He spoke at worldwide security conferences in San Francisco, Singapore and other places. Media all over the world wrote stories about how a German student discovered security issues with professional drones. Nils Rodday who graduated from the EIT Digital Master School in July 2015, stirred up the global drone scene with his master thesis ‘Exploring security vulnerabilities of unmanned aerial vehicles’ and is seen as a worldwide expert on the matter.
In his master thesis, Rodday discovered security-issues with a professional drone, the kind that big companies, police forces, or fire departments use. He succeeded in taking over the steering of the drone of one manufacturer who lent him one for his research, and let it fly as he commanded. The issues he discovered also apply to other unmanned aerial vehicles as many manufacturers are using similar technologies. Besides detecting the security-problem(s), he also has made several suggestions to improve drones. “The most important one is to use proper encryption”, Rodday says.
Rodday’s research was conducted during his internship at KPMG under supervision of Prof. dr. ir. Aiko Pras and Dr. Ricardo de Oliveira Schmidt from the University of Twente and Matthieu Paques and Ruud Verbij of KPMG. “This was an upcoming topic where I had to work on. Very interesting. And risky for a thesis project. I didn’t know if the penetration test was about to fail or succeed.”
The internship was part of his two year course of study at the EIT Digital Master School – Security & Privacy. He studied the first year at the University of Trento (Italy) and the second year at the University of Twente (The Netherlands). In between, he participated in the Summer School in Stockholm. “To me learning at EIT Digital was a great experience. I met so many people, made so many new friends and was astonished by the technical content. Being able to study in three European cities is absolutely an added value.”
New version of drone
Rodday only used one model of a drone from one manufacturer for his research. He won’t say which manufacturer. “It doesn’t matter, many drone-manufacturers use similar technologies.” In the meanwhile, the concerning manufacturer is producing a new version of the drone. He doesn’t know if the manufacturer followed up on all of his suggestions for improvement. “Even if this manufacturer fixed the issues, I guess there are many more that didn´t.”
The EIT Digital’s student felt the results of his research would be worth sharing with the security scene. So he applied to talk at the RSA Conference 2016, acting on a call for speakers and also to Black Hat Asia 2016 in Singapore. Amazingly enough, he got invited to both conferences. “These are huge conferences and you don’t get to speak there just like that.” But there was a tiny problem. He needed money to actually give a presentation in San Francisco. “The travel and hotel expenses are quite expensive, and as a student I couldn’t pay for that.” He asked around and found EIT Digital willing to cover these expenses. “I am very glad they helped out here.”
Since then he is seen as an expert in the field of drone security. His story on stage created a stir amongst the audience of professionals in security. He is still getting offers to speak on conferences. And important media like Forbes in the USA, the BBC in England, the NOS in the Netherlands, local magazines in different countries and of course the specialized magazines on drones reported on his findings. In the eyes of journalists, Rodday is an expert on drones and security.
He nuances this phrase. “I just started my career, so you cannot expect that I am an expert on IT Security. Though I do know about IT and security and of course about drones. But I am careful about calling myself an expert.” But he loves going to the conferences he says. “As a student you don’t get to attend a lot of conferences, especially not the big ones. They are too expensive. Now as a speaker I got the chance to see and meet very interesting people.”
Rodday was very surprised by all the media-attention. “I never thought this would happen.” But then again he can find an explanation. “Not a lot of people thought about researching drone security. The subject is new and appeals to people. This is the first kind of research ever done about the security of professional drones.” Also his research includes the disclosure of vulnerabilities and the fact that professional drones are used by police forces and fire departments in different countries could have contributed to the stir his research created in the field.
Also unexpected is the amount of times that his thesis is downloaded. “It is not usual that people other than your professors read your thesis. Now my thesis is shared by many more.” His research is source of inspiration for other students. Rodday says that he got a lot of questions about his thesis from PHD students and Drone companies. He is certain that his thesis will be used for more research. “Either as a follow-up on my research or as a blueprint in other areas.”
Lessons to learn
His security study reveals an important issue in general with the development of new technologies. New technologies should be more focussing on security, he states. “Often with new technologies, the features come first. Security is hardly ever a first priority and therefore new technologies often miss some crucial security parts or security is not implemented at all.” Security is quite important, Rodday underlines. “Especially for products with a professional focus and for products working with sensitive data.”
Rodday now works as a security consultant at IBM in Germany. Drones may be a specialty to Rodday, at IBM he works on several fields of IT Security. Now he is working on the areas Space & Defence and Insurance. Also projects where security is “quite important”.
The story of Nils has had a lot of media coverage in Germany, Holland, Italy, Great-Britain and the USA as well. Here is a selection:
- BBC (GB)
- Securityaffairs (IT, english)
- Cnet (USA)
- Dday (IT)
- Drones (NL)
- Dronewatch (NL)
- Exchange Wire (GB)
- Forbes (USA)
- Heise (DE)
- NOS (NL)
- Officer.com (USA)
- UT Nieuws (NL)
- The Register (GB)
- Wired (USA)
- WZ (DE)
- ZDnet (BE)
and so on, and so on….