- Flight Controller: Main processing unit managing flight operations
- Communication Systems: RF controls, Wi-Fi, Bluetooth, cellular (4G/5G)
- Sensors: GPS, IMU, cameras, ultrasonic sensors, barometer
- Hardware: Motors, ESCs, battery management system, physical ports
- Ground Control Station (GCS): Remote controller, mobile app, base station
- Cloud Services: Telemetry storage, flight logs, firmware updates
- Data Storage: Onboard storage, SD cards, encrypted memory
- Primary Control: 2.4GHz/5.8GHz RF link
- Telemetry: MAVLink protocol over various transports
- Video Feed: Analog/digital video transmission
- Command & Control: Wi-Fi, cellular, satellite communications
- Firmware Updates: USB, OTA updates
[Public Internet]
|
+---------+---------+
| |
[Cloud Backend] [Firmware Server]
| |
+-----------+-----------+ |
| | |
[Ground Station] [Drone]------+
(Controller) |
| |
+--- RF/WiFi --------+
Commands
[Ground Control Station]
|
RF Commands
|
v
+----------------[Flight Controller]----------------+
| | | |
| Sensor Data Control Logs
| | | |
v v v v
[GPS Module] [IMU/Sensors] [Motors/ESCs] [Storage]
| | | |
+--------------------+--------+---------------------+
|
[Telemetry]
|
[Cloud Services]
Lens 1 - Context & Lifecycle
- Firmware authenticity during updates
- Boot process integrity
- Debug port access (JTAG/UART)
Lens 2 - Trust Relationships
- Trust between flight controller and sensors
- Authentication of ground station commands
- Firmware signing verification
Lens 3 - Adversary Goals
- Take control of drone flight
- Install malicious firmware
- Impersonate legitimate ground station
Lens 4 - Verification & Recovery
- Secure boot implementation
- Firmware signature verification
- Hardware-based attestation
Threat Scenarios:
- SPOOF-FC-01: Attacker uploads unsigned firmware via exposed debug ports
- SPOOF-FC-02: Man-in-the-middle attack on firmware update process
- SPOOF-FC-03: Rogue ground station sends unauthorized commands
Lens 1 - Data Sensitivity
- Flight parameters and PID settings
- Waypoint data
- Return-to-home coordinates
Lens 2 - Change Paths
- Parameter modification via MAVLink
- Direct memory manipulation
- Configuration file tampering
Lens 3 - Adversary Benefits
- Cause controlled crash
- Redirect drone to attacker location
- Disable safety features
Lens 4 - Integrity Checks
- Parameter validation
- Checksum verification
- Secure storage implementation
Threat Scenarios:
- TAMP-FC-01: Modify GPS home location to hijack drone
- TAMP-FC-02: Alter flight ceiling limits to exceed regulations
- TAMP-FC-03: Tamper with battery voltage readings
Threat Scenarios:
- SPOOF-COMM-01: GPS spoofing to misguide drone navigation
- SPOOF-COMM-02: Wi-Fi evil twin attack to intercept control
- SPOOF-COMM-03: RF replay attacks on control signals
Threat Scenarios:
- TAMP-COMM-01: Modify MAVLink messages in transit
- TAMP-COMM-02: Inject false telemetry data
- TAMP-COMM-03: Alter video feed data
Threat Scenarios:
- INFO-COMM-01: Sniff unencrypted telemetry data
- INFO-COMM-02: Capture video feed transmission
- INFO-COMM-03: Extract flight paths and operational patterns
Threat Scenarios:
- DOS-COMM-01: RF jamming attacks on control frequencies
- DOS-COMM-02: Wi-Fi deauthentication attacks
- DOS-COMM-03: GPS jamming to trigger failsafe
Threat Scenarios:
- SPOOF-SENS-01: Laser/light attacks on optical sensors
- SPOOF-SENS-02: Ultrasonic interference on proximity sensors
- SPOOF-SENS-03: Magnetic field manipulation for compass
Threat Scenarios:
- TAMP-SENS-01: Physical manipulation of sensor mounting
