Follow-up to my MAVLink post. Same caveat: I'm a beginner doing this as a hobby. The results below come from two small experiments in ArduPilot SITL on a simple setup, so please don't read too much into the exact numbers.

The weak link: a GPS that believes everything

We secure the comms, encrypt the telemetry… and often forget the drone has another vital sense that's just as exposed: GPS.

The issue is structural. Civilian GPS isn't authenticated — the receiver has no cryptographic way to check that the signals really come from satellites. So two attacks target it:

Spoofing: broadcasting fake navigation signals, stronger than the real ones, so the drone thinks it's somewhere it isn't.