MAVLink Security Hardening for Production Deployments

PX4 v1.17

MAVLink is an open communication protocol designed for lightweight, low-latency communication between drones and ground stations. By default, all MAVLink messages are unauthenticated. This is intentional for development and testing, but production deployments must enable message signing to prevent unauthorized access.

WARNING

Without message signing enabled, any device that can send MAVLink messages to the vehicle (via radio, network, or serial) can execute any command, including shell access, file operations, parameter changes, mission uploads, arming, and flight termination.

What Is at Risk

When MAVLink signing is not enabled, an attacker within communication range can:

Capability	MAVLink mechanism
Execute shell commands	`SERIAL_CONTROL` with `SERIAL_CONTROL_DEV_SHELL`
Read, write, or delete files	MAVLink FTP protocol
Change any flight parameter	`PARAM_SET` / `PARAM_EXT_SET`
Upload or overwrite missions	Mission protocol
Arm or disarm motors	`MAV_CMD_COMPONENT_ARM_DISARM`
Terminate flight (crash)	`MAV_CMD_DO_FLIGHTTERMINATION`
Trigger emergency landing	Spoofed `BATTERY_STATUS`
Reboot the vehicle	`MAV_CMD_PREFLIGHT_REBOOT_SHUTDOWN`

All of these are standard MAVLink capabilities used by ground control stations. Without signing, there is no distinction between a legitimate GCS and an unauthorized sender.

Hardening Checklist

1. Enable Message Signing

Message signing provides cryptographic authentication for all MAVLink communication. See Message Signing for full details.

Steps:

Connect the vehicle via USB (key provisioning only works over USB).
Provision a 32-byte secret key using the SETUP_SIGNING message.
Set MAV_SIGN_CFG to 1 (signing enabled on all links except USB) or 2 (signing on all links including USB).
Provision the same key on all ground control stations and companion computers that need to communicate with the vehicle.
Verify that unsigned messages from unknown sources are rejected.

INFO

MAV_SIGN_CFG=1 is recommended for most deployments. This enforces signing on telemetry radios and network links while allowing unsigned access over USB for maintenance. USB connections require physical access to the vehicle, which provides equivalent security to physical key access.

2. Secure Physical Access

Protect access to the SD card. The signing key is stored at /mavlink/mavlink-signing-key.bin and can be read or removed by anyone with physical access.
USB connections bypass signing when MAV_SIGN_CFG=1. Ensure USB ports are not exposed in deployed configurations.

3. Secure Network Links

Do not expose MAVLink UDP/TCP ports to untrusted networks or the internet.
Place MAVLink communication links behind firewalls or VPNs.
Segment MAVLink networks from business or public networks.
When using companion computers, audit which network interfaces MAVLink is bound to.

4. Understand the Limitations

No encryption: Message signing provides authentication and integrity, but messages are sent in plaintext. An eavesdropper can read telemetry and commands but cannot forge them.
Allowlisted messages: A small set of safety-critical messages (RADIO_STATUS, ADSB_VEHICLE, COLLISION) are always accepted unsigned.
Key management: There is no automatic key rotation. Keys must be reprovisioned manually via USB if compromised.

Integrator Responsibility

PX4 is open-source flight controller firmware used by manufacturers and system integrators to build commercial and custom drone platforms.

Securing the communication links for a specific deployment is the responsibility of the system integrator. This includes:

Choosing appropriate radio hardware and link security
Enabling and managing MAVLink message signing
Restricting network access to MAVLink interfaces
Applying firmware updates that address security issues
Evaluating whether the default configuration meets the security requirements of the target application

PX4 provides the tools for securing MAVLink communication. Integrators must enable and configure them for their deployment context.

Flight Modes

Setpoint Tuning (Trajectory Generator)

MindRacer BNF & RTF

Pixhawk Series

Pixhawk Standard Autopilots

CUAV Pixhawk V6X (FMUv6X)

Holybro Pixhawk 6X (FMUv6X)

Holybro Pixhawk 6C (FMUv6C)

Holybro Pixhawk 5X (FMUv5X)

Holybro Pixhawk 4 (FMUv5)

mRo Pixracer (FMUv4)

mRo Pixhawk (FMUv3)

Manufacturer-Supported Autopilots

CUAV V5+ (FMUv5)

CUAV V5 nano (FMUv5)

CubePilot Cube Yellow (CubePilot)

Holybro Durandal

Holybro Pix32 v5

Experimental Autopilots

Raspberry Pi 2/3/4 PilotPi

Pixhawk Autopilot Bus (PAB) & Carriers

Bootloader Update

Accelerometer

Gyroscope

Magnetometer (Compass)

Airspeed Sensors

Distance Sensors (Rangefinders)

Lightware Lidars (SF/LW/GRF)

GNSS (GPS)

RTK GNSS

Septentrio GNSS Receivers

INS (Inertial Navigation/GNSS)

Optical Flow

Tachometers (Revolution Counters)

ESCs & Motors

DroneCAN ESCs

Radio Control (RC)

Telemetry Radios

SiK Radio

Telemetry Wifi

Microhard Serial Telemetry Radio

Power Modules/PDB

Smart/MAVLink Batteries

Camera

Grippers

Pixhawk + Companion Setup

Computer Vision

Visual Inertial Odometry (VIO)

Video Streaming

Drive Modes

Configuration/Tuning

Complete Vehicles

Toolchain Installation

PX4 Flight Stack Architecture

Gazebo Simulation

Vehicles

Gazebo Classic Simulation

Flight Controller Porting Guide

Airframes

Telemetry Radio

Sensor and Actuator I/O

UART/Serial Ports

uORB Message Reference

Versioned

Unversioned Messages

MAVLink Messaging

Protocols/Microservices

uXRCE-DDS (PX4-ROS 2/DDS Bridge)

Drivers

Consoles/Shells

Debugging with GDB

Flight Log Analysis

Computer Vision

Neural Networks

MC NN Control Module (Generic)

Windows Cygwin Toolchain

Simulators

FlightGear Simulation

jMAVSim Simulation

Test Flights