> mavlink_decode --source udp:14550 | grep HEARTBEAT_
Your drones carry your data, connect to your network, and fly beyond your perimeter. We test them the way an attacker would — across five domains, from radio link to firmware to corporate VLAN.
Commercial drones are deployed across every sector — construction surveying, infrastructure inspection, security patrol, marketing photography, and agricultural monitoring. They carry high-resolution cameras, LIDAR sensors, and GNSS receivers. They connect to corporate Wi-Fi. They sync data to internal servers. They store credentials, flight logs, and months of operational intelligence on an SD card accessible via anonymous FTP.
They are networked computing platforms that fly. And they are almost never assessed for security.
Hedgehog Security's Airspace Security practice is the UK's most comprehensive commercial UAV security assessment capability. We assess the full attack surface of drone operations — the aircraft, the controller, the radio link, the data workflow, and the corporate network integration — using methodologies developed through years of real-world engagements documented in our From the Hacker Desk research series.
We operate one of the UK's few commercial GPS spoofing assessment capabilities. Our team combines offensive security expertise with RF engineering, embedded systems analysis, and aviation regulatory knowledge. Five published research articles document real-world findings across five distinct attack domains — from command injection to firmware supply chain compromise.
A drone operation is not a single device — it is a system of interconnected components, each with its own threat model and failure modes. We assess all five.
| Domain | Techniques | Typical Findings |
|---|---|---|
| Aircraft Interfaces | Wi-Fi PSK analysis, service enumeration, FTP/HTTP/RTSP access, MAVLink interception, firmware version audit, CVE assessment | Default Wi-Fi credentials, anonymous FTP to SD card, unencrypted video streams, unauthenticated command acceptance, critical unpatched CVEs |
| Controller Firmware | Firmware extraction (network interception, UART, flash dump), static binary analysis, string extraction, credential discovery, update integrity testing | Hard-coded cloud credentials, unsigned firmware updates (MD5-only), UART debug backdoors, shared platform-wide MQTT tokens |
| RF & Signals | SDR-based RF characterisation, video downlink interception, MAVLink command injection (grounded/tethered), GPS spoofing (shielded, authorised) | Unencrypted video, unauthenticated C2 channels, GPS route displacement, altitude manipulation, geofence bypass |
| Data & Metadata | EXIF extraction across image corpus, flight log GPS analysis, cached credential recovery, video intelligence assessment, GDPR impact review | Site locations, client intelligence, identifiable individuals, cached corporate Wi-Fi PSKs, GDPR non-compliance, no data retention policy |
| Network Pivot | Device onboarding analysis, NAC assessment, VLAN assignment review, sync credential extraction, lateral movement from drone position | No device segmentation, plaintext domain credentials on device, overprivileged sync accounts, full corporate network access from unmanaged UAV |
Civilian GPS signals are unencrypted and unauthenticated. Any device that transmits a signal matching the GPS specification, at sufficient power, will be accepted by a civilian GPS receiver as a legitimate satellite. An autonomous patrol drone can be subtly redirected — and the security control room will see normal telemetry throughout.
We demonstrate three attack scenarios against autonomous navigation systems:
| Scenario | Method | Consequence |
|---|---|---|
| Route Displacement | Gradual positional offset in synthetic GPS signals shifts the drone's perceived position laterally from its actual position. | Drone patrols a parallel route offset from the perimeter fence. Camera covers ground that is not the perimeter. Unmonitored gap created. |
| Altitude Manipulation | Spoofed altitude reduction causes the flight controller to climb to compensate, increasing actual flight altitude. | Thermal detection range and image resolution degrade. Spotlight effectiveness reduced. Intruder identification capability diminished. |
| Geofence Evasion | Perceived position held inside the geofence boundary whilst actual position is displaced beyond it. | Drone displaced beyond its approved operating area without triggering geofence return. Aviation safety boundary defeated. |
GPS spoofing involves the transmission of radio signals on protected GNSS frequencies. In the United Kingdom, transmission on GNSS frequencies without authorisation is an offence under the Wireless Telegraphy Act 2006. All Hedgehog Security GPS spoofing assessments are conducted under specific regulatory exemptions, within shielded test environments that prevent signal leakage, and with a formal safety case. We do not conduct GPS spoofing in uncontrolled environments.
If your organisation operates drones — or if drones operate over your assets — airspace security is part of your attack surface.
Our Airspace Security practice is underpinned by published research from our From the Hacker Desk series — five articles documenting real-world drone security assessments across different industries, attack vectors, and methodologies.
| Article | Focus | Key Finding |
|---|---|---|
| Hijacking the Drone Above the Construction Site | Aircraft control systems — RF interception, MAVLink command injection, video downlink capture | Unauthenticated MAVLink accepted flight commands via Wi-Fi. Unencrypted video downlink viewable by anyone within radio range. |
| Turning a Corporate Drone into an Airborne Reconnaissance Platform | Passive data accumulation — GPS logs, EXIF metadata, cached credentials, video intelligence | 18 months of flight logs revealed 23 site locations including unannounced developments. Corporate Wi-Fi PSK cached in plaintext. |
| Exploiting GPS Spoofing Against a Security Patrol Drone | GNSS signal manipulation — route displacement, altitude manipulation, geofence evasion | Autonomous patrol route displaced 80m without detection. Security control room showed normal telemetry throughout. |
| Cracking the Drone Controller — When Firmware Becomes the Weak Link | Controller firmware — reverse engineering, hard-coded credentials, unsigned updates, cloud exposure | Hard-coded MQTT credentials provided access to real-time telemetry for all devices on the manufacturer's platform globally. |
| Drone-to-Network Pivot — Landing Inside the Firewall | Network integration — device onboarding, NAC bypass, credential extraction, domain compromise | Compromised drone connected to corporate Wi-Fi, extracted domain credentials from sync config, pivoted to domain administrator. |
Airspace security assessments operate under a dual regulatory framework — cybersecurity law and aviation law. Our methodology delivers thorough findings whilst maintaining strict compliance with both.
