As the use of drones (small unmanned aerial systems or UASs) has continued to expand, a great deal of ink has already been spilled over two categories of risk associated with their operation: (1) bodily injury and property damage caused by negligent and/or malicious operations; and (2) claims for invasion of privacy, nuisance and trespass. Cybersecurity, however, has not received nearly as much attention. Yet it represents a significant risk that must be considered by the industry. Take, for example, the recent report by an Israeli cybersecurity firm, Check Point Research, which highlighted a troubling vulnerability in the website of DJI, the world’s largest manufacturer of commercial drones.
Check Point identified that a vulnerability in DJI’s website (as opposed to the software used in the drones themselves), if exploited, would allow hackers to obtain access to flight logs showing exactly where a drone had travelled, as well as the photos and videos taken by the drone. Moreover, under certain circumstances, hackers could have gained access to live camera views and map views during flights. Finally, hackers were able to access information associated with a DJI user’s account, including user profile information. After DJI was notified of the vulnerability, it responded with a patch and further reported that there was no evidence the vulnerability had actually been exploited.
Check Point’s identification of the vulnerability demonstrates that, as with all other data collected and stored, data derived from drones is exposed to cybersecurity concerns. To that end, while many focus on the regulatory issues relating to where and how drones may operate, the industry cannot lose sight of the fact that drones are very efficient data collection platforms, generating significant amounts of sensitive data that have value and must be protected. Thus, drone operators and service providers are attractive targets for hackers before, during and after conducting flights. The collected raw or processed data sitting on a local server or in the cloud could very well be subject to ransomware seizures demanding cryptocurrency payments for its release, other malware or Trojan horse infiltrations, and spoofing of the accounts and/or destinations to which client data is to be sent.
Accordingly, those who are operating drones in their day-to-day business, or who are operating drones as third-party service providers for others, must take care to ensure that the data, particularly data containing sensitive account activity and personally identifiable information, are protected. Appropriate risk management efforts are essential, such as assessing insurance needs and available coverages, reviewing or including indemnitees and disclaimers in contracts, and assessing regulatory compliance obligations to ensure that you are protected in the event you experience an issue with data you have collected. If you are a drone owner or operator, or use the services of one, do you know what obligations you have to monitor the security of the data you collect? If your, or your client’s, data have been seized by hackers, do you know what obligations you have to notify your clients, the authorities, or your insurance carriers? As with all matters relating to cybersecurity, it is not a question of if, but when the need to address these questions will arise for drone operators.