Fjärrstridsgrupp Alfa
EDITION 2026-Q2 ACTIVE
UNCLASSIFIED
FSG-A // DOCTRINE // SECURITY

FIRMWARE HARDENING

Author: Tiny
KEY TAKEAWAY
A factory-default ArduPilot installation accepts commands from anyone — no authentication, no encryption, no boundary enforcement. An adversary with a €25 RTL-SDR can intercept MAVLink packets, understand the format (it is an open protocol), and send a DISARM command that grounds your drone. Firmware hardening closes these doors: MAVLink signing (SHA-256 key authentication), unused port disabling, geofence enforcement, and advanced failsafe. Ten parameters. Fifteen minutes per drone. One-time setup that protects every subsequent flight.

The Threat — Command Injection

The MAVLink protocol is open source. The packet format is published. Any competent adversary can build a MAVLink transmitter from an SDR and a laptop. Without signing, the autopilot cannot distinguish between a command from the legitimate operator and a command from the enemy. The most damaging attack is not crashing the drone — it is sending a silent RTL (Return To Launch) command. The drone obediently flies to the coordinates the enemy has set as the "home" position. The operator sees the drone leave and cannot stop it because the enemy's RTL command overrides the operator's inputs.

MAVLink signing prevents this: every command includes a SHA-256 hash computed with a 32-byte secret key. The autopilot verifies the hash before executing any command. Without the correct key, the command is silently discarded. The enemy sees the drone but cannot control it. Key generation: openssl rand -hex 32 produces a 256-bit random key. Load via USB at first connection. The key exists only in the operator's USB drive and the drone's volatile memory — it is never stored in persistent flash.
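The receiver-side check described above, written out per the MAVLink 2 signing scheme (an added example, not code from this page or from ArduPilot): the 6-byte signature is the first 48 bits of SHA-256 over the secret key, the frame through its CRC, the link ID and a 48-bit timestamp, and a timestamp that does not advance on the same stream is treated as a replay. The sample frame, the key used with it and all function names are constructed for illustration; the CRC bytes are placeholders and are not validated here.

```python
import hashlib
import hmac

SIGNED_FLAG = 0x01   # incompat_flags bit marking a signed MAVLink 2 frame
HEADER_LEN = 10      # magic, len, incompat, compat, seq, sysid, compid, msgid (3 bytes)
SIG_BLOCK = 13       # link ID (1) + timestamp (6) + signature (6)


def constructed_frame(seq: int, payload: bytes = bytes(9)) -> bytes:
    """Constructed sample frame: msgid 0, sysid 255, compid 190, placeholder CRC."""
    header = bytes([0xFD, len(payload), SIGNED_FLAG, 0, seq, 255, 190, 0, 0, 0])
    return header + payload + b"\x00\x00"


def sign_frame(key: bytes, frame: bytes, link_id: int, timestamp: int) -> bytes:
    """Append link ID, 48-bit timestamp and the first 48 bits of SHA-256."""
    tail = bytes([link_id]) + timestamp.to_bytes(6, "little")
    return frame + tail + hashlib.sha256(key + frame + tail).digest()[:6]


class SigningVerifier:
    """Receiver side: authenticate each frame and reject replays per stream."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_ts = {}  # (sysid, compid, link_id) -> newest accepted timestamp

    def accept(self, packet: bytes) -> bool:
        if len(packet) < HEADER_LEN + 2 + SIG_BLOCK or packet[0] != 0xFD:
            return False
        body_len = HEADER_LEN + packet[1] + 2
        if not packet[2] & SIGNED_FLAG or len(packet) != body_len + SIG_BLOCK:
            return False  # unsigned or malformed: discard silently
        frame, tail, sig = packet[:body_len], packet[body_len:body_len + 7], packet[body_len + 7:]
        expected = hashlib.sha256(self.key + frame + tail).digest()[:6]
        if not hmac.compare_digest(sig, expected):
            return False  # wrong key or modified bytes
        stream = (packet[5], packet[6], tail[0])
        timestamp = int.from_bytes(tail[1:], "little")
        if timestamp <= self.last_ts.get(stream, -1):
            return False  # replayed or stale frame
        self.last_ts[stream] = timestamp
        return True
```

A frame signed with the right key is accepted once; the same bytes sent again, a frame signed with a different key, and a frame altered after signing are all dropped.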

Hardening Parameter Set

BRD_SERIAL_SIGNING=1: enables MAVLink signing on all serial ports. Every inbound MAVLink command must carry a valid HMAC signature. Unsigned commands are discarded without response — the attacker receives no indication that their commands are being rejected. This is the single most important hardening parameter.

FS_THR_ENABLE=1: activates throttle failsafe. If the radio link is lost for more than FS_THR_VALUE seconds, the drone executes FS_LONG_ACTN (default: RTL at 150m AGL). This prevents flyaway — a drone that loses link without failsafe continues its last command indefinitely until the battery dies, potentially landing in enemy territory with intact electronics and encryption keys.

GEO_FENCE_ENABLE=1 with GEO_FENCE_TYPE=7 (altitude plus circular plus polygon): creates a virtual boundary. If the drone crosses the fence — whether through pilot error, wind, or command injection — it automatically returns to the launch point. GEO_FENCE_ALT_MAX=300 prevents the drone from climbing above 300m AGL where it becomes visible to radar and SAM systems.

AFS_ENABLE=1: Advanced Failsafe. Provides additional termination logic for catastrophic failures — if all navigation sources fail, if the autopilot detects hardware malfunction, if multiple failsafe conditions trigger simultaneously. AFS_TERM_ACTION=42 triggers controlled flight termination: motors cut, drone falls predictably. This prevents an uncontrolled drone from flying into friendly positions.

SERIAL3_PROTOCOL=-1, SERIAL4_PROTOCOL=-1, SERIAL5_PROTOCOL=-1: disables all unused serial ports. Each open serial port is an attack surface — an adversary who gains physical access to the drone can connect to an unused UART and inject commands bypassing radio-layer encryption. Closing unused ports eliminates this vector.

What Hardening Does Not Protect Against

Physical capture: if the drone lands in enemy territory, the enemy has the hardware. Hardening does not protect against physical disassembly — the captured drone protocol (keys in RAM, LUKS-encrypted SD, no persistent secrets) handles this separately.

Barrage jamming: hardening secures the command channel but cannot overcome a jammer that blocks all radio frequencies — FHSS and CRPA address jamming.

Kinetic destruction: no firmware parameter protects against a bullet or a SAM.

Hardening is one layer in a multi-layered defense architecture — it is necessary but not sufficient alone.

Hardening Verification Checklist

After applying hardening parameters, verify each one took effect.

Test 1 — Signing: from a second ground station without the signing key, send a MAVLink ARM command. Expected result: the drone ignores it. If the drone arms: signing is not active.

Test 2 — Geofence: fly to the geofence boundary in SITL. Expected: drone automatically returns.

Test 3 — Failsafe: disconnect the radio link. Expected: drone enters RTL within the configured timeout.

Test 4 — Port scan: connect a USB-serial adapter to UART3. Expected: no MAVLink response (port disabled).

Document all four test results in the drone's maintenance log. Repeat after every firmware update — parameters can reset to defaults during flashing.

Firmware hardening is the foundation of drone cybersecurity — without it, every other security measure is bypassed at the firmware level. A drone with encrypted MANET but unhardened firmware accepts unsigned MAVLink commands through any serial port. Firmware hardening closes these backdoors permanently. The firmware configuration should be verified after every parameter change and before every deployment.

PLAIN LANGUAGE: LOCK THE DOORS
Four critical parameters: signing (rejects fake commands), failsafe (returns on link loss), geofence (prevents flyaway), port disable (closes attack surfaces). Fifteen minutes per drone. Zero cost. Without this, an adversary with a €25 SDR dongle lands your drone at their feet. With it, they see the drone but cannot touch it.


Implementation

# ArduPilot Security Hardening Checklist
HARDENING_PARAMS = {
    # MAVLink signing — reject unsigned commands
    "BRD_SERIAL_SIGNING": 1,
    
    # Disable unused serial ports
    "SERIAL3_PROTOCOL": -1,    # Disabled
    "SERIAL4_PROTOCOL": -1,    # Disabled
    "SERIAL5_PROTOCOL": -1,    # Disabled
    
    # Geofence — prevent flyaway
    "GEO_FENCE_ENABLE": 1,
    "GEO_FENCE_TYPE": 7,      # Altitude + circle + polygon
    "GEO_FENCE_ACTION": 1,    # RTL on breach
    "GEO_FENCE_ALT_MAX": 300, # Max 300m AGL
    
    # Advanced failsafe
    "AFS_ENABLE": 1,
    "AFS_TERM_ACTION": 42,    # Terminate flight on critical failure
    
    # RC override protection
    "RC_OVERRIDE_TIME": 0,    # Disable RC override via MAVLink
}

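# Print a "param set" command for each parameter.
# The loop only emits the commands; it does not write to the autopilot itself.
for param, value in HARDENING_PARAMS.items():
    print(f"param set {param} {value}")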
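Because parameters can reset to defaults during flashing, the read-back side of the checklist can be automated. The following added example (not part of the original page) parses a parameter export and lists every hardening value that is missing or has drifted; the NAME,VALUE export format, the function names and the sample export are assumptions constructed for illustration.

```python
# Expected values, copied from the HARDENING_PARAMS set on this page
HARDENING_PARAMS = {
    "BRD_SERIAL_SIGNING": 1, "SERIAL3_PROTOCOL": -1, "SERIAL4_PROTOCOL": -1,
    "SERIAL5_PROTOCOL": -1, "GEO_FENCE_ENABLE": 1, "GEO_FENCE_TYPE": 7,
    "GEO_FENCE_ACTION": 1, "GEO_FENCE_ALT_MAX": 300, "AFS_ENABLE": 1,
    "AFS_TERM_ACTION": 42, "RC_OVERRIDE_TIME": 0,
}

# Constructed export: signing entry absent, one port and the fence reverted
SAMPLE_EXPORT = """\
# parameter export (constructed sample)
AFS_ENABLE,1
AFS_TERM_ACTION,42
GEO_FENCE_ENABLE,0
GEO_FENCE_TYPE,7
GEO_FENCE_ACTION,1
GEO_FENCE_ALT_MAX,300
RC_OVERRIDE_TIME,0
SERIAL3_PROTOCOL,-1
SERIAL4_PROTOCOL,5
SERIAL5_PROTOCOL,-1
"""


def parse_param_export(text):
    """Parse NAME,VALUE or NAME VALUE lines; skip comments and malformed rows."""
    params = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].replace(",", " ").split()
        if len(fields) != 2:
            continue
        try:
            params[fields[0].upper()] = float(fields[1])
        except ValueError:
            continue
    return params


def audit_hardening(actual, expected=HARDENING_PARAMS):
    """Return (name, expected, found) for each missing or drifted parameter."""
    findings = []
    for name, want in expected.items():
        found = actual.get(name)
        if found is None or abs(found - want) > 1e-6:
            findings.append((name, want, found))
    return findings


if __name__ == "__main__":
    for name, want, found in audit_hardening(parse_param_export(SAMPLE_EXPORT)):
        print(f"FAIL {name}: expected {want}, found {found}")
```

An empty result means the export matches the hardening set; any finding should block deployment until the parameter is reapplied and the four tests are repeated.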


Sources

Swedish Armed Forces MAVLink signing documentation. MAVLink 2.0 protocol specification. ArduPilot failsafe configuration guide. FSG-A hardening standard v3.0.