The fight to lock down drones and their supply chains
Drones have already shown their impact in military operations, and their influence is spreading across the agricultural and industrial sectors. Given their technological capabilities, we need to be aware of the risks they bring.
Drones as a new attack vector
Companies like Amazon are already using drones for product delivery, which means these airborne fleets are exposed to potential risks.
Drones can disrupt operations in key areas like power plants and transportation systems. A single incident can stop supply chains, delay flights, or damage facilities, causing financial losses. Denmark was forced to shut down its airports after drones of unknown origin flew overhead, an incident linked to rising tensions between the EU on one side and Russia on the other.
Small computers like a Raspberry Pi can be mounted on a drone to scan Wi-Fi networks and collect details such as MAC addresses and SSIDs. The device can then mimic a known network, tricking devices or users into connecting and allowing hackers to capture login credentials.
With cameras, drones can perform physical surveillance, tracking shift changes, monitoring security protocols, and identifying weak points for cyber or physical attacks. Some use thermal imaging to locate sensitive equipment, such as servers.
The success of commercial drones in the war in Ukraine shows how dangerous they can be in attacks. The Ukrainians demonstrated this potential in an operation where they equipped them with malware that activates upon capture, targeting Russian forces in multiple ways.
China’s grip on drones
The fact that many countries get their low-cost drones and parts from China represents a possible liability for global drone operations. This allows China to control who it sells drones and components to, and under what conditions, as seen in the case of Ukraine, where sales restrictions have been imposed.
The dependence on these components has prompted some countries, especially the US, to distance themselves from Chinese technology due to frequent rumors of hidden components.
Frequent attack methods
Attackers most often target drones using the following methods:
- DoS and DDoS attacks: These attacks overwhelm a drone’s communication channels or onboard systems with excessive traffic, overloading its processing capabilities.
- Signal jamming: Devices can be used to disrupt the communication between a drone and its controller, causing the drone to lose connection. This can lead to crashes or make the drone vulnerable to hijacking.
- Spoofing: Attackers can send false GPS signals to a drone, making it believe it’s in a different location. This can cause it to fly off course or land in an unintended area.
- Man-in-the-middle attacks: Communications between the drone and its controller can be intercepted, allowing unauthorized individuals to listen in or modify the information being sent.
- Malware and firmware attacks: Drones run on software and firmware like any other device. If malware is introduced or firmware is tampered with, attackers can gain control over the drone. Researchers at Nozomi Networks Labs analyzed the firmware of a commercial drone and found nine vulnerabilities in its Wi-Fi quick transfer mode. Some of these flaws could allow attackers to access or extract photos and video, including operational data.
Drone law trends
In 2025, the use of drones, including autonomous operations, is growing, and regulations are changing to keep up. Governments are expanding no-fly zones around sensitive sites, setting rules for beyond-visual-line-of-sight flights, and addressing privacy concerns in residential and commercial areas.
In the U.S., the FAA and state laws use geofencing, BVLOS guidelines, and restrictions on facial recognition. In Europe, EASA and GDPR focus on temporary airspace closures, AI risk management, and protection of personal data.
What companies can do to prepare
Companies that use drones for delivery, monitoring, inspections, or industrial tasks can take the following steps to protect their drones, data, and operations.
Pre-flight: Secure procurement and setup
- Verify the drone manufacturer’s origin.
- Review privacy policies to understand how data is stored and shared.
- Protect accounts with strong passwords and update default credentials.
- Enable 2FA if possible.
- Limit data sharing during registration.
- Connect drones only to secure Wi-Fi networks.
- For drones made abroad, enable Local Data Mode (LDM) to prevent unwanted transmissions.
- Keep firmware and software up to date from trusted sources.
- Review licensing agreements before installing software or updates.
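An added example, not part of the original article: one way to back the "secure Wi-Fi networks only" item with a check against the network-mimicking risk described earlier. It compares a Wi-Fi scan with a site inventory and flags radios that reuse a trusted network name; the inventory, SSIDs, BSSIDs and scan rows are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # MAC address of the radio
    security: str   # "OPEN", "WPA2", "WPA3", ...

# Hypothetical site inventory: SSID -> (approved BSSIDs, minimum security).
INVENTORY = {
    "ops-hangar": ({"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}, "WPA2"),
}
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Constructed scan results, as a Wi-Fi survey tool might report them.
SAMPLE_SCAN = [
    AccessPoint("ops-hangar", "02:00:00:AA:BB:01", "WPA2"),  # approved radio
    AccessPoint("ops-hangar", "02:00:00:cc:dd:99", "WPA2"),  # same name, unknown radio
    AccessPoint("Ops-Hangar", "02:00:00:aa:bb:02", "OPEN"),  # approved radio, no encryption
    AccessPoint("cafe-guest", "02:00:00:ee:ff:10", "OPEN"),  # unrelated network
]

def audit_scan(scan, inventory=INVENTORY):
    """Return (ssid, bssid, reason) for each AP that imitates a trusted SSID."""
    findings = []
    for ap in scan:
        # Case-insensitive match so lookalike spellings are also reviewed.
        entry = inventory.get(ap.ssid.strip().lower())
        if entry is None:
            continue  # not one of our network names
        approved, min_security = entry
        bssid = ap.bssid.lower()
        if bssid not in approved:
            findings.append((ap.ssid, bssid, "unknown-bssid"))
        elif SECURITY_RANK.get(ap.security.upper(), 0) < SECURITY_RANK[min_security]:
            findings.append((ap.ssid, bssid, "security-downgrade"))
    return findings

if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN):
        print(finding)
```

A radio that copies both an approved BSSID and its security setting passes this check, so treat it as a survey aid alongside authenticated network access rather than as proof a network is genuine.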
During flight: Maintain secure operations
- Set a fixed Return-to-Home (RTH) location to ensure drone recovery.
- Use the GCS kill function to prevent cameras from capturing unintended areas.
- Use a VPN when sharing videos or operating over wireless networks.
Post-flight: Secure data storage and disposal
- Delete sensitive data, including imagery, GPS history, and telemetry, once securely transferred.
- Safely remove and store portable storage devices.
- Ensure network security by isolating or segmenting systems to prevent malware spread.
- Conduct periodic log reviews and compliance checks.
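An added example, not part of the original article: a post-flight log review that looks for the position jumps a GPS spoofing event can leave in telemetry. The row format (ISO timestamp, latitude, longitude), the 25 m/s speed ceiling and the sample log are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_SPEED_MS = 25.0  # assumed top speed of the airframe, in metres per second

# Constructed telemetry: steady flight, one sudden relocation, one repeated timestamp.
SAMPLE_LOG = [
    ("2025-01-01T10:00:00", 55.0000, 12.0000),
    ("2025-01-01T10:00:01", 55.0001, 12.0000),  # about 11 m in 1 s
    ("2025-01-01T10:00:02", 55.0002, 12.0000),
    ("2025-01-01T10:00:03", 55.0102, 12.0000),  # about 1.1 km in 1 s
    ("2025-01-01T10:00:04", 55.0103, 12.0000),
    ("2025-01-01T10:00:04", 55.0104, 12.0000),  # timestamp did not advance
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 coordinates."""
    radius = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))

def find_position_jumps(rows, max_speed=MAX_SPEED_MS):
    """Return (timestamp, kind, implied_speed) for fixes the airframe could not have flown."""
    findings = []
    prev = None
    for ts, lat, lon in rows:
        when = datetime.fromisoformat(ts)
        if prev is not None:
            dt = (when - prev[0]).total_seconds()
            if dt <= 0:
                # Repeated or backwards time: speed is undefined, flag for review.
                findings.append((ts, "time", 0.0))
            else:
                speed = haversine_m(prev[1], prev[2], lat, lon) / dt
                if speed > max_speed:
                    findings.append((ts, "jump", round(speed)))
        prev = (when, lat, lon)
    return findings

if __name__ == "__main__":
    for finding in find_position_jumps(SAMPLE_LOG):
        print(finding)
```

False positions that drift slowly stay under the speed ceiling, so a clean result here does not rule out spoofing; comparing GPS fixes with inertial or barometric readings covers that case.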