A Secure Communication Protocol for Unmanned Aerial Vehicles

: Mavlink is a lightweight and most widely used open-source communication protocol used for Unmanned Aerial Vehicles. Multiple UAVs and autopilot systems support it, and it provides bi-directional communication between the UAV and Ground Control Station. The communications contain critical information about the UAV status and basic control commands sent from GCS to UAV and UAV to GCS. In order to increase the transfer speed and efficiency, the Mavlink does not encrypt the messages. As a result, the protocol is vulnerable to various security attacks such as Eavesdropping, GPS Spoofing, and DDoS. In this study, we tackle the problem and secure the Mavlink communication protocol. By leveraging the Mavlink packet’s vulnerabilities, this research work introduces an experiment in which, first, the Mavlink packets are compromised in terms of security requirements based on our threat model. The results show that the protocol is insecure and the attacks carried out are successful. To overcome Mavlink security, an additional security layer is added to encrypt and secure the protocol. An encryption technique is proposed that makes the communication between the UAV and GCS secure. The results show that the Mavlink packets are encrypted using our technique without affecting the performance and efficiency. The results are validated in terms of transfer speed, performance, and efficiency compared to the literature solutions such as MAVSec and benchmarked with the original Mavlink protocol. Our achieved results have significant improvement over the literature and Mavlink in terms of security.

bytes) independent of the platform. Mavlink's binary serialization approach is lightweight and low overhead as compared to other serialization methods like XML and JSON.
The sMavlink draft version is a stable version that ensures confidentiality and integrity by using symmetric key authenticated encryption of relevant details [40]. To the best of our knowledge, the sMavlink is not implemented yet.
Furthermore, Mavlink messages are usually small and can be transmitted over a range of wireless networks, including Wi-Fi or even serial telemetric systems with low data rates, due to its Binary Serialization features. A double checksum verification guarantees message durability and accuracy in the packet header. The Mavlink protocol is the most widely used by its peers for communication between unmanned systems and ground control stations (GCS) due to these characteristics.
Despite being robust and most widely used, the Mavlink communication protocol lacks a subtle security mechanism, making it vulnerable to several attacks, such as Denial of services attacks (DDoS), Eavesdropping, and Man-in-the-middle attack [41,42]. These vulnerabilities are apparent because the Mavlink protocol does not encrypt the messages in communication. That means that the binary communication between the GCS and the UAV is happening over an unencrypted channel, making it an easy target for different security attacks. Thus, compromising the security of Unmanned Aerial Vehicles. This work's main contribution is an additional security layer added to the Mavlink communication protocol to secure the binary directional communication between the UAV and GCS. Our research produced three algorithms. The other contributions and three algorithms are described below I. Developed an algorithm to relaunch the captured Mavlink packets for attacks. II. Developed an algorithm to retrieve meaningful information from captured Mavlink packets. III. Developed an algorithm to encrypt the Mavlink packet to secure the communication.
(1) We performed and tested the experiment in a simulating environment using Ardupilot and Mission planner, which use the same Autopilot software as used in real UAVs. (2) We secured the Mavlink protocol for communication between UAV and GCS without affecting performance and efficiency.
The rest of the paper is organized as follows. Section 1 presented the Introduction. Section 2 presents the literature review and related work. A detailed overview of the Mavlink protocol is given in Section 3. Section 4 describes the Security issue of the Mavlink protocol. In Section 5, the Mavlink protocol has been exploited in terms of security attacks and vulnerabilities. Two algorithms have been proposed in this section to exploit the Mavlink protocol vulnerabilities. Section 6 presents the proposed solution to secure the Mavlink protocol. The encryption algorithm and our security technique are illustrated in this section. Section 7 demonstrates the experimental results and our solution's benchmarking with the original Mavlink protocol in terms of performance and efficiency. Finally, the conclusion of the paper is presented.

