from 81 flights to create drone paths to predict from which of three locations a pilot was operating the drone with 73% accuracy, says Eliyahu Mashhadi, lead researcher with BGU's Department of Software and Information Systems Engineering.

"Our goal was to make a POC [proof of concept] to see that in the simulator it is indeed possible to deduce the position of the drone operator given a route, or part of the route, that the drone performed," Mashhadi says.

Drones have taken off globally. In the United States, more than 1.5 million unmanned aircraft systems have been registered and more than 170,000 pilots certified as of March 2020, according to the US Federal Aviation Administration.

But with their use comes risk. Unmanned aerial vehicles — drones — pose a serious threat to critical and operational infrastructure. In the first quarter of 2020, more than 370 incidents of drones behaving dangerously were reported to the Federal Aviation Administration.

Specific incidents highlight that danger. In December 2018, 129 separate sightings of unauthorized drone flights shut down London's Gatwick Airport, but no operator was ever found. In the Middle East and North Africa, more than 100 drone attacks have targeted military bases and commercial airports in the past two years. The most damaging attack, however, is arguably the September 2019 drone strike on a Saudi Aramco oil processing facility by Iranian-backed Houthi rebels in neighboring Yemen.

While military drones may use different technology, the potential for commercial drones to be used for damaging critical infrastructure poses a threat. In these cases, just as attributing a cyberattack can help punish the attackers, or at least deter future attacks, finding the operator of a drone can help dissuade users from malicious activities.

At present, drone operators are often located using the radio-frequency signals sent from the controller, but sensors generally have to be matched to the various drone technologies in use, according to the researchers. In addition, sensors have to already be on-site and near the operator to be able to locate them.

The academic research team's approach requires only somewhat accurate location information at a particular sample rate — eight samples per second in the proof-of-concept experiment. Using the path of the drone, the neural network focuses on the speed of the unmanned aircraft systems, the approach the pilot chooses for a flight path, and whether the movement is aggressive or passive.

One flight feature that could help in the future is the drone's yaw, the rate of turn around its vertical axis, Mashhadi says.
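
As an added illustration (not code from the BGU paper, whose network and inputs the article does not detail), the sketch below derives the kinds of path characteristics the article names, speed, aggressiveness of movement and a heading-change proxy for yaw, from a 120-point track sampled at eight samples per second. The function names, feature definitions and sample tracks are assumptions constructed for this example.

```python
import math

SAMPLE_HZ = 8        # samples per second, the rate quoted in the article
WINDOW_POINTS = 120  # points per path, the figure quoted in the article

def path_features(track, hz=SAMPLE_HZ):
    """Summarise a list of (x, y, z) positions in metres sampled at `hz`.

    Feature definitions are assumptions for this example: RMS acceleration
    stands in for "aggressive vs. passive" movement, and the ground-track
    heading-change rate stands in for yaw, which positions alone do not give.
    """
    if len(track) < 3:
        raise ValueError("need at least 3 samples")
    dt = 1.0 / hz
    speeds, headings = [], []
    for (x0, y0, z0), (x1, y1, z1) in zip(track, track[1:]):
        dx, dy, dz = x1 - x0, y1 - y0, z1 - z0
        speeds.append(math.sqrt(dx * dx + dy * dy + dz * dz) / dt)
        # Heading is undefined while hovering or moving purely vertically.
        headings.append(math.atan2(dy, dx) if (dx or dy) else None)
    accels = [(b - a) / dt for a, b in zip(speeds, speeds[1:])]
    turns = []
    for h0, h1 in zip(headings, headings[1:]):
        if h0 is None or h1 is None:
            continue
        delta = (h1 - h0 + math.pi) % (2 * math.pi) - math.pi  # wrap to [-pi, pi)
        turns.append(abs(math.degrees(delta)) / dt)
    return {
        "mean_speed_mps": sum(speeds) / len(speeds),
        "max_speed_mps": max(speeds),
        "rms_accel_mps2": math.sqrt(sum(a * a for a in accels) / len(accels)),
        "mean_turn_rate_dps": sum(turns) / len(turns) if turns else 0.0,
    }

def constructed_straight(n=WINDOW_POINTS, hz=SAMPLE_HZ, speed=4.0):
    """Constructed sample: level flight along x at constant speed."""
    return [(speed * i / hz, 0.0, 10.0) for i in range(n)]

def constructed_orbit(n=WINDOW_POINTS, hz=SAMPLE_HZ, speed=4.0, radius=20.0):
    """Constructed sample: level circular orbit at constant speed."""
    w = speed / radius  # angular rate in rad/s
    return [(radius * math.cos(w * i / hz), radius * math.sin(w * i / hz), 10.0)
            for i in range(n)]

if __name__ == "__main__":
    for name, trk in (("straight", constructed_straight()), ("orbit", constructed_orbit())):
        print(name, path_features(trk))
```

A classifier such as the dense network the article describes would consume either the raw sampled path or summaries like these; which of the two the researchers used is not stated in the article.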

The researchers found that higher sampling rates yielded better predictions. While sampling at a higher rate could have produced better results, the current simulator software did not allow for sampling at a rate higher than eight samples per second. 

"Maybe in future experiments, we will edit the code — [since] it is open source simulator — so we can record at a higher rate," Mashhadi says. "I believe it will improve the results."

While the initial experiment only included three possible locations for the operator, a greater number of locations does not necessarily reduce accuracy, he says.

"Since publishing this article, we have done more experiments where there are four options for operator location and two different flight destinations ... and increased our dataset," he says. "The results we got were better and we reached 78% accuracy."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 

Comments
stonde,
User Rank: Apprentice
7/11/2020 | 8:22:05 AM
Interesting article
Thank you.