Introduction

Modern drones are sophisticated computing platforms that generate, transmit, and store sensitive dataโ€”flight logs, GPS coordinates, camera imagery, and personal information. Cyber security threats to drones include signal hijacking, data theft, GPS spoofing, and unauthorized access. The Civil Aviation Authority (CAA) of New Zealand expects operators to implement security practices that protect drone systems, flight data, and client information. This guide covers cyber security best practices, data protection, wireless security, and compliance requirements for New Zealand drone operators in 2026.

Types of Cyber Security Threats to Drones

1. Signal Hijacking (Unauthorized Control)

Threat: Attacker intercepts drone's radio signal and takes control of the aircraft. How it happens:
  • Attacker uses software-defined radio (SDR) to capture and replay control signals
  • Weak encryption allows signal decoding
  • Drone switches to attacker's signal if more powerful than operator's
  • Attacker gains full control: altitude, direction, return-to-home abort

Impact:
  • Loss of aircraft (crash or loss of signal)
  • Injury to persons below drone
  • Property damage
  • Data loss (flight data, imagery)

Prevention:
  • Use modern encryption (AES-256 or stronger)
  • Ensure transmitter and drone firmware are current
  • Keep drone physically secure (prevent tampering)
  • Use frequency-hopping transmission (harder to intercept)
  • Maintain short communication distance (less interception window)

Evidence of hijacking:
  • Drone doesn't respond to control inputs
  • Unexpected altitude/heading changes
  • Loss of video feed
  • Motor sounds but no control response

2. GPS Spoofing

Threat: Attacker transmits false GPS signals, deceiving drone about its location. How it happens:
  • Attacker broadcasts stronger GPS signal from nearby location
  • Drone's receiver locks to false signal instead of real GPS
  • Drone believes it's at wrong location
  • Autonomous flight (waypoint missions) goes to wrong place

Impact:
  • Aircraft flies to unintended location
  • RTH (Return-to-Home) lands at wrong location
  • Drone may fly into obstacles or hazards
  • Loss of aircraft if it flies beyond recovery range

Prevention:
  • Use GPS with receiver integrity checking (SBAS corrections)
  • Monitor GPS accuracy; abort if signal quality low
  • Verify flight plan matches actual position
  • Don't rely solely on GPS for critical navigation
  • Use visual landmarks to verify position

Detection:
  • GPS accuracy suddenly degrades (e.g., 50+ meters error)
  • Actual position doesn't match displayed position
  • Altitude hold becomes erratic despite good GPS signal

3. Firmware Vulnerabilities

Threat: Attacker exploits bugs in drone or transmitter firmware. How it happens:
  • Malicious code in firmware update compromises security
  • Backdoor (hidden access) installed in operating system
  • Attacker gains remote access to drone systems
  • Control system, camera, or data functions compromised

Impact:
  • Unauthorized access to flight data or imagery
  • Loss of control during flight
  • Camera hijacking (unauthorized recording)
  • Data exfiltration (flight logs, images downloaded by attacker)

Prevention:
  • Keep firmware updated (security patches released regularly)
  • Download firmware only from official manufacturer sources
  • Verify firmware authenticity (digital signatures)
  • Don't install third-party/modified firmware
  • Subscribe to manufacturer security notices

Detection:
  • Unexplained system behavior
  • Unexpected network connections
  • Slow performance or crashes
  • Battery drains faster than normal

4. Data Theft and Unauthorized Access

Threat: Attacker gains access to flight data, imagery, or operator credentials. How it happens:
  • Unsecured cloud storage accessible to anyone
  • Weak passwords easily guessed or brute-forced
  • Malware on operator's computer steals credentials
  • Unencrypted data transmission intercepted by attacker
  • Disgruntled employee shares access credentials

Impact:
  • Client proprietary data exposed (aerial surveys of sensitive facilities)
  • Privacy violation (personal imagery disclosed)
  • Intellectual property theft
  • Regulatory compliance violation (privacy law)
  • Reputational damage

