SECURITY ANALYSIS OF UAV RADIO COMMUNICATION SYSTEM

. This paper presents analyzed questions of the safety of the information transferred by the radio connection link of the Polish UAV project “Aircraft for monitoring” SAMONIT. This safety is especially important for the design and use of unmanned aerial vehicles (UAV). This paper also presents the structure of the SAMONIT communication system, security threats to the radio connection system, and possible measures to ensure secure information.


Introduction
An unmanned aerial vehicle (UAV) may be used for various purposes: military, monitoring, transportation, and radio communication (UAVNET… 2006).For UAV management, telemetry, and other data transmission, a radio communication link is used.It could inevitably be confronted with threats: loss of radio communication, transmitted information, or control or deliberate external intervention.To avoid these undesirable consequences, it is necessary to take information security measures (Rudinskas et al. 2008).In this paper, the radio-related problems, potential threats, and possible solutions of the UAV project "Aircraft for monitoring" SAMONIT in the framework of Institute of Aeronautics and Applied Mechanics at Warsaw University of Technology are analysed (Goraj 2007, Goraj 2008, Goraj et al. 2008).

System description
Various uses are being developed for unmanned aircraft.UAVs, depending on the purpose and the configuration, can be in touch with the ground at the station or with other UAVs and can also receive data from independent sources of information (GPS, meteorological stations, etc.) (Torun 1999).A summary the UAV communication scheme is presented in figure 1.
Main purpose of the SAMONIT is surveillance of the European Union's external borders in Poland.The ground to air aircraft communication system is used for communication between a ground control station and the UAV.These communication channels are used to transmit commands for the control of the UAV, telemetry data, or other information.Communication systems are classified into two groups: − information transfer system; − information security system.In the next chapters, we will discuss the methods and equipment of information security.

Security threats
For UAV management, telemetry, and other data transmission a radio communication link has been used.It is inevitably confronted with threats: loss of radio communication, transmitted information, or control or deliberate external intervention.The threats come in two types: those independent of humans, and those related to humans (Fig. 2).
To continue further we will detail the potential threats.
One of those types is independent of human threatsnatural phenomena that have an effect on transmission quality but not on the security of the transferred data (Fig. 2).
Human-related threats include eavesdropping on the communication channel, changing or damaging information, and blocking the channel (Fig. 2).Regardless of the purpose of the UAV, strong information security measures are necessary.They are required because, as was previously mentioned, corrupted information may have a negative impact on the vehicle, or the information gathered may be used in other attacks against the UAV.

Measures of information security
An adversary may attempt to manipulate transferable data with the intention of hiding, modifying or delaying control commands.Such critical faults in the UAV influence mission success or flight hazards.The manipulation may be done by corrupting, replaying, or blocking the data during its collection or distribution.However, during real-time UAV operation integrated units generate alerts on the attacks.Furthermore, the adversary may passively eavesdrop on critical data to derive information that may be used for other attacks.Although the above two threats do not cause immediate hazards for flights, they may be exploited for the future attacks.
Physical protection and logical (software) security measures can be used for information security (Torun 1999).The physical security measures assign to technical safeguards (physical protection of information memory devices).Information coding, complex data transfer protocols and encryption algorithms, etc.All information security measures have to be integrated in the radio communication system (Fig. 3).
The default SAMONIT radio communication systems do not include security equipment to protect the transfer of information (Homziuk et al. 2009).Figure 3 shows the functional diagram of the SAMONIT radio communication system with integrated equipment for the information security (dotted line boxes "Encrypt/Decrypt").We will discuss these boxes later.
In order to mitigate the aforementioned threats, we make the following security primitives and recommendations: − Reliability of radio channel: Radio quality on aerial vehicles is influenced by various factors: the frequency band used, the distance, the weather conditions, the intensity of external noise, the position of the aircraft, etc.To ensure the quality and reliability of radio communication, it is necessary to use duplicating transmitters with perpendicular antennas.When there is a communication problem with the main device, automatically turns the second transmitter and continues to maintain the link.For the SAMONIT communication system several different frequencies (35 MHz, 2.4 GHz) are used (Goraj 2007, Goraj 2008, Homziuk et al. 2009)  − Communications antennas must be mounted on the surface of the SAMONIT.If impossible to mount antennas on the surface, "windows" made from other materials (example -glass fibre) must be built-in on the body; − Integrity: The SAMONIT communication channel must be protected from unauthorized modification of data by an adversary attempting to hide, for example, a change in controls commands or telemetry data.Hence, data received from the UAV must be identical to (or an aggregate of) data sent by the originating UAV (Robinson 2007a); − Authenticity: Furthermore, the UAV must also be protected from the injection of misleading data sent by unauthorized ground stations.In order to prevent external adversarial attacks, when receiving data the UAV must be able to verify the validity of both the source and the message.For defending against compromised ground stations, the UAV can employ distributed solutions, such as a majority voting scheme that can jointly determine validity (Lazos et al. 2005); − Confidentiality: Not all information, transferred to/from a UAV, are public: control commands, telemetry data, etc.The assurance of confidentiality will be discussed below; − Mitigation of Channel Jamming: The adversary can, for example, employ jamming attacks to block or delay critical fault detection from propagating towards the ground station.Therefore, channel-jamming attacks must be detected as soon as possible and mitigated in the UAV.A potential solution was described by M. Li; there a UAV adjusts its transmission rate in order to contain jamming interference (Li et al. 2007); − Secure Routing: The UAV and ground station need to route their readings timely and reliably even when under attack.The UAV and ground station routing protocol must be robust enough to withstand jamming attacks that induce long and energy-inefficient routes.The routing protocol must also be robust enough to resist attacks based on misleading routing messages.For example, if geographic routing is used, is capability to change location information (e.g. the wormhole attacks (Lazos et al. 2005)); − Early and Correct Detection of Manipulation: Any manipulation of transferred information must be detected as soon as possible, while false alarms must be avoided.For this threat, we can use the intrusion detection system.The SAMONIT onboard computer must also have the capability to create an archive for all events.

