Drone Security Defcon Talk Withdrawn — The Defender's Dilemma

Planet Zuda
5 min read · Jul 18, 2016


Edit: It came to our attention that we didn’t mention that we offered the IoT Village an edited talk covering one drone, plus more information on other subjects.

TL;DR: Many of us agree that there should be no free bugs for companies, so we’re just extending that principle to conferences. #nofreebugsforcons

The reason our company decided to withdraw a talk from the Defcon IoT Village is not a simple one. In 140 characters, saying we’re too busy in the drone startup space explains only a very small portion of a much larger picture. That tweet was viewed over 8,000 times, but it is just a sliver of what is really going on. We’ve decided it would be best to explain everything from the beginning.

Are drones secure? That question popped into our founder’s head in 2015 while working on a Parrot drone, and it was quickly proven that the Parrot drone in question was anything but secure, since it falls out of the air like a rock after being hacked. The drone was a prize provided by Bugcrowd at a bug bash our company won in 2015 at AppSec California in Santa Monica.

“fly the drone into the electrical wires!”

We wanted to show one person in the media the exploit we had found and were looking for a place to demonstrate it. We noticed the IoT Village account tweeting and asked them if they knew of a safe location, and they said they did. We were not prepared to give a drone demonstration in front of at least 50 people, because that’s a huge responsibility, but that’s what happened. A few members of the press quickly showed that they didn’t care about safety: one of the first things someone said was “fly the drone into the electrical wires!” Yeah, no. That is extremely reckless and careless, not to mention whatever those wires were connected to. Another problem was a press member who got in the way of the drone and refused to move. If I had shut down the device two seconds later, it would’ve hit the guy. Since that drone had safety guards protecting people from the propellers, which can cut people, it wasn’t a major safety issue. The drones we tested this year can cut off ears and have no safety guards around the propellers.

While the media claims the drone demonstration happened at Defcon, technically it didn’t. We had to go into an area not controlled by Defcon to do the demonstration, since Defcon was afraid of idiots running under the drone hoping to be hit, and after seeing the way a couple of members of the press behaved last year, their logic is completely understandable.

We wanted to give our information to the public, but as anyone knows, the defender’s dilemma is an extremely hard one, to say the least. We feel it is best to explain everything to the public, since we did withdraw a talk.

While we believe it’s important to teach the drone industry about these security issues, it’s also important to weigh every decision carefully. One thing we had to weigh was whether presenting in a public forum like Defcon is the best way to solve these issues. That’s a hard question to answer, but we do know that presenting last year led to some minor improvements in pre-existing drones and completely blocked the one exploit we demonstrated last year in their newer drones.

Another question we wrestled with was whether it is worth giving this talk for free when the conferences and the media are the only ones who profit from our work. We thought about this at length and decided it isn’t right. We take on all the risk involved in doing this type of research, and the extreme risk of speaking about it publicly, since some companies don’t take kindly to this type of research and sometimes sue in retaliation.

We decided to look at whether it would be cost prohibitive for Defcon and its villages, including the IoT Village, to pay people to speak. While we don’t know how much the IoT Village makes, we do know Defcon had over 20,000 people attend the conference, and each person had to pay $230 just to enter. That made Defcon $4.6 million in sales at the door alone. What Defcon pays in costs and overhead to hold the event is currently unknown to us. Some of that revenue should be used to fund those who are taking the risk to speak.

It is important to share information, but we had already incurred plenty of legal fees and would have had to incur a lot more to put on a safe drone demonstration, even if we only made a video to show at the talk instead of doing a live demonstration at Defcon. We also had to weigh our paid work, including our paid work in the drone space, against this free work that only others would profit from.

Why don’t you just get a sponsor?

We tried for a year to get sponsored by security companies and even by the drone industry. Some companies simply overestimated what they would be able to do within their budget and had to withdraw, while the drone industry took the view that we were going to give everything away for free at Defcon anyway, so why fund us? We still have their exploits; however, we aren’t going to talk about them for free, if we talk about them at all. We do believe the problems are critical and do need to be seen, but not in a setting where we feel we’re being taken advantage of.

Why did you submit a talk if your company believes everything written above?

Because, as we’ve said, the talk needs to be given. When we submitted the talk, we didn’t know Defcon would prohibit a demonstration, since last year we thought they had implied a drone demonstration might be possible if we let them know sooner. That led us to figure out how to demonstrate the vulnerabilities, which would have meant looking for more sponsors, but that had already proved futile for a year, so we decided not to.

It is important to be honest, so it’s worth noting that we did not ask to be paid by the IoT Village or Defcon; however, it should be a given without having to ask.

Just because we aren’t talking doesn’t mean our research is ending; quite the contrary. We are already planning our next project, which no one has delved into yet and which is extremely interesting. That’s all we will say at this point in time. If you are interested, you can always check our website, https://planetzuda.com, or contact us at sales at planetzuda.com (please replace “at” with the @ sign).

Planet Zuda

Planet Zuda is an information security company helping protect companies from criminals. https://planetzuda.com