MAVLink Security Hardening for Production Deployments

PX4 v1.17

MAVLink is an open communication protocol designed for lightweight, low-latency communication between drones and ground stations. By default, all MAVLink messages are unauthenticated. This is intentional for development and testing, but production deployments must enable message signing to prevent unauthorized access.

WARNING

Without message signing enabled, any device that can send MAVLink messages to the vehicle (via radio, network, or serial) can execute any command, including shell access, file operations, parameter changes, mission uploads, arming, and flight termination.

What Is at Risk

When MAVLink signing is not enabled, an attacker within communication range can:

Capability	MAVLink mechanism
Execute shell commands	`SERIAL_CONTROL` with `SERIAL_CONTROL_DEV_SHELL`
Read, write, or delete files	MAVLink FTP protocol
Change any flight parameter	`PARAM_SET` / `PARAM_EXT_SET`
Upload or overwrite missions	Mission protocol
Arm or disarm motors	`MAV_CMD_COMPONENT_ARM_DISARM`
Terminate flight (crash)	`MAV_CMD_DO_FLIGHTTERMINATION`
Trigger emergency landing	Spoofed `BATTERY_STATUS`
Reboot the vehicle	`MAV_CMD_PREFLIGHT_REBOOT_SHUTDOWN`

All of these are standard MAVLink capabilities used by ground control stations. Without signing, there is no distinction between a legitimate GCS and an unauthorized sender.

Hardening Checklist

1. Enable Message Signing

Message signing provides cryptographic authentication for all MAVLink communication. See Message Signing for full details.

Steps:

Connect to the vehicle over a trusted link (USB or other secure connection).
Provision a 32-byte secret key using the SETUP_SIGNING message. This works on any link, but use a trusted one for initial provisioning.
Provision the same key on all ground control stations and companion computers that need to communicate with the vehicle.
Verify that unsigned messages from unknown sources are rejected.

INFO

Once a key is provisioned, signing is enforced automatically on all links (including USB). Changing or disabling the key requires a signed SETUP_SIGNING message. Signing changes are rejected while the vehicle is armed. Signing can also be disabled by physically removing the key file from the SD card.

2. Secure Physical Access

SD card: The signing key is stored at /mavlink/mavlink-signing-key.bin. Anyone with physical access to the SD card can read, modify, or remove the key file.
USB ports: USB follows the same signing rules as all other links. When signing is active, USB requires signed messages.
Debug ports (SWD/JTAG): If exposed, Debug Ports allow full firmware reflash and bypass all software security. Not all vehicles expose debug connectors.

WARNING

Signing protects all MAVLink links. The primary physical attack surface is the SD card (key file extraction or deletion). If your threat model includes physical access, secure the SD card slot and debug ports.

3. Secure Network Links

Do not expose MAVLink UDP/TCP ports to untrusted networks or the internet.
Place MAVLink communication links behind firewalls or VPNs.
Segment MAVLink networks from business or public networks.
When using companion computers, audit which network interfaces MAVLink is bound to.

4. Understand the Limitations

No encryption: Message signing provides authentication and integrity, but messages are sent in plaintext. An eavesdropper can read telemetry and commands but cannot forge them.
Allowlisted messages: A small set of safety-critical messages (HEARTBEAT, RADIO_STATUS, ADSB_VEHICLE, COLLISION) are always accepted unsigned on all links. An attacker could spoof these specific messages.
Key management: There is no automatic key rotation. Keys must be reprovisioned manually via a signed SETUP_SIGNING message.
Lost key recovery: If the signing key is lost on all GCS devices, the only recovery is physical: remove the SD card and delete the key file, or reflash via SWD/JTAG. There is no software-only recovery path. See Message Signing: Lost Key Recovery for details.

Integrator Responsibility

PX4 is open-source flight controller firmware used by manufacturers and system integrators to build commercial and custom drone platforms.

Securing the communication links for a specific deployment is the responsibility of the system integrator. This includes:

Choosing appropriate radio hardware and link security
Enabling and managing MAVLink message signing
Restricting network access to MAVLink interfaces
Applying firmware updates that address security issues
Evaluating whether the default configuration meets the security requirements of the target application

PX4 provides the tools for securing MAVLink communication. Integrators must enable and configure them for their deployment context.

Flight Modes

Setpoint Tuning (Trajectory Generator)

MindRacer BNF & RTF

Pixhawk Series

Pixhawk Standard Autopilots

CUAV Pixhawk V6X (FMUv6X)

Holybro Pixhawk 6X (FMUv6X)

Holybro Pixhawk 6C (FMUv6C)

Holybro Pixhawk 5X (FMUv5X)

Holybro Pixhawk 4 (FMUv5)

mRo Pixracer (FMUv4)

mRo Pixhawk (FMUv3)

Manufacturer-Supported Autopilots

CUAV V5+ (FMUv5)

CUAV V5 nano (FMUv5)

CUAV X25 EVO

CubePilot Cube Yellow (CubePilot)

Holybro Durandal

Holybro Pix32 v5

Experimental Autopilots

Raspberry Pi 2/3/4 PilotPi

Pixhawk Autopilot Bus (PAB) & Carriers

Bootloader Update

Accelerometer

Gyroscope

Magnetometer (Compass)

Airspeed Sensors

Distance Sensors (Rangefinders)

Lightware Lidars (SF/LW/GRF)

GNSS (GPS)

RTK GNSS

Septentrio GNSS Receivers

INS (Inertial Navigation/GNSS)

Optical Flow

Tachometers (Revolution Counters)

ESCs & Motors

DroneCAN ESCs

Radio Control (RC)

Telemetry Radios

SiK Radio

Telemetry Wifi

Microhard Serial Telemetry Radio

Power Modules/PDB

Smart/MAVLink Batteries

Camera

Grippers

Pixhawk + Companion Setup

Computer Vision

Visual Inertial Odometry (VIO)

Video Streaming

Drive Modes

Configuration/Tuning

Complete Vehicles

Toolchain Installation

PX4 Flight Stack Architecture

Gazebo Simulation

Vehicles

SIH Simulation

Gazebo Classic Simulation

Flight Controller Porting Guide

Airframes

Telemetry Radio

Sensor and Actuator I/O

UART/Serial Ports

uORB Message Reference

Versioned

Unversioned Messages

MAVLink Messaging

Protocols/Microservices

uXRCE-DDS (PX4-ROS 2/DDS Bridge)

Drivers

Consoles/Shells

Debugging with GDB

Flight Log Analysis

Computer Vision

Neural Networks

MC NN Control Module (Generic)

Windows Cygwin Toolchain

Simulators

FlightGear Simulation

MAVLink Security Hardening for Production Deployments

What Is at Risk

Hardening Checklist

1. Enable Message Signing