Literature Review and Related Work
The threat against UAVs is often targeted at the Unmanned Aerial System. It can be any components from the three, the UAV, the Ground Control Station, or the communication link between the two [43]. In this study, the focus is on communication link attacks, as shown in Tab. 1. As Unmanned Systems has seen tremendous growth in recent years, therefore their security has become very crucial. Many researchers have contributed to this field, and much work has been done. The contributions can be mainly divided into two approaches 1) Hardware and 2) Software.
In order to protect the Mavlink protocol, many embedded and hardware security technologies have been implemented. In the work proposed in [44], the researchers used additional encrypted communication channels with Raspberry Pi's help to the UAV security issue. In this solution, the hardware has to communicate with GCS to regain control if an attack occurs. The downside of this approach is the time difference between the GCS and the Raspberry and the higher CPU consumption. Another drawback of the analysis is that it is just a theory that has yet to be tested on real UAVs. Our study implements the solution on a case study, and the results are given in Section 7.
In another study [45], the authors secure the communication between the GCS and UAV through a proposed AES protocol with hardware implementation. The main focus of this study is confidentiality and authentication. However, the given hardware solution harms the system's efficiency, CPU, and energy consumption because of the additional hardware weight.
On the other hand, contributing to the software solutions of the Mavlink protocol, the authors consider using Caesar cipher cryptography for data encryption and authentication of Mavlink messages between the ground station and the UAV [46]. One limitation of this study is that they didn't give the results in the study. Another drawback of their work is that they are sending the secret Key in plain text. In [47], with efficient symmetrical key encryption algorithms, four effective cryptographic solutions were applied to reduce the confidentiality vulnerabilities in the Mavlink Protocol. Rabbit stream cipher, Salsa20 stream cipher, and XXTEA stream cipher are the four algorithms that have been proposed. All of them can conveniently encrypt Mavlink messages while keeping GCS and UAV communications private. The research articles [46,48] use the Caesar cryptography algorithm to encrypt Mavlink messages between GCS and UAV for cryptographic data purposes. However, in this solution, the hidden Key is sent to the UAV in plain text during the establishment process. It is effortless to find the Key at the time of capturing the packet. Thus, it is very easy to break its security. Moreover, there is no empirical evaluation of the study. Our research work implements the solution on a case study, and the results are presented below. In another study, another encryption RC5 is used to ensure that the communication is secure, but there are no details or validation of the experiment [49]. Our study secured the communication between UAV and GCS and analyzed and validated the performance with clear results. The research [50] suggests using the UAV's Private Key to add a digital signature to the data packing. In [51], another author proposed cryptographic encryption for authentication to ensure the integrity of data. However, both these studies are just proposed work. The author [47] conducted a vulnerability analysis and suggested a cryptographic algorithm to protect the Mavlink protocol without defining which algorithm to use. In [37], the authors proposed a solution called MAVSec to secure Mavlink communication. They compared four encryption algorithms, including AES-CBC, AES-CTR, RC4, and ChaCha20. Based on their result, ChaCha20 seems to be giving good results compared to others in terms of performance. However, in their proposed method, the encryption is only applied to the payload messages. The rest of the packet is the same. In our solution, we provided an extra layer of security that secures the whole packet. Several other studies have been carried out to secure the Mavlink communication protocol. Still, most of the studies are just proposed solutions or are in their early development.

Overview of the Mavlink Protocol (Mavlink System Architecture)
The Mavlink protocol specifies the framework for message composition and how to serialize messages on an application layer. The serialization process involves converting into a later stored or distributed format of a data structure or object state. After serialization, these messages are transferred to the lower layers, i.e., the transport layer and physical layer, to be sent over the network. The lightweight construction allows it to accommodate a number of transport layers and media. The Mavlink protocol can be transmitted over sub-GHz frequencies like 433, 868, and 915 MHz using Wi-Fi, TCP/IP, or low-bandwidth serial telemetry networks [52].
The second option is to use normally a Wi-Fi or Ethernet network interface to stream Mavlink messages through IP networks. In the transport layer, the Mavlink autopilot accepts both UDP and TCP links between the ground control station and the UAV, depending on the application's configuration. A connection between the client and the server is not needed for the datagram protocol UDP [53]. Therefore, it is unreliable in terms of message delivery. The advantage is that it provides a fast, light alternative weight for streaming real-time, loss-tolerant communication. In contrast to UDP, TCP is a connection-oriented protocol, which ensures it has a mechanism for acknowledging that the request has been sent [54]. This means that TCP is reliable in terms of communication. Depending on the requirements, the user has to choose whether to use UPD or TCP protocol.
The communication between the UAV and Ground Station occurs through binary serialized messages. Since the communication is bidirectional, the message's serialization and deserialization take place at both the sender and recipient ends. In comparison to other serialization approaches, Mavlink serialization uses fewer transmission messages and is significantly lighter. The Mavlink protocol has two available versions Mavlink 1.0 and Mavlink 2.0 [52]. There's another version of Mavlink called sMavlink. To the best of our knowledge, the sMavlink is not implemented yet.

Security Issues of Mavlink Protocol
The research and development in Unmanned Systems is relatively a new area, and still, a lot of research and development work is in progress. In parallel, the hackers and attackers find it an opportunity to explore new vulnerabilities and compromise these systems' security with various intentions. To address security issues and challenges, many researchers have contributed to Unmanned Systems security at different levels. One of the issues with those solutions is that they are only in the early stages of implementation and either or only proposed work. Before providing the solution to exploit the Mavlink protocol's vulnerabilities, we need to understand the security challenges. In what follows, the security challenges of the Mavlink protocol can be divided into 1) Security Requirements, 2) Security Threats/Attacks. This will help the practitioners and researchers in the future to develop security frameworks and threat models for Unmanned Aerial Vehicles.

