If you’re a nefarious sort, you might use a commercial drone to smuggle drugs, carry explosives, or to just spy on your neighbors. Drones are appealing to criminals in part because they seem fairly anonymous, flitting through the sky with an invisible digital tether to its owner. But anonymity is no longer a safe bet. In the hands of crime investigators, a drone can reveal a range of personal and financial information about its owner.
Most of these details are stored in memory chips inside the drone’s circuit board. Or sometimes a law enforcement official gets hold of a drone’s controller instead, which can open up access to its owners’ setup account. The exposed data includes credit card numbers, which might be stored in an owner’s account for after-market purchases, or GPS information about the drone’s flights. It can even include an email or physical address.
With drones more regularly getting caught up in criminal activity, the National Institute of Standards and Technology has assembled an archive of digital readouts from 14 commercial drones, with the goal of helping law enforcement officials learn how to best extract this little-used trove of data. The NIST reference manual gives step-by-step instructions on how to physically remove the individual SD memory chips from each drone, and what to look for once an agent plugs the card into a computer.
NIST technicians are partnering with a Colorado-based tech firm, VTO Labs, a digital security consulting firm. The NIST archive is a digital training ground for law enforcement analysts to figure out what they might find on a specific drone model that gets picked up as evidence in a crime investigation, says Barbara Guttman, who leads NIST’s software quality group. “When you get the [SD] card back, there may be some handshake information with a PC, or there may be some ways to get latitude and longitude of where it was first flown,” she says.
NIST’s drone database includes an in-depth blueprint of the physical capabilities of each drone, such as its speed, rotor rotation rate, and altitude, as well as the information it might contain on its owner. The guide even has photographs depicting what kind of tools you need to take the drone apart without damaging the built-in flash memory chips that can’t be as easily removed as a smart card. “If you have an important case, you don’t want to practice on (the drone itself),” Guttman says.
In Colorado, VTO Labs has collected digital forensic data from a range of devices, including mobile phones and internet-connected appliances, for law enforcement investigations. But in the past three years, CEO Steve Watson says he has been getting more and more requests involving drones. “As they started to receive the devices, they wanted to answer the five basic questions of who, what, where, when, and why,” Watson says. A particularly useful indicator is the record of a drone’s first flight, which often takes place at or near its owner’s home. “One of the first things a person does is take it out of the box and fly it. As soon as you turn it on it acquires a GPS signal and will mark where it’s flying. In many situations, law enforcement finds it’s the person’s backyard or a nearby park.”
To build its database for NIST, technicians at VTO bought three different drones for each of 14 models and flew them to collect baseline data. The information was collected from circuit boards and onboard cameras, as well as from the pilot’s handheld controller and the smartphone apps that run some drones. Watson says the exchange of digital information between a drone and the smartphone app or handheld controller is not as secure as some owners think. One drone had the owner’s credit card information stored in a database that law enforcement officials were then able to access.
Watson and NIST aren’t the only digital experts tapping into this cache of personal information that’s flying around on drones. A team from the University College Dublin used a DJI Phantom 3 drone as a case study on how to obtain data from its onboard chips. And a Kentucky-based engineering firm announced last month that it would start offering forensic expertise to private individuals who might pursue legal action when a malfunctioning drone crashes into someone or their property, or invades their privacy in some way.
Drone-maker DJI has faced troubles in the past year after the Department of Defense banned federal agencies from purchasing Chinese-made DJI drones because of security concerns. Separately, a private security firm found a bug that could allow hackers to access the DJI drone’s camera and video recorder in-flight.
Watson says his firm trains law enforcement analysts on how to collect drone data that may help lead to a terror cell or prison gang, for example. “We are doing research to identify what data exists and how it can be retrieved,” he says. He says he’s been working with Interpol this month, as well as police forces from Australia and the Netherlands. Many of these nations require drone owners to register their devices in a federal database. That’s not the case in the United States, but rogue drone operators better hope that their spy toy or drug mule either lands safely back at home, or crashes out of sight in a really tall tree.