Founded in 1994, Parrot has become a pioneer among companies specializing in drone technology. In 2010, they launched the world’s first ready-to-fly drone controlled via smartphone, helping to cement their role in the booming drone industry over the next decade. In recent years, Parrot’s primary focus has shifted to manufacturing commercial drones.

Businesses rely on Parrot drones for inspecting buildings, power lines, and solar panels among various other needs. Parrot drones can even be flown into the heart of a volcano, where their thermal sensors can help check conditions that would be unreachable by humans. In addition to offering products for business use, Parrot also sells drones to the military, law enforcement, and first responders. Parrot sold more than 4.5 million drones worldwide. In matters of life and death, Parrot drones serve as substitutes for when human involvement would be too costly. While a wildfire burns, search and rescue can deploy a drone to look for people as opposed to risking more human life. Firefighters can use Parrot drones to gauge the perimeter of an ongoing fire without putting themselves in harm’s way. Due to their use in very specific, highly sensitive situations, Parrot wanted to ensure their privacy guarantee about their drones, applications, and stored data was accurate and tested by security experts.

In addition to testing against their privacy policy, Parrot must meet certain criteria for regulatory compliance. Given Parrot’s wide European user base, ensuring GDPR compliance was crucial. Outside of Europe though, they needed to make sure they were in line with several other international regulations – including some from the most stringent military and government agencies, like the National Defense Authorization Act (NDAA compliance). In fact, Parrot was chosen as an official supplier in September 2020 by the Blue sUAS program by the United States Army and the Defense Innovation Unit (DIU). In 2019, Parrot was selected to produce next-generation short-range reconnaissance drones by the United States Department of Defense for the U.S. Army.

Securing the Freeflight 6 Application

Instead of reacting to a breach or a similar incident that left user data compromised, Parrot opted for a far more proactive approach. Parrot was familiar with Bishop Fox’s reputation in the offensive security sphere. They also were familiar with our research contributions in the greater security community.

“I wanted to choose a company with deep technical skills that clearly excelled at offensive security. I didn’t want to simply ‘check a box’ when it came to security. We really wanted to show our customers that our products are secure and can be trusted.”

— Victor Vuillard, Chief Security Officer and Chief Technology Officer at Parrot

Parrot sought out the services of Bishop Fox for a third-party assessment of their FreeFlight 6 mobile application, which they would share the results of publicly. By choosing to favor transparency in regard to customer privacy, Parrot could build further trust with their current users – and position themselves as an even stronger partner for enterprises and other organizations vetting drone vendors.

One flagship line of Parrot drones, ANAFI, are built specifically with photography and videography in mind. Parrot’s ANAFI drones’ corresponding mobile application is the FreeFlight 6. This application allows users to control their drone settings as well as access any data stored on their drone (like photos and videos) via their mobile device. Parrot guarantees the privacy of the FreeFlight 6 app to its customers via its official privacy policy – and they wanted to substantiate that customer guarantee with tangible proof.

“We wanted an expert’s external perspective to ensure we hadn’t missed anything when it came to protecting customer information.”

— Victor Vuillard, Chief Security Officer and Chief Technology Officer at Parrot

Thoroughly Assessing Parrot's Attack Surface

Bishop Fox conducted a privacy audit and security assessment of Parrot’s FreeFlight 6 mobile application for iOS and Android as well as their corresponding web API. In order to thoroughly evaluate the mobile application and web API, the Bishop Fox team needed to customize their testing to meet the requirements of Parrot’s request. Most importantly though, the Bishop Fox team needed to assess the accuracy of the Parrot privacy policy. The team’s testing specifically focused on the details included in the policy to ensure there was nothing about the FreeFlight 6 mobile application and web APIs that contradicted what was stated.

“We adjusted our testing so we could get that needed deep dive into the security of their environment.”

— Rob Ragan, Principal Researcher at Bishop Fox

The team decided to perform a source code review in addition to assessing the permissions requested by the FreeFlight 6 mobile app and monitoring for suspicious activity. Since Bishop Fox’s standard testing methodology wouldn’t be applicable to the points of Parrot’s request, the team adjusted accordingly to get a holistic view of the source code and overall environment.

Ultimately, the team verified that the FreeFlight 6 mobile application and web APIs were predominantly secure. No obfuscation techniques – and no hidden features – were detected in the app. No backtracing was detected, either. Additionally, back-end APIs performed the proper authorization checks on incoming requests. The APIs also used proper input sanitization techniques to prevent SQL injection attacks.

Furthermore, the Bishop Fox team confirmed that the app and APIs aligned with the promise they made in their privacy policy. The only data stored by the app – if the user granted their consent – was flight data. Parrot states that their applications and products are built to adhere to “privacy by design,” and our work with them confirmed this was accurate. The Bishop Fox team provided Parrot with both tactical and strategic recommendations to increase their security posture going forward so they can ensure that future features and updates don’t compromise their promise to customers.

Reaffirming Parrot's Commitment to Their Customers

Being transparent about security procedures and data use is becoming increasingly important, be it for obtaining compliances or building trust with a user base. Parrot has demonstrated their commitment to security as well as their commitment to the privacy of their customers. In a world where user data can be “up for grabs” to the highest bidder, Parrot has set themselves apart and proven their dedication to protecting users.

Following the engagement with Bishop Fox, Parrot published the report to their website, revealing the most intimate details of the assessment to the public. This move further attested to their commitment to customer privacy by embracing transparency.

“We can say – with demonstrable proof – that we have no hidden features, and that we are completely transparent. We know our customers trust us with incredibly sensitive information – in some cases, with life-or-death ramifications. We look forward to fostering that trust for years to come.”

— Victor Vuillard, Chief Security Officer and Chief Technology Officer at Parrot

About Parrot

Founded in 1994 by Henri Seydoux, Parrot is today the leading European group in the fast-growing industry of drones. Visionary, at the forefront of innovation, Parrot is a real ‘End to End’ drone group from hardware and software to services. Parrot, the world’s number 2 of the consumer drone market, designs drones known for their high performance and ease of use. It currently employs more than 500 employees worldwide and makes the majority of its sales outside of France. Parrot, headquartered in Paris, has been listed since 2006 on Euronext Paris (FR0004038263 - PARRO).