At Aloft, we take great pride in the security of our products and organization. In partnership with Anzu Robotics, we’ve released Air Control for the Raptor. This product has been built over the last twelve months to safeguard your data and enable secure flight. We engaged White Knight Labs, a renowned third-party cybersecurity firm, to conduct a comprehensive penetration test to ensure that the Anzu Raptor meets the highest security standards. As the old saying goes, “With great power comes great responsibility,” so we also wanted to ensure that customer data was always encrypted and communicated only to Aloft servers.
In building and designing the Raptor flight experience, we wanted to bring forward the best elements of the hardware and firmware provided in the licensed technology while creating a fundamentally better and more empowered flight experience. For example, we removed the geofencing so there is no spurious geofencing or blocking of your flights with Raptor drones.
White Knight Labs tested and validated these core data elements in their analysis. With the default setup with Aloft running out of the box, your data is secure and remains only in the Aloft Air Control platform.
What is Static and Dynamic Analysis of Traffic?
White Knight Labs utilized static and dynamic analysis methodologies to assess the security of the Anzu Raptor and Air Control application. These methodologies involve examining the system’s code and behavior in a controlled environment to identify vulnerabilities or weaknesses.
Static Analysis involves reviewing the source code, configuration files, and system architecture without executing the code. By meticulously analyzing the static components of the Anzu Raptor, White Knight Labs can identify any potential security flaws in the design and implementation stages.
Dynamic Analysis involves observing the system in operation, analyzing the data traffic, and monitoring the drone’s behavior in real-time. By executing the system in a live environment, White Knight Labs can identify vulnerabilities that only become apparent during actual use. Specifically, we wanted to test the entire lifecycle of the Raptor, from initial registration to takeoff, landing, photos, and flight logs.
The White Knight Labs Assessment
White Knight Labs is highly regarded in the cybersecurity industry for its expertise in static and dynamic traffic analysis. Their team of seasoned professionals employed modern information security tools and techniques to scrutinize the data flowing from the Anzu Raptor and its communication with the Aloft Air Control application and servers.
1. Data Transmission Targets: One of the primary concerns for this technology is the security/destination of data transmission. White Knight Labs meticulously analyzed the data flow from the Anzu Raptor and confirmed that all data was exclusively being sent to Aloft servers. This verification ensures that no sensitive information was observed being leaked or intercepted by unauthorized parties.
2. References to Chinese Domains: During their assessment, White Knight Labs identified several references to Chinese domains within the system, although no data was flowing to them. Aloft promptly remediated these findings by removing the references, further enhancing the security of our platform. This proactive measure underscores our dedication to maintaining a secure and trustworthy product.
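The distinction between the two findings above (a domain that is only referenced in the application versus a domain that actually receives data) can be checked by comparing a static string scan with a traffic capture. The following is an added example, not code from Aloft or White Knight Labs; the hostnames, file names and the four-column capture format are constructed assumptions.

```python
import re

# Static pass pattern. It over-matches dotted tokens such as file names,
# so hits are candidates for manual triage, not findings.
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)

# Constructed sample data (assumptions): hosts, file names, capture format.
ALLOWED = ["aloft.example"]
FILES = {
    "config.json": '{"base_url": "https://api.aloft.example/v1"}',
    "libsdk.strings": "https://stats.vendor.example/upload\nhttps://api.aloft.example/v1/logs",
}
CAPTURE = [
    "2024-01-01T10:00:00Z tls api.aloft.example 5120",
    "2024-01-01T10:00:05Z tls media.aloft.example 20480",
    "2024-01-01T10:00:09Z dns",  # malformed row, ignored
]

def in_scope(host, suffixes):
    """True if host equals, or is a subdomain of, an allowed suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def static_references(files):
    """Static pass: hostname -> sorted names of files that mention it."""
    refs = {}
    for name, text in files.items():
        for host in HOST_RE.findall(text):
            refs.setdefault(host.lower(), set()).add(name)
    return {h: sorted(names) for h, names in refs.items()}

def observed_hosts(lines):
    """Dynamic pass: hostname -> bytes sent, from 'time proto host bytes' rows."""
    sent = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            host = parts[2].lower()
            sent[host] = sent.get(host, 0) + int(parts[3])
    return sent

def assess(files, lines, allowed):
    """Separate 'data left the allowlist' from 'reference only, no traffic'."""
    refs, sent = static_references(files), observed_hosts(lines)
    return {
        "contacted_outside_allowlist": sorted(h for h in sent if not in_scope(h, allowed)),
        "referenced_not_contacted": sorted(
            h for h in refs if not in_scope(h, allowed) and h not in sent),
    }
```

Calling `assess(FILES, CAPTURE, ALLOWED)` on the sample data reports no out-of-allowlist traffic and one reference-only host, which is the situation finding 2 describes.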
The Importance of Third-Party Attestation
Engaging a reputable third party like White Knight Labs provides an additional layer of assurance for our customers. Their thorough and unbiased evaluation of the Anzu Raptor validates our commitment to data security. By remediating findings and ensuring that all data is securely transmitted to encrypted Aloft servers, we have reinforced the integrity and reliability of the Raptor+Aloft platform. We believe that security needs transparency, and bringing in outside parties for analysis is the best way to have confidence in our platform.
While Aloft undergoes annual SOC 2 Type II and ISO 27001 security certifications, along with FAA audits as an approved UAS Service Supplier for LAANC, we also regularly undergo third-party analyses and penetration tests. Working with providers like White Knight Labs will continue to be a core part of our process for our airspace, UTM, fleet management, and hardware integrations.
Conclusion
The successful penetration test conducted by White Knight Labs is a significant milestone for the Anzu Raptor. It demonstrates our unwavering commitment to delivering a secure and reliable product. At Aloft, we understand the importance of trust and security in today’s digital landscape. By partnering with leading cybersecurity experts and continuously improving our security measures, we aim to provide our customers with peace of mind, knowing that their data is going exactly where they intend it to.
Our vigilance does not stop with this report. As with anything in security, it’s an iterative and ongoing process. We will continue to improve the platform’s posture in the coming weeks, months, and years. For any firmware updates or product expansions with Anzu, we’ll be conducting similar and ongoing analyses to ensure that your data remains secure, encrypted, and only on US-based Aloft servers at all times.
If you would like a copy of the attestation letter or would like to discuss the Anzu+Aloft product in more detail, please email infosec@aloft.ai.
Joshua Ziering
Joshua is the Founder and Chief Security Officer of Aloft (formerly Kittyhawk), the market leader in drone airspace systems & UTM technologies. He is also a Part 61 certificated private pilot, a founding member of the FAA's Drone Safety Team, and an FAA Part 107 certificate holder.