Prevention:
  • Encrypt data at rest (saved files encrypted)
  • Encrypt data in transit (use HTTPS, VPN)
  • Strong passwords (16+ characters, mixed case, symbols)
  • Multi-factor authentication (requires second authentication method)
  • Access controls (limit who can access data)
  • Regular backups (protects against ransomware)

5. Malware on Operator Device

Threat: Operator's computer or mobile device is infected with malware. How it happens:
  • Operator downloads infected software or attachment
  • Malware installs keylogger (captures passwords)
  • Malware installs screen capture (captures data)
  • Malware installs remote access tool (attacker controls device)
  • Operator loses control of device; credentials compromised

Impact:
  • Operator credentials stolen; attacker gains access to accounts
  • Flight data and imagery copied by attacker
  • Device becomes part of botnet (used for attacks on others)
  • Regulatory compliance violations if client data compromised

Prevention:
  • Use antivirus/anti-malware software (updated regularly)
  • Only download software from official sources
  • Don't click suspicious links or email attachments
  • Keep operating system and applications patched
  • Use reputable VPN if operating on public WiFi
  • Regular malware scans

Drone Flight System Security

Transmitter and Receiver Encryption

Modern drones use encryption to prevent signal hijacking: Encryption strength by generation:
  • Older drones (pre-2015): Weak or no encryption; vulnerable to hijacking
  • Mid-range (2015โ€“2020): Proprietary encryption; moderate security
  • Modern drones (2020+): AES-256 or stronger; industry standard

How to verify:
  • Check manufacturer specifications for encryption standard
  • Older drones (DJI Phantom 3 or earlier): Consider replacement for security
  • Newer drones: Typically adequate; ensure firmware updated

User responsibility:
  • Keep firmware updated (manufacturer releases security patches)
  • Don't disable security features (even if they seem inconvenient)
  • Use transmitter pairing correctly (prevents unauthorized receivers)

Firmware Update Security

Critical for cyber security; should be mandatory practice: Best practices:
  1. Subscribe to manufacturer security notices โ€“ Get alerts of vulnerabilities
  2. Update immediately when security patches released โ€“ Don't delay
  3. Download from official sources only โ€“ Fake updates exist online
  4. Verify authenticity โ€“ Check digital signature if provided
  5. Test in controlled flight โ€“ Verify functionality after update
  6. Keep backup of previous firmware (if rollback needed, though rare)

Process:

`` FIRMWARE UPDATE PROCEDURE

  1. Check manufacturer website for latest firmware
  2. Download firmware to computer (not on drone)
  3. Verify firmware file integrity (checksum if available)
  4. Ensure battery is fully charged (update requires power)
  5. Connect transmitter to computer
  6. Launch firmware update tool
  7. Follow on-screen instructions (do NOT disconnect during update)
  8. Wait for completion (15โ€“30 minutes typical)
  9. Verify update successful (check firmware version)
  10. Test drone in controlled environment
  11. Resume normal operations

`

Physical Security of Equipment

Prevent tampering with drone or transmitter: Security measures:
  • Secure storage (locked cabinet)
  • Serial number recording (identify if stolen)
  • Identification marks (make drone identifiable as yours)
  • Transport security (don't leave in vehicle)
  • Backup equipment (if primary device compromised)
  • Inventory control (know where every device is)

Flight Data and Imagery Protection

Data at Rest (Stored Data)

Protect data saved to storage devices: Encryption methods:
  1. Full-disk encryption โ€“ Entire hard drive encrypted; requires password to boot
  2. File-level encryption โ€“ Individual files encrypted (folder or file level)
  3. Cloud encryption โ€“ Data encrypted before uploading to cloud

Implementation:
  • Windows: BitLocker (built-in)
  • Mac: FileVault (built-in)
  • Linux: LUKS (open-source)
  • Cloud: Most providers offer encryption (AWS, Google Drive, Dropbox)

Best practice:
  • Encrypt all computers and storage devices
  • Use strong passwords (16+ characters)
  • Test restore/recovery process regularly

Data in Transit (Moving Data)

