# Drone Cybersecurity
## Definition
Drone cybersecurity addresses the security of unmanned aerial vehicles (UAVs) from two distinct directions: protecting drones from exploitation by adversaries and protecting facilities, networks, and operations from drones used as threat vectors. The term "drone" encompasses a wide spectrum of platforms, from consumer quadcopters sold for under $300 to military-grade ISR (intelligence, surveillance, and reconnaissance) platforms costing tens of millions of dollars. The security considerations differ significantly across this spectrum, but the underlying attack surface categories are consistent.
UAVs have transitioned from a niche military capability to a ubiquitous commercial and consumer technology in roughly a decade. The Federal Aviation Administration (FAA) registered approximately 870,000 commercial and recreational drones in the United States as of 2023. Commercial applications include aerial photography, infrastructure inspection, agricultural monitoring, package delivery (Amazon Prime Air, Wing), and emergency response. This proliferation has created a security landscape where drones are simultaneously critical operational assets requiring protection and potential adversarial tools requiring countermeasures.
## How It Works
The attack surface of a UAV can be divided into five categories: the command and control link, the GPS receiver, the firmware and onboard computing systems, the data link (video and sensor transmission), and the ground station or mobile application used to operate the drone.
The command and control link is the radio frequency (RF) channel between the operator's controller and the drone. Consumer drones typically use 2.4 GHz or 5.8 GHz ISM band radio, often with proprietary protocols. These links can be jammed (flooding the frequency band with noise to disrupt control) or intercepted (capturing the link to analyze its protocol). If the protocol lacks encryption or authentication, an attacker with the right RF equipment can inject commands, potentially taking control of the drone. Link 16, the encrypted tactical datalink used on military UAS platforms, is not vulnerable to this kind of command injection because its traffic is encrypted and authenticated, but civilian drones rarely implement equivalent protections.
GPS spoofing involves broadcasting fabricated GPS signals stronger than the authentic satellite signal, causing the drone's GPS receiver to compute a false position. The drone, believing it is somewhere it is not, may fly toward the attacker's intended destination or trigger its built-in return-to-home function with false home coordinates. The 2011 capture of a U.S. RQ-170 Sentinel drone in Iran included claims of GPS spoofing, though the U.S. government disputed this account and the technical details remain classified. Regardless of that specific incident, GPS spoofing against commercial drones has been demonstrated repeatedly by researchers and is a practical threat for adversaries willing to invest in the required RF equipment.
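As an added illustration (not code from the original article), the consistency checks a flight controller or ground station can run on incoming GPS fixes to surface the symptom described above, a reported position that the receiver has been fed rather than measured: an implausible position jump between fixes, and disagreement between the GPS displacement and the displacement the inertial sensors measured over the same interval. The telemetry, the 25 m/s airframe limit and the 8 m divergence threshold are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass
class Fix:
    t: float        # seconds since takeoff
    lat: float      # degrees, as reported by the GPS receiver
    lon: float
    imu_dx: float   # metres moved east since the previous fix (inertial dead-reckoning)
    imu_dy: float   # metres moved north since the previous fix

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def check_fixes(fixes, max_speed_mps=25.0, max_divergence_m=8.0):
    """Return (index, reason) for each fix inconsistent with the previous one."""
    alerts = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        gps_dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
        # Check 1: the ground speed implied by two GPS fixes exceeds what the airframe can fly
        speed = gps_dist / (cur.t - prev.t)
        if speed > max_speed_mps:
            alerts.append((i, f"implied speed {speed:.0f} m/s exceeds airframe limit"))
            continue
        # Check 2: GPS displacement disagrees with the displacement the IMU measured
        imu_dist = math.hypot(cur.imu_dx, cur.imu_dy)
        if abs(gps_dist - imu_dist) > max_divergence_m:
            alerts.append((i, f"GPS moved {gps_dist:.1f} m but IMU measured {imu_dist:.1f} m"))
    return alerts

# Constructed telemetry: a drone flying north at ~11 m/s (0.0001 deg latitude per second).
# Fix 3 is a 222 m teleport (a crude spoof); at fix 5 the GPS reports no movement while the
# IMU still measures ~11 m of forward motion (a subtle spoof dragging the reported position).
SAMPLE_FIXES = [
    Fix(0.0, 37.4000, -122.0, 0.0, 0.0),
    Fix(1.0, 37.4001, -122.0, 0.0, 11.1),
    Fix(2.0, 37.4002, -122.0, 0.0, 11.1),
    Fix(3.0, 37.4022, -122.0, 0.0, 11.1),
    Fix(4.0, 37.4023, -122.0, 0.0, 11.1),
    Fix(5.0, 37.4023, -122.0, 0.0, 11.1),
    Fix(6.0, 37.4024, -122.0, 0.0, 11.1),
]
```

`check_fixes(SAMPLE_FIXES)` flags fixes 3 and 5; a real implementation would tune both thresholds to the airframe and the IMU's drift characteristics rather than use these constructed values.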
Firmware vulnerabilities in commercial UAVs can allow remote code execution on the drone's flight controller. Researchers have identified vulnerabilities in multiple commercial platforms including DJI, Parrot, and others, ranging from authentication bypass in companion applications to buffer overflows in the flight control software itself. Successful firmware exploitation can give an attacker persistent access to the drone's systems, including its camera feeds, GPS track log, and potentially the ability to issue flight commands.
The data link, used for transmitting video and sensor data from the drone to the operator, is a separate RF channel from the control link. Early commercial drones commonly transmitted unencrypted analog or digital video, meaning anyone with a compatible receiver in range could watch the drone's camera feed in real time. This has improved in newer platforms, but unencrypted data transmission remains a vulnerability in older deployed fleets and some lower-cost current-generation platforms.
DJI, which holds the largest global market share in commercial drones, has faced specific scrutiny. In 2017, the U.S. Army issued a directive banning the use of DJI products following a cyber vulnerability assessment. Concerns included unencrypted video transmission in some product lines and data sharing practices involving Chinese servers (DJI's mobile application used a WeChat-linked SDK that transmitted telemetry data back to servers in China). DJI subsequently launched a Government Edition firmware line with modified data handling for government customers and established a bug bounty program.
## Why It Matters
The security of drone platforms matters for three overlapping reasons: operational security for organizations using drones, physical security for facilities threatened by hostile drones, and public safety and regulatory accountability.
For organizations that operate drones, a compromised drone is a mobile surveillance and data exfiltration platform. An attacker who gains access to a drone's camera feed or GPS log obtains real-time or historical aerial imagery of the organization's operations, potentially exposing sensitive facilities, personnel locations, and physical security configurations. For critical infrastructure operators using drones for pipeline or transmission line inspection, the data these drones collect (high-resolution imagery of critical assets, flight logs revealing inspection schedules and access points) is itself a target.
For facilities and events, hostile drones are an evolving physical threat. Drones have been used for surveillance of facilities, to smuggle contraband into correctional facilities, to disrupt airport operations (Gatwick Airport 2018 disruption, causing approximately 1,000 flight cancellations), and in multiple attempted or successful kinetic attacks against military and infrastructure targets internationally. The security community now treats hostile drone activity as a physical security problem that requires technical countermeasures integrated with access control and perimeter security.
The regulatory dimension matters because accountability for drone operations depends on identification. The FAA's Remote ID rule, which took effect for most commercial operators in 2023, requires drones to broadcast identification and location information in flight. This creates an accountability mechanism and enables ground-based detection systems to identify the operator of a given drone. Remote ID also creates a monitoring surface: organizations that deploy RF detection infrastructure can passively monitor drone activity in and around their facilities.
## Technical Details
Counter-UAS (C-UAS) technology addresses the detection and neutralization of unauthorized drones. Detection methods include RF monitoring (scanning for drone control frequencies and identifying known drone communication signatures), radar (small radar systems designed for low-altitude, slow-moving target detection), optical and infrared cameras (visual or thermal detection), and acoustic sensors (listening for the characteristic rotor sound signatures of common drone platforms). No single detection technology is reliable across all conditions; mature C-UAS programs use sensor fusion, combining multiple detection methods with correlation logic.
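An added example, not part of the original article, of the correlation logic a sensor-fusion layer applies to the detection methods listed above: hits from RF, radar and acoustic sensors that agree in time and bearing are merged into one candidate track, and the track's confidence is the number of distinct sensor types corroborating it. The detections, the 5 s window and the 10 degree bearing tolerance are constructed assumptions; the detail strings stand in for whatever each sensor's classifier reports.

```python
# Constructed detections: (timestamp_s, sensor, bearing_deg, detail). Nothing here is a real
# drone signature; the strings stand in for whatever each sensor's classifier reports.
SAMPLE_DETECTIONS = [
    (100.0, "rf", 42.0, "2.4 GHz hopping pattern matching a known controller profile"),
    (101.5, "radar", 45.0, "slow mover, ~60 m AGL, low radar cross-section"),
    (103.0, "acoustic", 40.0, "multirotor harmonic signature"),
    (250.0, "rf", 310.0, "2.4 GHz hopping pattern matching a known controller profile"),
    (400.0, "radar", 180.0, "slow mover, ~40 m AGL"),
    (401.0, "radar", 182.0, "slow mover, ~40 m AGL"),
]

def bearing_diff(a, b):
    """Smallest angle in degrees between two compass bearings."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def fuse(detections, time_window_s=5.0, bearing_tol_deg=10.0):
    """Group detections that agree in time and bearing into candidate tracks.

    A detection joins an existing track if it arrives within time_window_s of the
    track's last hit and within bearing_tol_deg of its bearing; otherwise it opens a
    new track. Each track records which sensor types have contributed."""
    tracks = []
    for t, sensor, bearing, detail in sorted(detections):
        for track in tracks:
            if (t - track["last"] <= time_window_s
                    and bearing_diff(bearing, track["bearing"]) <= bearing_tol_deg):
                track["last"] = t
                track["sensors"].add(sensor)
                track["hits"].append((t, sensor, detail))
                break
        else:
            tracks.append({"first": t, "last": t, "bearing": bearing,
                           "sensors": {sensor}, "hits": [(t, sensor, detail)]})
    return tracks

def corroborated(tracks, min_sensor_types=2):
    """Tracks confirmed by at least min_sensor_types independent sensor modalities.

    Repeated hits from the same sensor add history but not corroboration: one radar
    seeing the same slow mover twice is still a single-modality observation."""
    return [tr for tr in tracks if len(tr["sensors"]) >= min_sensor_types]
```

On the constructed input only the first cluster (RF, radar and acoustic within 3 s and 5 degrees of each other) is corroborated; the lone RF hit and the repeated radar hits stay as low-confidence tracks for an analyst rather than triggering a response.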
Neutralization methods are more legally constrained than detection. Jamming a drone's control link is effective but constitutes unauthorized use of a radio transmitter in most jurisdictions, requiring specific federal authorization (18 USC 32 and FCC regulations generally prohibit unauthorized jamming). Similarly, taking control of a drone via RF or cyber means requires legal authority. In the United States, only specific federal agencies (DoD, DHS, DOJ, FAA) have statutory authority under 10 USC 130i and 6 USC 124n to use active C-UAS measures. State and local law enforcement and private entities face significant legal constraints. Physical neutralization methods (net-launching systems, trained raptors such as the brief Dutch Police eagle program) are legally available to more actors but have operational limitations.
Military drone security layers additional protections on top of those found in civilian platforms. GPS anti-spoofing is built into military receivers: M-code GPS in newer U.S. military systems provides authenticated positioning signals that are significantly harder to spoof. Encrypted datalinks for command and control are standard. Mission planning for military UAS includes degraded-mode programming: if the control link is jammed or severed, the platform executes pre-programmed contingency logic rather than simply crashing or hovering.
From a firmware perspective, secure boot implementation on drone platforms (verifying the integrity and authenticity of firmware before execution) is a critical control that limits the impact of firmware vulnerabilities. Most consumer platforms do not implement secure boot; enterprise and government-oriented platforms increasingly do.
## CDA Perspective
Within the SPH domain, CDA's Autonomous Posture Command (APC) methodology treats drone threats as a physical security posture concern integrated with digital controls. APC posture assessments for facilities include evaluation of airspace monitoring capability, RF environment baseline establishment, and the organization's current ability to detect and characterize drone activity in its vicinity. Organizations with sensitive operations, data centers, headquarters campuses, or manufacturing facilities should have documented policies and technical controls addressing unauthorized drone activity.
Within the VSD domain, Continuous Surface Reduction (CSR) applies to the drone platform itself for organizations that operate UAV fleets. The attack surface of a drone operator includes the fleet management software, the controller devices (tablets or dedicated controllers), the mobile applications, and the back-end systems receiving drone data. Each of these components represents an attack surface that must be inventoried, assessed, and managed. Organizations procuring drones for operational use should include cybersecurity requirements in vendor selection criteria, favoring platforms with encrypted communications, secure boot, documented vulnerability disclosure programs, and clear data handling policies.
CDA recommends that organizations planning to use commercial drones for sensitive operations (infrastructure inspection, site security, government contracting) procure only platforms with documented Government Edition or equivalent security certifications, establish data handling policies for drone-collected imagery and telemetry, and include drone infrastructure in their vulnerability management program.
## Key Takeaways
- Drones present a dual security problem: they are attack surfaces with exploitable vulnerabilities and emerging physical threat vectors deployable by adversaries.
- The primary drone attack surfaces are the RF command and control link (subject to jamming and injection), GPS receivers (vulnerable to spoofing), firmware (subject to remote exploitation), and data links (subject to interception if unencrypted).
- DJI's 2017 U.S. Army ban illustrates the supply chain and data sovereignty risks specific to commercial drone platforms with ties to foreign governments.
- The FAA Remote ID rule (2023) creates accountability infrastructure for drone operations, enabling ground-based monitoring and operator identification.
- Counter-UAS detection is legally available to most organizations; active neutralization methods are significantly restricted and require specific federal authorization for most actors in the United States.
- CDA's APC (SPH) and CSR (VSD) methodologies both apply: APC for organizational physical posture including airspace monitoring, CSR for managing the attack surface of operated drone fleets.
## Sources
- Federal Aviation Administration. (2023). UAS Remote Identification. faa.gov/uas/getting_started/remote_id.
- U.S. Army. (2017). Army Directive: Use of DJI Products. Army Research Laboratory memorandum.
- Hartmann, K., & Steup, C. (2013). "The Vulnerability of UAVs to Cyber Attacks." 5th International Conference on Cyber Conflict (CyCon). NATO CCDCOE.
- Rodday, N.M. (2016). "Hacking a Professional Drone." Black Hat Asia 2016.
- CISA. (2021). Cybersecurity Best Practices for Operating Commercial Unmanned Aircraft Systems. cisa.gov.
- GAO. (2020). Counter-Unmanned Aircraft Systems: Current Situation and Considerations for Congress. GAO-21-110SP.
- Shepard, D., et al. (2012). "Evaluation of Smart Grid and Civilian UAV Vulnerability to GPS Spoofing Attacks." ION GNSS 2012.
- Gatwick Airport Drone Incident Review. (2019). UK Civil Aviation Authority.