Detailed scoping workshop covering the drone fleet, operational context, network integration, and regulatory constraints. For RF and GPS assessments, we develop a formal safety case and obtain necessary regulatory authorisations. For firmware and data assessments, standard penetration testing authorisations apply.
All RF testing is conducted with aircraft grounded or tethered. GPS spoofing is performed within shielded environments only. No testing on aircraft in uncontrolled flight. No transmissions that could affect other airspace users. Safety is non-negotiable — our methodology delivers findings without creating hazards.
Deep assessment across all five domains — aircraft interfaces, controller firmware, RF environment, data accumulation, and network integration. We chain findings across domains to demonstrate complete attack paths, not isolated weaknesses.
Comprehensive report separating client-remediable findings from manufacturer-remediable findings. When findings affect the manufacturer's platform globally, we follow responsible disclosure — the manufacturer is notified with full details and a remediation window. Your report is delivered immediately.
Fix the issues within your control. When you're ready, we retest every client-remediable finding — included in the price — to verify closure. Manufacturer-remediable findings are tracked against the vendor's disclosure timeline.
Every airspace security engagement delivers actionable output designed for both your technical team and your board.
| Deliverable | Detail |
|---|---|
| Executive summary | Board-ready overview of risk posture, business impact, and strategic recommendations — written for non-technical stakeholders who need to understand the risk without the protocol-level detail. |
| Technical report | Detailed findings across all five assessment domains with evidence, risk ratings, MITRE ATT&CK for ICS mappings, and remediation recommendations. Client-remediable and manufacturer-remediable findings clearly separated. |
| Remediation roadmap | Phased remediation plan (immediate, short-term, strategic) with cost indications, responsible parties, and dependency mapping. Designed for direct incorporation into your risk treatment plan. |
| UAV security policy | Tailored policy template covering procurement, operation, data management, credential handling, network onboarding, and firmware maintenance — ready for adoption into your ISMS. |
| Face-to-face debrief | Walkthrough session with your technical, operations, and leadership teams. We explain each finding, demonstrate the attack paths, and help prioritise remediation. |
| Free retest | Once you've remediated, we retest every client-remediable finding at no additional cost and issue an updated report confirming closure. |
| Letter of assurance | Formal letter confirming the scope, dates, and outcome — suitable for clients, auditors, insurers, and regulators. |
Drone security assessments intersect multiple regulatory domains. Our team maintains awareness across all applicable legislation to ensure every engagement is conducted lawfully and findings are presented within the appropriate context.
| Regulation | Domain | Relevance |
|---|---|---|
| Computer Misuse Act 1990 | Cybersecurity | Authorisation required for all access to drone systems, controllers, and connected infrastructure. |
| Wireless Telegraphy Act 2006 | Radio frequency | Governs transmission on GNSS and other protected frequencies — GPS spoofing requires specific regulatory exemption. |
| Air Navigation Order 2016 | Aviation | Regulates unmanned aircraft operations — interference with aircraft is a specific offence. |
| Aviation Security Act 1982 | Aviation safety | Offences relating to endangering safety of aircraft — including unmanned aircraft. |
| Space Industry Act 2018 | Satellite navigation | Interference with satellite navigation services — applicable to GPS spoofing assessments. |
| UK GDPR / DPA 2018 | Data protection | Aerial imagery containing identifiable individuals or vehicles constitutes personal data — DPIA may be required for drone operations. |
No. All testing is conducted with aircraft grounded or tethered. RF assessments use SDR equipment to observe and characterise emissions. GPS spoofing is performed in shielded environments. Firmware and data assessments are bench-based. We never conduct testing on aircraft in uncontrolled flight.
Transmission on GNSS frequencies without authorisation is an offence under the Wireless Telegraphy Act 2006. We conduct GPS spoofing assessments only under specific regulatory exemptions, within shielded test environments that prevent signal leakage, and with a formal safety case. We handle the regulatory engagement as part of the engagement — you do not need to obtain authorisation yourself.
When findings affect the manufacturer's platform rather than your configuration alone — such as hard-coded credentials compiled into firmware — we follow responsible disclosure. The manufacturer is notified with full technical details and given a remediation window. You receive the findings immediately. Our report clearly separates what you can fix from what requires vendor action.
Yes — perhaps especially so. A marketing drone accumulates GPS logs, cached Wi-Fi credentials, and imagery containing identifiable individuals and security infrastructure over months of use. If the drone is lost, stolen, or accessed via its maintenance Wi-Fi, that data is exposed. We also assess GDPR compliance for aerial imagery — a regulatory obligation many organisations are unaware of.
It depends on scope. A focused data and firmware assessment of a single drone model takes 3–5 days. A comprehensive assessment covering all five domains — including RF characterisation and GPS spoofing — typically takes 10–15 days including regulatory preparation. We'll give you a clear timeline during scoping.
We assess drones from all major commercial manufacturers as well as custom-built and open-source platforms. Our methodology is platform-agnostic — we assess the interfaces, protocols, and data regardless of the vendor. If it has a Wi-Fi interface, a MAVLink implementation, or firmware that can be extracted, we can assess it.
Every engagement starts with a free, no-obligation scoping call. Tell us what flies, where it connects, and what it carries — and we'll tell you what an attacker would find.