Protect data while being transferred between devices: Security methods:
  1. HTTPS/SSL โ€“ Encrypted web connections
  2. VPN (Virtual Private Network) โ€“ Encrypted tunnel for all traffic
  3. Encrypted messaging โ€“ Signal, ProtonMail, etc.
  4. Secure file transfer โ€“ SFTP instead of FTP

Avoid:
  • Public WiFi without VPN (attackers can intercept)
  • Unencrypted email for sensitive data
  • Cloud storage over unencrypted connection
  • USB drives with unencrypted data (if lost, data compromised)

Example: Uploading flight data to cloud

` SECURE UPLOAD PROCEDURE

  1. Connect to private WiFi (home or office)
  2. Open VPN connection (adds encryption layer)
  3. Use HTTPS cloud service (check URL starts with https://)
  4. Upload file (encrypted end-to-end)
  5. Verify upload complete
  6. Delete local copy (if backup exists elsewhere)
  7. Close VPN connection

``

Imagery and Flight Data Privacy

Protect client data and personal information: Compliance requirements:
  • Privacy Act 1993 (NZ) โ€“ Protects personal information
  • GDPR (if clients in EU) โ€“ Strict data protection requirements
  • Australian Privacy Act (if clients in Australia)

Best practices:
  • Obtain written consent before imagery capture
  • Secure client data with encryption
  • Limit access to authorized personnel
  • Destroy data when no longer needed (secure deletion)
  • Incident response plan (if breach occurs)

Red flags for privacy violation:
  • Photographing private homes without consent
  • Recording inside buildings without knowledge
  • Collecting personal information beyond project scope
  • Sharing imagery without client permission

Operator Credential Management

Strong Passwords

Passwords are first line of defense; use strong ones: Password strength criteria:
  • Length: 16+ characters (longer = more secure)
  • Complexity: Mix uppercase, lowercase, numbers, symbols
  • Uniqueness: Different for each account
  • Entropy: No dictionary words, birthdates, or predictable patterns

Example:
  • Weak: "password123" (common, predictable)
  • Better: "MyDrone!2024NZ$" (mix of types, specific)
  • Best: "k7$Xm!Q2bL@nP9wR" (random, unpredictable)

Tools:
  • Password manager (1Password, LastPass, Bitwarden) โ€“ Stores passwords securely
  • Password generator โ€“ Creates random strong passwords

Multi-Factor Authentication (MFA)

Two-step verification adds security layer: How MFA works:
  1. Enter username/password
  2. System sends code via SMS, email, or authenticator app
  3. User enters code to verify identity
  4. Account access granted

Types of MFA:
  • SMS code โ€“ Code sent to phone via text message
  • Authenticator app โ€“ App like Google Authenticator generates code
  • Email code โ€“ Code sent to email address
  • Hardware token โ€“ Physical device generates code (most secure)

Recommendation: Use authenticator app instead of SMS (SMS can be intercepted).

Credential Storage and Sharing

Protect account credentials: Do NOT:
  • Write passwords on paper or sticky notes
  • Share passwords via unencrypted email
  • Use same password across multiple accounts
  • Log in using auto-fill on shared computers

Do:
  • Use password manager (central encrypted vault)
  • Share credentials securely (password manager sharing feature)
  • Change passwords regularly (quarterly minimum)
  • Revoke access when employee leaves
  • Log out of accounts when done

Incident Response: Data Breach

Detecting a Breach

Signs of unauthorized access:
  • Unusual account activity (login from unknown location)
  • Data missing or modified
  • Unexpected emails from your account
  • Slow device performance or crashes
  • Antivirus alerts

Response Procedure

If you suspect a breach:
  1. Isolate affected device โ€“ Disconnect from network
  2. Change passwords โ€“ All accounts, especially critical ones (email, cloud)
  3. Enable MFA โ€“ Add two-factor authentication to all accounts
  4. Scan for malware โ€“ Run updated antivirus/anti-malware
  5. Review account activity โ€“ Check login history, authorized devices
  6. Monitor credit โ€“ Watch for fraudulent activity if financial data compromised
  7. Notify affected parties โ€“ If client data was in breach, inform them
  8. Document incident โ€“ Record what happened, timeline, response taken

Data Breach Notification Requirements

If client data was compromised: Privacy Act requirements (NZ):
  • Notify affected individuals
  • Describe what data was compromised
  • Explain steps you're taking to prevent recurrence
  • Provide support (credit monitoring if relevant)

Timeline: Notify as soon as practicable (typically within 5โ€“7 days). Documentation: Keep incident report for regulatory review.

