
Client overview

A government agency responsible for environmental monitoring and disaster response, operating in hazardous and high-risk zones. 

Challenge

The agency needed a reliable way to access environments that were too dangerous for humans, including toxic spill sites and structurally unstable areas. They chose to deploy a DJI Matrice M30 Thermal for this task. However, they faced several critical concerns before full implementation: 

  • Data Security: Could the drone’s telemetry or video data be accessed by unauthorized parties, especially given its connection to the (Chinese) manufacturer’s cloud systems?
  • Operational Safety: With a weight of approximately 4 kilograms and a wingspan of 30 centimetres, the drone posed a physical risk if it malfunctioned mid-flight. What if it lost connectivity or veered out of visual range? 
  • Resilience to Tampering: Could the drone be manipulated, either remotely or physically, by bad actors, compromising the mission or public safety?  
  • Limitations for testing: The team had to carefully sequence tests to ensure critical ones weren’t missed due to early damage. 
  • Limited Equipment: Only one drone was available for testing, valued at approximately £10,000, which meant testing had to be conducted with extreme caution to avoid damage. 

Approach taken

• The engagement was framed as a case study in unconventional penetration testing.

• The drone tested resembled a spider-like model with multiple sensors (“eyes”), indicating a complex IoT system.

• The testing was exploratory in nature, not benchmarked against a formal certification or compliance standard.

• The focus was on simulating realistic attack scenarios rather than validating against predefined security baselines.

Regulatory context

The drone did not need to comply with a specific regulation or standard, as the client was not seeking certification. However, the discussion acknowledged that drone classification affects applicable legislation:

• Consumer drones typically fall under the Radio Equipment Directive (RED) in Europe.

• Heavier or more complex drones may fall under aviation safety regulations, similar to commercial aircraft.

• There is a regulatory grey area between IoT and aviation systems, depending on drone weight and technology.

Flexibility of the methodology

The testing methodology was deliberately flexible, allowing the team to tailor their approach to the client’s specific concerns and attack scenarios. Rather than following a rigid compliance framework, the team focused on practical, scenario-based testing that could be adapted to other unconventional security assessments. This adaptability ensures relevance across a range of technologies and client needs. 

Findings 

  • The drone security testing was exploratory and scenario-driven, not compliance-based. 
  • The client defined the attack scenarios and questions, which shaped the testing scope. 
  • The drone was treated as an IoT system, with attention to its unique architecture and potential vulnerabilities. 
  • There is ambiguity in regulatory coverage for drones, especially between consumer-grade and aviation-grade systems. 
  • The team has experience and flexibility to adapt the testing approach to different drone types and regulatory requirements. 

Why Resillion

The client selected Resillion for our deep expertise in cyber security, UAV safety testing, device testing and risk mitigation in high-stakes environments, and recognised us as a trusted partner. Our ability to combine technical testing with regulatory and threat awareness gave the client the solution they needed. Our transparent approach, clear documentation, and proactive communication earned the client’s confidence and ensured the success of the engagement.


Client feedback

The client expressed a preference for an exploratory security assessment rather than a formal compliance audit. They did not require certification or adherence to a specific regulatory standard, which allowed the team to focus on realistic attack scenarios tailored to the drone’s intended use. This flexibility enabled a more targeted and insightful evaluation of potential vulnerabilities. While no direct feedback quotes were shared in the session, we noted the client’s openness to a scenario-driven approach and their appreciation for the adaptability of the testing methodology.

Blog

For more information regarding the drone testing, read our blog, Lessons from the sky: What Amazon’s drone experience reveals about security testing in unmanned systems