- TAMP-SENS-02: Calibration data corruption
- TAMP-SENS-03: Sensor fusion algorithm manipulation
Threat Scenarios:
- PHYS-01: Extract encryption keys from unprotected memory
- PHYS-02: Install hardware implants on PCB
- PHYS-03: Side-channel attacks on crypto operations
- PHYS-04: Fault injection attacks on processors
| Protocol | Port/Frequency | Attack Vector | STRIDE Category |
|---|---|---|---|
| Wi-Fi | 2.4/5GHz | Deauth, Evil Twin | S, D |
| RF Control | 2.4GHz | Jamming, Replay | S, D |
| MAVLink | UDP 14550 | Injection, Sniffing | S, T, I |
| Video Feed | 5.8GHz | Interception | I |
| GPS | L1/L2 | Spoofing, Jamming | S, D |
| Cellular | 4G/5G | IMSI Catcher | S, I |
| Component | Interface | Attack Vector | STRIDE Category |
|---|---|---|---|
| Flash Memory | SPI | Firmware extraction | I |
| Debug Ports | JTAG/UART | Command injection | S, T, E |
| SD Card | SDIO | Data extraction | I |
| USB Port | USB 2.0 | Malicious firmware | S, T |
| I2C Bus | I2C | Sensor manipulation | S, T |
-
Component Identification
- Map all hardware components
- Identify communication protocols
- Document firmware versions
-
Network Mapping
- Scan for open ports
- Capture network traffic
- Identify encryption usage
Tools: HackRF, RTL-SDR, GNU Radio
- Spectrum analysis
- Signal replay attacks
- Jamming effectiveness
- Protocol reverse engineering
Tools: Aircrack-ng, Kismet, Custom scripts
- WPA/WPA2 attacks
- Deauthentication floods
- Evil twin scenarios
- MAVLink injection
Tools: Logic analyzers, JTAG debuggers, ChipWhisperer
- Firmware extraction
- Debug port exploitation
- Glitch attacks
- Side-channel analysis
-
Custom Exploits
- Protocol-specific fuzzers
- Hardware glitch tools
- RF signal generators
-
Attack Chains
- Multi-stage attacks
- Persistence mechanisms
- Data exfiltration paths
| Threat ID | Description | Impact | Likelihood | Risk Level | Mitigation Priority |
|---|---|---|---|---|---|
| SPOOF-FC-01 | Firmware tampering | High | Medium | High | Immediate |
| DOS-COMM-01 | RF jamming | High | High | Critical | Immediate |
| INFO-COMM-01 | Telemetry sniffing | Medium | High | High | High |
| SPOOF-COMM-01 | GPS spoofing | High | Medium | High | High |
| TAMP-FC-01 | Home location modification | High | Low | Medium | Medium |
-
Secure Boot Implementation
- Cryptographic verification of firmware
- Hardware root of trust
- Anti-rollback protection
-
Communication Encryption
- End-to-end encryption for all channels
- Perfect forward secrecy
- Certificate pinning
-
Physical Security
- Tamper-evident enclosures
- Secure element integration
- Memory encryption
-
Anomaly Detection
- Behavioral analysis
- Sensor fusion validation
- Command pattern recognition
-
Fail-Safe Mechanisms
- Autonomous return on signal loss
- Geofencing enforcement
- Emergency landing protocols
- Firmware integrity verification
- Communication channel encryption status
- GPS signal authenticity
- Sensor calibration validation
- RF spectrum analysis
- Wi-Fi vulnerability scanning
- MAVLink fuzzing
- Hardware interface probing
- GPS spoofing tests
- Video feed interception
- Battery management attacks
- Sensor manipulation tests
- Log collection and analysis
- Vulnerability documentation
- Exploit proof-of-concept
- Risk scoring
- Mitigation recommendations
-
Security Assessment Report
- Executive summary
- Technical findings
- Risk ratings
- Remediation roadmap
-
Proof-of-Concept Code
- Exploit demonstrations
- Testing tools
- Automation scripts
-
Threat Model Updates
- New attack vectors
- Emerging threats
- Mitigation effectiveness