CAA Compliance: Cyber Security Requirements

Part 101 (Recreational) โ€“ General Security Principles

Part 101 doesn't mandate specific cyber security measures, but operators should:

  • Keep firmware updated
  • Use strong passwords
  • Protect flight data
  • Be aware of hijacking risks

Part 102 (Commercial) โ€“ Formal Requirements

Part 102 certificate holders should include in Operations Manual:

  • Data security procedures โ€“ How flight data and imagery are protected
  • Firmware update schedule โ€“ When and how updates are applied
  • Credential management โ€“ Password and access control procedures
  • Incident response โ€“ What to do if cyber security incident occurs
  • Client data protection โ€“ How client data confidentiality is maintained
  • Regular security review โ€“ Periodic assessment of security measures

CAA expectations:
  • Evidence of current firmware
  • Documented data security procedures
  • Regular security updates
  • Incident response capability

MmowW: Cyber Security and Data Protection

MmowW helps operators maintain cyber security by:
  • Encrypted flight logging โ€“ Flight data stored securely
  • Access controls โ€“ Multi-user system with role-based access
  • Firmware tracking โ€“ Alerts for available security updates
  • Data encryption โ€“ Flight logs and imagery encrypted
  • Incident documentation โ€“ Secure incident record-keeping
  • Compliance audit โ€“ Verification of security measures
  • Regular backups โ€“ Data backup protection against loss

Cost: NZ$8.60 per drone per month.

FAQ: Drone Cyber Security for NZ Operators

๐Ÿฃ Can someone really hack my drone?

Yes, depending on drone age and security measures:

  • Older drones (pre-2015): Vulnerable to signal hijacking
  • Modern drones: Difficult but possible with sophisticated equipment
  • Remote attacks: Less common but possible if connected to internet
  • Physical tampering: If not stored securely, someone could modify it

Keep firmware updated; modern drones are reasonably secure.

๐Ÿฆ‰ What's the risk of GPS spoofing?

Moderate risk if:

  • Operating BVLOS (beyond visual line of sight) โ€“ you can't verify position
  • Autonomous missions โ€“ drone follows waypoints you can't override
  • Near areas with strong RF interference (military installations, etc.)

Mitigation: Monitor GPS accuracy; abort if accuracy degrades unexpectedly.

๐Ÿฃ How often should I update drone firmware?

When security updates are released (usually several per year). Subscribe to manufacturer security notices so you're alerted. Don't skip security updates thinking "if it's not broken, don't fix it." Security patches are critical.

๐Ÿฆ‰ What should I do if I suspect my drone was hacked?

  1. Immediately stop flying
  2. Update firmware to latest version
  3. Change all passwords (especially cloud accounts)
  4. Have the drone inspected by technician
  5. Don't fly commercially until you've verified security

๐Ÿฃ Is it safe to upload flight data to cloud storage?

Yes, if you:

  • Use reputable provider (Google Drive, Dropbox, AWS)
  • Enable encryption (most do by default)
  • Use HTTPS connection (check URL)
  • Use strong password + MFA
  • Don't share storage with untrusted people

Cloud storage is actually safer than local storage (backed up, encrypted).

Conclusion

Cyber security is increasingly important as drones become more connected and data-driven. Threats range from signal hijacking to data theft to malware. Operators must implement basic security practices: firmware updates, strong passwords, encryption, and secure data storage. Commercial operators should develop formal cyber security procedures and document them in their Operations Manual. Regular security reviews and incident response planning ensure preparedness.

Ready to Streamline Your Cyber Security?

MmowW provides encrypted data protection and security management tools.

NZ$8.60 per drone per month โ€“ Keep your data and systems secure. Start your free trial today