Confidentiality assurance
Communications in the UAV that contain proprietary data or sensitive data capable of aiding future attacks (e.g., engine fuel level, collected data) must be protected against passive eavesdropping on the wireless channels.
The simplest solution is to transfer data in plaintext format using simple data transfer protocol: start, data, checksum and stop bytes (Fig. 4).(Homziuk et al. 2009) This data transfer method is simple but not secure.In addition, no radio modems used have integrated security measures (Homziuk et al. 2009, MaxStream… 2005).For providing integrity, authenticity and confidentiallity of UAV communications, cryptography can be used.
All cryptographic equipment can be integrated into the communication channel as hardware, as an embedded tool (Fig. 3, dotted boxes), or software tools integrated into the main computer of the SAMONIT can be used.There is simple integrate a hardware cipher tool into communication channel, but it challenge some problems.First, it is hardware and needs a power supply and it adds weight.Second, we lose time converting data from different protocols.Software tools do not have the weakness that hardware tools have, but ciphering time is directly dependent on the speed of the main processor (8, 16, 32, or more bits), capacity of the memory, and programs installed.
Since UAV's are limited in terms of battery (fuel) power, symmetric cryptography is preferred.Asymmetric cryptography has the drawback of being relatively computation and communication intensive.At the same time, to increase UAV's functions, asymmetric cryptographybased solutions such as digital signature can be used to communicate with other subsystems (Li et al. 2007, Robinson 2007b).Furthermore, solutions based on link layer cryptography, i.e. using a cryptographic key shared by two neighbours, are more suitable than solutions based on end-to-end cryptography, i.e. using a key that is shared by each originating UAV and the end destination, which can be an aggregator, a UAV, or the base station.
Standard ciphering tools such as those are used in wireless networks can be used to guarantee confidentiality.For example, one of the possible measures is the Advanced Encryption Standard (FIPS… 2001).The AES has different modes: AES Counter mode (AES-CTR), AES-CCM, and AES-CBC-MAC.The ciphering keys used cannot be less than 32 bits.
Cryptography solution can't be used only for transferred data including checksum securing in transfer protocol, or for data and service information (Fig. 5).-17, 18, 254, 112, 0245, 97 The ciphering process requires a lot more capacity for mathematical calculations, and sometimes that is difficult to achieve in the system.There now exist solutions, however that allow cryptographic capabilities to be integrated in small embedded systems.For example, ciphering solutions can be derived from from smart card technology (ZK-Crypt… 2009).

$IM01,
Most available radio communication systems have integrated security measures that are configured by default settings.To protect transferred information, exploring all available integrated security measures is recommended.

Conclusions
1.The security of transferred information is needed for safe UAV use.
2. The analysis of the radio communication system in the SAMONIT project demonstrates that security equipment for transferred data is insufficient, and an adversary could perform external intervention.
3. The minimum requirements for the security of transferred information it is advisable to use data ciphering methods.

Fig 4 .
Fig 4.Structure of questioning message and answering message corresponding to the telemetry layout(Homziuk et al. 2009)