Drone ID Brings SSL/TLS Certificates to IoT Security

As increasing numbers of drones take to the skies, the new Drone ID effort backed by AirMap and DigiCert aims to help provide identification and security.

When a drone flies overhead, how can its owner be identified? That's a question that is not easily answered today, but it might be in the future if the idea behind Drone ID takes off.

While Drone ID is specifically about helping to secure drones, the basic idea behind the technology has much wider applicability and could be a catalyst for Internet of Things (IoT) security.

The new Drone ID effort is backed by airspace intelligence vendor AirMap and digital security certificate vendor DigiCert and involves the use of SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates. SSL/TLS is widely used on the internet today to help secure websites. When validated by a Certificate Authority like DigiCert, SSL/TLS certificates provide the added benefit of helping to validate the ownership and authenticity of a given site or service.

"This is the first time anyone has embedded certificates on drones," Jared Ablon, CISO at AirMap, told eWEEK. "We'll be using the Intel Aero platform as the initial place where we'll deploy Drone ID."

Intel first announced the Aero platform in October as a developer framework on which vendors can build their own drones. Ablon added that while the Intel Aero is the initial deployment vendor, the plan is to open up the Drone ID platform to other vendors in the future.

Drones today have multiple identifying elements including various 3G/LTE and WiFi radios as well as MAC (media access control) addresses. Ablon said that MAC addresses and other hardware identifiers can potentially be spoofed by an attacker.

"The nice thing with Drone ID is that it will be signed by DigiCert, which is a trusted root Certificate Authority," Ablon said. "We are tying the certificate to a specific drone, with specific information on the drone."

With a website, an SSL/TLS certificate is tied to a specific web domain, with different degrees of validation. A Domain Validated (DV) certificate is simply validated against control of a specific domain, while an Organization Validated (OV) certificate also validates the authenticity of the organization requesting a certificate. Dan Timpson, CTO at DigiCert, said that Drone ID will be aligned with OV certificates, providing a higher degree of attestation than a DV certificate.

In Timpson's view, the need for organizational validation is a critical element of helping to enable IoT security.

"With respect to IoT devices in general there is a need to know which organization is looking after a device and ensuring that they are following security practices that work," Timpson told eWEEK.

FAA Regulations

Part of the Drone ID initiative is an effort by AirMap to get ahead of potential civil aviation regulations for drones from the U.S. Federal Aviation Administration (FAA) and other regulatory organizations around the world. The FAA has been considering different rules for drone use over the course of 2016.

Ablon noted that different jurisdictions around the world are considering various ideas for drone regulation. In France, for example, there is a discussion now about using a transponder to identify drones.

"We think that instead of just having a transponder, why not digitally sign the information that you're transmitting," Ablon said. "I think we can improve our security posture and Drone ID is one way to do that."

"We're trying to look beyond the regulations that are already out and we think that Drone ID is a great way to help ensure security in the ecosystem," he added.
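The signed-broadcast idea Ablon describes, sketched as an added example that is not AirMap or DigiCert code: a CA issues a certificate naming the operator and the drone, the drone signs what it transmits, and a receiver accepts the identity only when both the certificate chain and the signature verify. The article gives no Drone ID certificate or message format, so the Ed25519 keys, subject fields, payload and function names here are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and a certificate for org/cn; a nil parent yields a self-signed root CA.
func issue(org, cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{org}, CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: signs itself and may sign device certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// signMsg is the drone side: sign the broadcast payload with the device's private key.
func signMsg(key ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(key, msg) }
// verifyBroadcast is the receiver side: accept only if cert chains to root AND sig verifies under cert's key.
func verifyBroadcast(root, cert *x509.Certificate, msg, sig []byte) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by trusted CA: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, msg, sig) {
		return "", fmt.Errorf("signature does not match certificate key")
	}
	return fmt.Sprintf("O=%v CN=%s", cert.Subject.Organization, cert.Subject.CommonName), nil
}
func main() { // constructed sample identities and payload (assumed format)
	root, rootKey := issue("Example Root CA", "root", nil, nil)
	drone, droneKey := issue("Example Operator", "drone-0001", root, rootKey)
	msg := []byte("lat=0.0,lon=0.0,alt=50")
	fmt.Println(verifyBroadcast(root, drone, msg, signMsg(droneKey, msg)))
}
```

Unlike a MAC address, the operator and drone names in the certificate are accepted only alongside a signature made with the private key that the trusted CA certified.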

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.