Much of the battle over police drones in the United States has been over privacy. Recently, however, a new concern has come to light: the threat of hackers.
In March, security researcher Nils Rodday claimed he could take over a drone that cost between $30,000 and $35,000 using just a laptop and $40 worth of special equipment. He specifically targeted a drone model marketed to police departments by intercepting its Wi-Fi connection and sending it new commands.
Rodday isn’t the only person hacking drones. At the University of Texas, engineering professor Todd Humphreys showed in 2012 that drone GPS signals can be “spoofed” to allow remote operators to take them over. In a paper published this month in Proceedings of the IEEE, he broke down which kind of attacks were effective against which defenses. The results weren't encouraging.
"Some military defenses can be thwarted by the simplest attacks," Humphreys told NBC News.
There is a history of federal agencies and militaries struggling to protect their drones. Several weeks ago in Israel, a member of Hamas was indicted for hacking into the video feeds of drones flown by the Israel Defense Forces. And last year the U.S. Customs and Border Protection agency said that drug traffickers were spoofing its drones.
That hasn't stopped police departments from requesting permission to use drones, which are much cheaper and more versatile than helicopters. Imagine an officer simply pulling a drone out of his trunk to get an aerial view of an accident or get close to a shooter in a remote area without risking his or her own life. In 2014, a sheriff's deputy in Grand Forks County, North Dakota, used a drone to track suspects who fled in different directions.
Why police drones can be hard to protect
Police departments aren't buying the $80 quadcopters consumers can buy on Amazon. They are in the market for drones that costs tens of thousands of dollars. Still, law enforcement drones aren't as secure as the drones the U.S. military uses, Humphreys said.
Military drones have large, expensive receivers that connect to encrypted GPS signals, which aren't available to local law enforcement. And while there is demand for police drones, it's not high enough for companies to justify outfitting unmanned aerial vehicles (UAVs) with pricey, top-of-the-line security features specifically built for law enforcement, Humphreys said.
"I think there is a strong market for law enforcement drones waiting in the wings," he said. "There are companies that will harden their drones against these attacks. The problem is that the market just isn’t there yet."
Privacy concerns have slowed the adoption of drones across the country, he said. If police departments can't convince communities they aren't spying on law-abiding citizens, chances are they won't get the funds to buy new drones. Still, there are companies catering to security-minded buyers, like Switzerland-based u-blox, which has created GPS receivers for commercial drones that can handle encrypted signals.
Another problem facing federal and local law enforcement is the inability to draw top talent away from tech companies.
"It's nearly impossible to get good people on staff and retain them, even for private companies," said security consultant Katie Moussouris.
For local governments, keeping a drone security expert in-house probably isn't an option. Even if they contract out their work, finding bugs and security holes can be hard because the "helpful hacker" community is reluctant to share its findings with law enforcement.
"It could be a situation where they are literally incriminating themselves," Moussouris said.
To solve that problem, she suggested local and state governments set up programs similar to Hack the Pentagon, which she helped create with the Department of Defense. It pays bounties to vetted hackers who find vulnerabilities in the agency's system. Something similar could help understaffed police departments, she said.
A complicated problem
Even if resources are committed to stopping hackers, there is no guarantee those efforts will be successful.
"The world isn't ready to deal with these cyberattacks," said Barry Horowitz, a professor of systems and information engineering at the University of Virginia. "It's a problem that is just emerging."
He led System-Aware Secure Sentinel, a joint project with the Georgia Institute of Technology aimed at monitoring drones so that operators can spot hacks instantly and respond before any damage is done.
Securing a central command center is a "more plausible strategy" than securing every single drone, Horowitz said, because there are so many ways to hack any individual UAV. The monitor Horowitz and his team built lives on three different computers and with three different operating systems. It switches between them randomly about every two seconds, making it very difficult for hackers to get into the system.
When it comes to individual drones, utilizing encrypted communications could be the key to increasing security. Like most computer security issues, it's a moving target, since hackers are continuously developing new attacks.
That is bad news for police departments, because it could take just one hacked drone to sink an entire program.
"There is a cost-benefit analysis here that says that the worst that can happen is a drone falls out of the sky," Humphreys said. That doesn't sound so bad, he said, but from the "police department's perspective, the worst-case scenario is that they could lose the support of the public."