Infosecurity

Why the Philadelphia Eagles Lead the NFL in Password Choices—and Why That’s a Security Problem

When it comes to creating passwords, many people turn to their passions. Unfortunately, that often means using a favorite sports team—and the NFL Eagles password phenomenon is a prime example. According to data from password manager provider RoboForm, the Philadelphia Eagles are the most common NFL team used in passwords, based on an analysis of ten million leaked credentials. This trend highlights a broader security issue: sports team passwords are predictable and easy to crack.

The NFL Eagles Password Trend: A Closer Look

RoboForm’s research found that the Philadelphia Eagles top the list, followed by the Dallas Cowboys, Pittsburgh Steelers, and Oakland Raiders. Interestingly, the most popular teams in terms of fandom—like the Green Bay Packers—ranked lower in password usage, coming in seventh. This suggests that fan loyalty doesn’t always align with password popularity. However, the NFL Eagles password trend is a red flag for security experts.

Why Sports Teams Make Weak Passwords

Security consultant Tracy Maleeff from Sherpa Intelligence, a self-proclaimed Eagles fan, admitted that while she feels pride in seeing her team at number one, she recognizes the danger. “Then, I remember that I’m supposed to be an information security professional and know that I have a lot of awareness work to do here in the Philadelphia area,” she said. She recalled a past job where an assistant guessed her password by humming the Eagles fight song. This illustrates how easily attackers can exploit such predictable choices.

Lawrence Munro, senior director of SpiderLabs EMEA at Trustwave, echoed this concern. “Unfortunately it’s not at all surprising to find such easily identifiable password choices—we find most people pick a password based on how likely they are to remember it, rather than any consideration for security,” he said. He noted that attackers often scan social media for clues like favorite teams, making sports-related passwords particularly risky.

How Attackers Exploit Sports Team Passwords

Steve Manzuik, director of research at Duo Security, explained that in targeted attacks, adversaries gather information from public sources like social media and forums. “If password or security challenge questions are based off of any information you have shared, including your favorite team, it will be considered when attempting to guess or brute force the password,” he said. This means that using an NFL Eagles password or any team name is essentially handing attackers a key.

David Yates, information security consultant at MWR InfoSecurity, added that automated guessing tools make short work of common passwords. “A human being might get bored going through a list of the top 100 football players and trying different character substitutions, but a computer won’t,” he said. He recommends using random character strings or unusual sentences of at least 20 characters for true security.

Practical Steps to Improve Your Password Security

Given the risks, it’s time to rethink your password habits. Here are actionable tips to protect your accounts:

  • Use a password manager: Tools like RoboForm or 1Password generate and store complex passwords, so you don’t have to remember them.
  • Avoid personal information: Steer clear of names, birthdays, and especially sports teams. Even if you love the Eagles, don’t use them as a password.
  • Enable two-factor authentication: This adds an extra layer of security beyond just a password.
  • Create long, random passphrases: For example, “BlueHorseJumpsOverMoon2024!” is far stronger than “Eagles123”.
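
The experts quoted above note that guessing tools try team names with character substitutions, and the tips above say to avoid them. The following added example (not from the original article or from RoboForm) shows how a signup or password-change check could screen for that. The deny-list, the `context_words` parameter and the function names are assumptions made for illustration; the 20-character minimum follows the recommendation quoted earlier.

```python
import re

# Constructed deny-list: teams named in the article plus their cities.
# A real deployment would load a fuller list of teams, players and slogans.
TEAM_WORDS = {"eagles", "cowboys", "steelers", "raiders", "packers",
              "philadelphia", "dallas", "pittsburgh", "oakland", "greenbay"}

# Fold look-alike characters onto one letter. "i" is folded to "l" as well,
# so "1", "!" and "|" match either letter without trying every combination.
FOLD = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "$": "s",
                      "5": "s", "7": "t", "1": "l", "!": "l", "|": "l",
                      "i": "l"})

def normalize(text):
    """Lowercase, undo common substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))

def find_denied_words(password, context_words=()):
    """Return deny-listed words hidden in the password, sorted.

    context_words holds per-user terms (hypothetical input, e.g. a favorite
    team listed on a public profile) screened in addition to TEAM_WORDS.
    """
    folded = normalize(password)
    candidates = TEAM_WORDS | {w.lower() for w in context_words}
    hits = []
    for word in candidates:
        key = normalize(word)
        # Skip very short keys: they would match almost any password.
        if len(key) >= 4 and key in folded:
            hits.append(word)
    return sorted(hits)

def check_password(password, context_words=(), min_length=20):
    """Return a list of findings; an empty list means the password passes."""
    findings = ["contains predictable word: " + w
                for w in find_denied_words(password, context_words)]
    if len(password) < min_length:
        findings.append("shorter than %d characters" % min_length)
    return findings

if __name__ == "__main__":
    for sample in ("Eagles123", "E@gl3s!2024FlyEaglesFly",
                   "BlueHorseJumpsOverMoon2024!"):
        print(sample, "->", check_password(sample) or "ok")
```

The second sample is 23 characters long and still fails, which shows why length alone is not a sufficient check.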

The Bottom Line: Sports Fandom and Security Don’t Mix

While the Philadelphia Eagles may be champions on the password list, that’s not a title any fan should celebrate. The NFL Eagles password trend is a stark reminder that convenience often comes at the cost of security. As you gear up for the next big game, take a timeout to review your passwords. A few minutes of effort now can save you from a data breach later. For more tips on staying safe online, check out our guide on password security best practices or learn about common cybersecurity mistakes to avoid.

Come Fly with Me: Securing the Drone — Why Urban UAS Safety Matters Now

Drones are no longer just military toys or hobbyist gadgets. They are becoming an integral part of modern life, from Amazon’s ambitious delivery plans to city-wide surveillance and infrastructure inspections. But as these unmanned aircraft systems (UAS) fill our skies, a critical question emerges: are we prepared for the drone security risks that come with them? Without proper safeguards, the very technology designed to improve our lives could open the door to cyberattacks, privacy violations, and even physical danger.

Understanding the Drone Security Risks in Smart Cities

The Cloud Security Alliance (CSA), in partnership with the Securing Smart Cities initiative, recently released a report titled Establishing a Safe and Secure Municipal Drone Program. This document highlights a sobering reality: drone technology is advancing faster than the safety measures needed to protect it.

Brian Russell, co-author of the report and Chair of CSA’s IoT Working Group, notes that “drones will play an important and even critical role in the smart city environment.” Yet, the same connectivity that makes drones useful also makes them vulnerable. Hackers could gain control of a drone mid-flight, steal sensitive data, or cause crashes. Privacy concerns also loom large, as drones equipped with cameras can surveil public spaces without consent.

Key Challenges in Drone Cybersecurity

The report identifies several pressing challenges. First, the airspace where drones operate remains largely unregulated, with global guidelines still in their infancy. Second, drone manufacturers have historically neglected security during the development phase. Additionally, multiple integration points within a city-wide drone system—including cloud-based software—can serve as attack vectors. New, unproven algorithms for automated operations further complicate the picture.

Other issues include the anonymity of drone pilots, making it difficult to identify or locate operators, and the rapid proliferation of consumer drones that must share airspace with municipal fleets. As drones gain approval for Beyond Line of Sight (BLOS) operations, security engineers must plan now to counter future threats.

How to Secure a Municipal Drone Program

To address these drone security risks, the CSA report offers concrete recommendations. Cities should establish planning requirements that prioritize security from the outset. This includes integrated system design, acquisition security, and rigorous testing before deployment.

Mohamad Amin Hasbini, a board member of Securing Smart Cities, warns: “The mass adoption of drones by cities implies that thousands of programmable connected mobile devices will operate in the streets, above them, and below them. From a security perspective, this guarantees potential disasters if any system becomes compromised.” His message is clear: proactive measures are essential, not optional.

Best Practices for UAS Safety

For a successful municipal drone program, organizations must integrate security into every stage of the lifecycle. This means adopting methodical security practices during manufacturing, enforcing strict software programming standards, and ensuring ongoing monitoring and response capabilities. Governments and regulatory bodies also bear significant responsibility—they must set realistic yet strict guidelines that all stakeholders follow.

Building on this, cities can look to existing frameworks like those from the National Institute of Standards and Technology (NIST) for guidance. By learning from other sectors, such as the Internet of Things (IoT) and cloud computing, urban planners can avoid repeating past mistakes.

The Future of Drones in Urban Environments

Despite the risks, the potential of drones remains immense. They can conduct dull, dirty, or dangerous work—inspecting bridges, monitoring traffic, surveying wildlife, and supporting search and rescue missions. However, as the CSA report underscores, safety and security must keep pace with innovation.

Therefore, the path forward requires collaboration between manufacturers, regulators, and city officials. Software programming must be treated as a security priority from the development phase. At the same time, public awareness campaigns can help citizens understand both the benefits and the risks. As one expert put it, “Drones in the sky, drones in the sea, drones on land. But are we ready?”

In conclusion, the future of UAS could be extremely bright—but only if we address drone security risks head-on. By following the guidelines set forth by organizations like the CSA, we can ensure that drones serve as tools for progress, not vectors for chaos. So, as Sinatra sang, “Come fly with me”—but only when it’s secure. For more insights, check out our guide on smart city cybersecurity and IoT security best practices.

Ultrasonic Cross-Device Tracking: The Hidden Eavesdropper in Your Pocket

Imagine you are watching your favorite TV show. When the ads start, you glance at your phone. Suddenly, a pop-up appears for the same chocolate bar that was just on the screen. This is not coincidence—it is ultrasonic cross-device tracking at work. This technology uses high-frequency sounds, inaudible to humans, to link your television, smartphone, tablet, and computer. Advertisers then build detailed profiles about your behavior across devices. But the implications go far beyond targeted ads.

How Ultrasonic Cross-Device Tracking Works

Ultrasonic cross-device tracking (uXDT) embeds ultrasound signals into TV commercials, radio ads, or JavaScript code in online banners. These signals are picked up by the microphones on your other devices—provided a receiving app is installed. Sometimes users agree to this, often in exchange for rewards or incentives. However, many mobile apps listen for these sounds without explicit consent, and some even lack an opt-out option.

The process is seamless. A TV ad emits an ultrasonic beacon. Your smartphone, with a compatible app running, detects it. The app then reports back to the advertising platform, linking your TV viewing to your phone activity. This allows advertisers to measure ad effectiveness: Did you watch the full ad? Did you search for the product later? The goal is a unified profile of your multi-device habits.

Privacy and Security Risks of Ultrasonic Tracking

De-Anonymizing Tor Users

Security researchers at Black Hat EU and the 33rd Chaos Communication Congress demonstrated a serious vulnerability. They showed that uXDT can be used to de-anonymize Tor users. In the attack, described by researcher Vasilios Mavroudis and his team, a Tor user is tricked into visiting a page that emits ultrasound—either through an ad or via cross-site scripting. If the user’s phone or tablet is within range and has a listening app, the mobile device sends identifying details to the advertiser. A state actor could then subpoena that data, potentially revealing the user’s real IP address, geo-location, Android ID, or IMEI code.

This means that even with Tor’s privacy protections, your identity can leak through your phone. The attack exploits the very connectivity that makes uXDT attractive to marketers.

Data Collection Without Consent

Beyond Tor, the broader concern is unauthorized data collection. Many apps that listen for ultrasound do not clearly inform users. They may run in the background, constantly monitoring for beacons. This raises serious questions about consent and transparency. For more on how advertisers track you online, see our guide on digital privacy tips.

Who Uses Ultrasonic Cross-Device Tracking?

Major companies are investing in uXDT. Google, Nestle, and Domino’s have either funded or used providers like SilverPush and Signal360. These platforms offer advertisers the ability to link users across devices, creating more precise targeting. But the technology remains controversial, especially when used without clear user consent.

Advertisers argue that uXDT improves the user experience by showing relevant ads. Privacy advocates counter that it undermines anonymity and can be exploited for surveillance. The line between personalization and intrusion is thin.

How to Protect Yourself from Ultrasonic Tracking

What can you do to block ultrasonic cross-device tracking? Here are practical steps:

  • Check app permissions: Review which apps have access to your microphone. On Android and iOS, you can disable microphone access for apps that do not need it.
  • Use browser extensions: Mavroudis and his team developed a Chrome extension called SilverDog that filters out ultrasound from HTML5 audio. However, it does not block sounds from Flash, and it is not available for Firefox (which Tor Browser is based on).
  • Advocate for OS-level controls: The researchers propose a new Android permission that would require apps to explicitly request access to the ultrasound spectrum. This would give users more control.
  • Support standardized beacons: A standardized format for ultrasound advertising beacons, similar to Bluetooth, could make it easier to detect and block them. For more on securing your devices, read our article on mobile security best practices.

Turning off your microphone entirely is not practical for most phone users. But being selective about which apps can listen is a reasonable first step.
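
Detection is the other half of the defense. The following added example (not from the original article or from the researchers' tools) scans a captured audio clip for a narrowband carrier in the near-ultrasonic range using the Goertzel algorithm. The 18 to 20 kHz band, the 44.1 kHz sample rate, the threshold and the test clip are assumptions; the article does not give beacon frequencies.

```python
import math
import random

RATE = 44100                      # samples per second (assumed capture rate)
BAND = range(18000, 20001, 10)    # assumed beacon band in Hz, 10 Hz steps

def goertzel_amplitude(samples, rate, freq):
    """Estimate the amplitude of one frequency component (Goertzel)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / len(samples)

def scan(samples, rate=RATE, min_ratio=20.0):
    """Return (flagged, peak_hz, peak_amplitude) for the assumed band.

    A clip is flagged when one frequency stands min_ratio times above the
    median of the band, i.e. a steady tone rather than broadband noise.
    """
    amps = {f: goertzel_amplitude(samples, rate, f) for f in BAND}
    peak_hz = max(amps, key=amps.get)
    floor = sorted(amps.values())[len(amps) // 2]   # median as noise floor
    flagged = amps[peak_hz] > min_ratio * max(floor, 1e-9)
    return flagged, peak_hz, amps[peak_hz]

def constructed_clip(beacon_hz=None, seconds=0.1, rate=RATE, seed=1):
    """Constructed audio: two audible tones, faint noise, optional beacon."""
    rng = random.Random(seed)
    clip = []
    for n in range(round(seconds * rate)):
        t = n / rate
        x = 0.3 * math.sin(2 * math.pi * 440 * t)
        x += 0.2 * math.sin(2 * math.pi * 1000 * t)
        x += rng.gauss(0.0, 0.001)
        if beacon_hz:
            # Faint carrier: far quieter than the audible content.
            x += 0.02 * math.sin(2 * math.pi * beacon_hz * t)
        clip.append(x)
    return clip

if __name__ == "__main__":
    print("clean clip :", scan(constructed_clip()))
    print("with beacon:", scan(constructed_clip(beacon_hz=18500)))
```

A clip of 0.1 seconds gives 10 Hz resolution, which is why the band is probed in 10 Hz steps; a carrier that falls between two probes shows up at reduced amplitude in both neighbors.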

The Future of Cross-Device Tracking

Ultrasonic cross-device tracking is not going away. As advertisers seek ever more detailed profiles, the technology will evolve. However, increased awareness and regulatory pressure may force greater transparency. The European Union’s GDPR and similar laws require explicit consent for tracking. Yet enforcement remains inconsistent.

For now, the best defense is vigilance. Know that your devices can communicate through sounds you cannot hear. And before you reach for that chocolate bar, consider: Was it your choice, or an algorithm’s?

About the Author: This article was adapted from original reporting by Sharon Conheady, director of First Defence Information Security and a founding member of The Risk Avengers. For more on security awareness, visit our security awareness training page.

Why API Dependency, IoT Expansion, and GDPR Will Define Cybersecurity in 2017, According to (ISC)2

As the digital economy accelerates, 2017 is poised to be a pivotal year for cybersecurity. Experts from (ISC)2 highlight that increasing API dependency, the rapid growth of the Internet of Things (IoT), and the enforcement of GDPR will fundamentally reshape how businesses approach data protection. These forces are not just technological shifts—they are catalysts for a new era of accountability and risk management.

The Growing Risk of API Dependency in a Connected Economy

Application Programming Interfaces (APIs) have quietly become the backbone of modern digital interactions. They enable software and systems to communicate seamlessly, powering everything from mobile apps to smart home devices. However, this increasing API dependency also introduces significant vulnerabilities.

Consider Transport for London’s open API, which supports over 500 travel apps, or the Amazon Echo’s API that connects kettles to cars. While these innovations enhance convenience, they also create potential pathways for cyberattacks. A single weak API in an app store could compromise millions of smartphones. As a result, businesses must embed security into the design phase of every API-driven system.

IoT Expansion: New Threats and Shared Responsibilities

The Internet of Things (IoT) is expanding at an unprecedented rate. By 2020, there could be up to 20.8 billion connected devices, from traffic lights to medical implants. This growth, fueled by initiatives like the UK’s £40 million IoT investment and the EU’s €365 million Smart Cities funding, promises efficiency but also introduces complex security challenges.

In a connected world, a cyberattack on one sector—say, energy—can quickly cascade into others, such as transportation or healthcare. This interconnectedness demands cross-sector intelligence sharing. The cybersecurity profession must evolve from siloed competition to collaborative defense. As GDPR compliance looms, companies will be legally obligated to protect data across the entire supply chain, further driving this convergence.

GDPR Compliance: Shifting Accountability to the Boardroom

The General Data Protection Regulation (GDPR) represents a seismic shift in data privacy. With fines of up to 4% of global turnover, it gives regulators real enforcement power. Crucially, GDPR places responsibility squarely on corporate boards, not just IT departments.

Boards must now appoint data privacy officers and oversee privacy strategies. This change is already driving demand for cyber insurance and forcing businesses to integrate cybersecurity into risk management. As a result, 2017 will see cybersecurity earn a permanent seat in the boardroom.

How GDPR Affects Data Integrity

Beyond fines, GDPR aims to restore consumer trust. High-profile data breaches have made users wary of sharing personal information. Some are already falsifying details online, undermining the data-driven economy. GDPR’s transparency requirements will compel companies to disclose breaches, but this could further erode trust if not handled carefully. Businesses must prioritize data integrity to maintain the fuel of the digital economy.

3D Printing and the Industrial Supply Chain

Another emerging threat comes from 3D printing, which is transforming manufacturing. Printable files contain millions of lines of code, effectively creating a “data supply chain.” However, without universal cybersecurity standards, these files are vulnerable to sabotage.

Imagine a drone crashing because a hacker altered its propeller design during printing. Such scenarios are not far-fetched. The digitalization of manufacturing means that cybersecurity can no longer be an afterthought. Industry 4.0 demands built-in protections at the design stage to ensure product safety.

Cross-Sector Collaboration: The Future of Cybersecurity

As API dependency and IoT blur industry boundaries, cybersecurity professionals must adapt. The threat landscape is no longer confined to one sector—an attack on a smart city’s traffic system could disrupt emergency services. Therefore, intelligence sharing across energy, healthcare, and finance is essential.

GDPR will accelerate this trend by making every link in the data supply chain accountable. Companies are already calling for co-operation, and 2017 may herald a new era where cybersecurity thrives on partnership rather than competition. For more insights, explore our guide on cybersecurity strategies for 2017 and learn about GDPR compliance steps.

In conclusion, the convergence of API dependency, IoT proliferation, and GDPR enforcement will define 2017. Businesses that embrace proactive security, board-level accountability, and cross-sector collaboration will be best positioned to thrive in this new landscape.
