Remote Sensors and Stuff

The "stuff" is doing a lot of heavy lifting.

Adversarial Thinking: Paranoia for Fun and Profit

Featured image: North Central Telephone Cooperative Corporation (NCTC) Central Office Technician Eddie Blankenship installs a fiber optic jumper cable. Photo by Lance Cheung, USDA, is in the public domain.

This information is for educational and informational purposes only. Attempting to access systems without prior explicit authorization, affixing a dangerous weapon to a UAS, and recording people on private property where they have a reasonable expectation of privacy are illegal. The author is not responsible for any misuse of this information or damages resulting from its use. Always practice on systems you own or have explicit permission to test.

I’ve talked a lot about defense here, so in honor of the late Spirit Airlines let’s have a quick talk about offense. “Think like a criminal” is a common mantra in physical security, and “think like a hacker” is a common equivalent for cybersecurity. Complaints about the meaning of the word “hacker” aside, the point is that implementing security measures without considering what they’re securing against is rarely helpful. Instead of thinking about how a system should work, a strong defender should instead think about how to exploit it.

For the sake of practicing what we preach, let’s go over a couple of examples of ways a UAS could be used offensively. The four main categories of hostile uses I’ll be covering are intelligence, surveillance, and reconnaissance (ISR), kinetic attack, signals intelligence (SIGINT), and computer network exploitation (CNE).

Intelligence, Surveillance, and Reconnaissance

From the moment the military was exposed to powered flight with the 1909 Wright Military Flyer, aircraft have been a tool for surveillance. Aircraft offer good vantage points, the ability to make detailed maps of a target area while in flight, and are difficult or impossible to attack or dissuade.

A UAS has all of the benefits of a regular ISR craft and then some. In addition to regular overhead photography, a UAS can capture photos or videos from unconventional angles, operate without a pilot, and potentially hide itself within an adversary’s property undetected for as long as its power source is able to sustain it.

Kinetic Attack

For a particularly spicy brand of adversary, the logical follow-up to an ISR operation is a kinetic attack. Depending on the target, these could be simple ramming attacks (against small aircraft or humans), mounted explosive attacks (often referred to as “suicide drones” or “flying IEDs”), or mounted weapon systems (such as air-to-ground missiles or deployable bombs).

While ISR operations don’t always lead to kinetic attacks (and luckily, for civilians, they almost never do), ISR and kinetic attacks are directly linked and naturally lead to one another. Reconnaissance must have already been carried out to locate and identify a target prior to the attack, and another round of reconnaissance is required to confirm whether the desired effect has been achieved by the attack.

Signals Intelligence

SIGINT is effectively the electronic equivalent of ISR. A modern sUAS has a lot in common with the platonic ideal of a SIGINT device: autonomous, computerized, radio-equipped, and small in size. The payload capacity and ability of rotorcraft to land and shut off motors can allow us to carry software-defined radio packages into unexpected locations to intercept and log radio traffic or make disruptive transmissions.

Our options for remote SIGINT are as varied as the types of signals our adversary could emit. Unencrypted radio communications can be recorded and retransmitted home (or written to local storage and carried home), schedules of the adversary’s agents could be deduced from regular encrypted radio traffic, or the types and locations of equipment on the adversary’s property could be identified by RF fingerprinting (Riyaz et al., 2018). Other attacks may be possible if we have access to the right equipment, such as laser microphones, and previous CNE missions may have given us the ability to remotely deploy more exotic strategies such as the Mic-E-Mouse side channel attack (Fakih et al., 2025).

Computer Network Exploitation

If SIGINT is the electronic equivalent of ISR, CNE is the electronic equivalent of a kinetic attack. Rather than listening to or manipulating an adversary’s radio emissions or communications, the goal of CNE is to make active intrusions on their networks or computer systems. Similarly to how ISR both precedes and follows a kinetic attack, SIGINT operations often precede and follow an instance of CNE. We must have a basic understanding of the target network’s topology before it can be exploited, and an exploited network is often opened up for more invasive SIGINT techniques.

Imagine a scenario where we’re tasked with exfiltrating a file from a server located on an adversary’s property. The server is on the same network the adversary’s agents use for laptops and tablets, but is segregated from the internet connection itself. One potential attack vector would be to equip a small rotorcraft with an ESP32 or similar SoC, land it within range, and remotely carry out an evil twin/evil portal attack to capture credentials for the network. Once the credentials are captured, the payload can connect to the network and either attempt to exfiltrate the data directly or scan the network for vulnerabilities that could be exploited after returning with another payload.

Intrusion Countermeasures

Since the 80s, science fiction writers have been infatuated with a concept they call “intrusion countermeasure electronics,” or “ICE,” which is a hypothetical program that acts as a sort of digital guard dog that detects and fights hackers in cyberspace. While we don’t have anything like that today (though AI agents may be able to bring that fiction to life soon enough), we do have a major factor on our side: these hostile uses tend to be symmetrical. If an ISR platform can see us, we have the opportunity to see it. If a drone can attack us, we can attack it. A drone carrying out a SIGINT operation must transmit or physically exfiltrate collected data, during which it can be interacted with. A drone exploiting our networks and computers is itself a computer with networking capabilities that can also be exploited.

That being said, it’s worth noting that if you aren’t the military or police, physically interfering with a drone or exploiting its computer systems is very, very illegal (18 U.S.C. § 32, 2006; Van Buren v. United States, 2021). If you are, however, it’s also worth noting that many low-cost consumer and hobby-grade drones are made with cheap electronic components that lack the security measures of professional, police, or government-grade platforms. Many easily implemented strategies such as deauthentication attacks, replay attacks, or unencrypted control link hijacking are likely to be effective in this case.
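The symmetry argument cuts both ways for the evil twin scenario in the CNE section: a drone-borne rogue access point has to beacon our SSID and usually deauthenticates clients, and both are visible to a wireless sensor. As an added example (not code from the original post), here is defender-side detection logic run over a constructed log of Wi-Fi management frames; the SSIDs, BSSIDs, frame timings and thresholds are all made-up assumptions.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames as a wireless sensor might
# log them: (timestamp_s, frame_type, ssid, bssid, rssi_dbm). All made-up.
OBSERVATIONS = [
    (0.0, "beacon", "corp-ops", "aa:bb:cc:00:00:01", -48),
    (0.1, "beacon", "corp-ops", "aa:bb:cc:00:00:02", -52),
    (0.2, "beacon", "guest", "aa:bb:cc:00:00:03", -60),
    (0.3, "deauth", None, "aa:bb:cc:00:00:02", -52),  # one isolated, normal deauth
    # Our SSID advertised by a radio that is not one of our access points:
    (1.0, "beacon", "corp-ops", "de:ad:be:ef:00:01", -35),
] + [
    # Burst of deauths carrying our AP's address, the usual companion of a twin
    (1.1 + 0.05 * i, "deauth", None, "aa:bb:cc:00:00:01", -35) for i in range(12)
]

# Allowlist of the BSSIDs that legitimately advertise each of our SSIDs.
TRUSTED = {
    "corp-ops": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "guest": {"aa:bb:cc:00:00:03"},
}

def find_evil_twins(observations, trusted=TRUSTED):
    """Map each trusted SSID to the unknown BSSIDs seen advertising it."""
    suspects = defaultdict(set)
    for _, ftype, ssid, bssid, _ in observations:
        if ftype == "beacon" and ssid in trusted and bssid not in trusted[ssid]:
            suspects[ssid].add(bssid)
    return dict(suspects)

def find_deauth_bursts(observations, window_s=1.0, threshold=10):
    """Map each claimed sender BSSID to the largest number of deauth frames it
    sent in any window_s-second sliding window, when that count >= threshold.
    Deauth source addresses are trivially spoofed, so rate is the signal."""
    times = defaultdict(list)
    for ts, ftype, _, bssid, _ in observations:
        if ftype == "deauth":
            times[bssid].append(ts)
    bursts = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1  # slide the window forward past old frames
            count = end - start + 1
            if count >= threshold:
                bursts[bssid] = max(bursts.get(bssid, 0), count)
    return bursts
```

Both detectors need a baseline: the allowlist comes from your own AP inventory, and the burst threshold should be tuned against normal roaming traffic on your network before it drives alerts.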

Of course, if we’re looking for countermeasures with a little more visual spectacle, I mentioned some more destructive options in this previous post.

References

Destruction of Aircraft or Aircraft Facilities, 18 U.S.C. § 32 (2006).

Fakih, M., Dharmaji, R., Mahmoud, Y., Bouzidi, H., & Faruque, M. A. A. (2025). Invisible ears at your fingertips: Acoustic eavesdropping via mouse sensors. arXiv. https://doi.org/10.48550/arXiv.2509.13581

Riyaz, S., Sankhe, K., Ioannidis, S., & Chowdhury, K. (2018). Deep learning convolutional neural networks for radio identification. IEEE Communications Magazine, 56(9), 146–152. https://doi.org/10.1109/MCOM.2018.1800153

Van Buren v. United States, 593 U.S. 374 (2021). https://www.oyez.org/cases/2020/19-783