Security Requirements
Overall, there has been much research done in terms of unmanned aerial systems security, but less work has been done on communication level security, particularly on the Mavlink protocol. A medical term is best suited for the security requirements as it says, "prevention is better than cure." To avoid security threats and attacks, it is most important to understand the security requirements and avoid these unwanted situations. The Mavlink's security requirements are summarized as confidentiality, integrity, availability, authentication, non-repudiation, authorization, and privacy [3] to secure the communication between the UAV and GCS and avoid threats. Fig. 1 below presents the Mavlink security requirements.

Confidentiality
Integrity Availability Authentication Authorization Non-Repudiation Privacy

Security Threats
The connectivity between the UAV and GCS occurs through a wireless channel with the communication protocol's help. In the case of the Mavlink protocol, this communication is vulnerable because the Mavlink protocol does not have standard security procedures. The only security check is that it checks if the packet is authentic and comes from an authentic source. The rest of the security requirements, such as confidentiality, is not natively available. The Mavlink does not have a subtle security mechanism and does not encrypt the messages. That means that the UAV and Ground Control Station communication is not secure and can be compromised very easily. Any hacker or attacker with an appropriate transmitter device can intercept the communication and communicate with the UAV. The intruder can use this vulnerability for their intended purpose, such as inject false commands into an existing mission or hijack the UAV completely. Further, these attacks are classified in terms of their outcome as follows. The classification is given in Tab. 2. Based on the above security threats, we present our threat model and exploit the vulnerabilities of the Mavlink communication protocol. The threat model consists of two steps 1) to exploit the Mavlink packet and use it for active attacks 2) exploit the Mavlink packets and later use it for passive attacks. For this purpose, two algorithms are developed and presented in the next section. The threat model is illustrated below in Fig. 2. As shown in Tab. 1, our focus here is to target the UAV against the communication link attacks and hijack the UAV. Based on our proposed algorithm to exploit the Mavlink vulnerabilities in our experiment. First, we carried out a Man-in-the-middle attack to capture the packets. When the packets are captured, Algorithm 1 relaunches the captured Mavlink packets for a replay attack. This can be used for two purposes: 1) relaunch the packets for a replay attack or an eavesdropping attack if it is an ongoing mission. If the intention here is to inject false data, a false injection attack can be carried out too by inserting false data into the captured packets. Our experiment, based on Algorithm 1, hijacked the UAV and took full control of it. Similarly, Algorithm 2 is basically developed to understand the captured packets communication between the UAV and GCS. It can be launched for passive attacks.

Exploiting the Mavlink Protocol
The experiment is carried out in a simulated environment using ArduPilot Software in the loop (SITL) and a simulating UAV. The Adrupilot SITL uses the same autopilot which is used in a real UAV. It replicates the real UAV in a simulated environment, and it also can operate a plan or a land rover without using any hardware. For the Ground Control Station, Mission Planner is selected, so at this moment, when we open Mission Planner, it automatically connects to the UAV via Mavlink protocol. If it does not connect automatically, it can be connected manually by clicking the connect button on the top right corner of the Mission Planner application. After Successful execution, the Unmanned Aerial Vehicle can be seen on the Mission Planner map as well. Here we can define a new mission, load an old mission and perform some other required tasks required for the mission.

Capturing the Mavlink Packets
The Mavlink packets are captured by intruders using specific transmitters. Since we are simulating, the packets are captured on the local Wi-Fi network using the packet capturing tool Wireshark. We filtered the port numbers in Wireshark to get only our desired port number for Mavlink. It is effortless for a knowledgeable person to recognize the Mavlink packet structure. Once the packet structure is identified, it is easy to find the port from where the packets are coming and then filter only that port to get information of Mavlink packets.
The detailed structure of the Mavlink packet is shown in Fig. 3 above captured through Wireshark. The information displayed here is in binary and hex form. The packet is saved in a text file with proper formatting. In the next step, Algorithm 1 is developed to retrieve the useful information from this packet and relaunch it for an attack to get unauthorized access to the UAV.
Algorithm 1 is implemented using Java code. When the code is run, it gets the data from the Mavlink packet that we captured via Wireshark, stored in a text file. It reads the buffers and the start sending the data on a defined port number (14450 in our case). As long as it is reading the data from the packet, it keeps sending the data. Since we are using a mission planner on our side, the Mission Planner received the data via the specified port number. All the UAV information from which the packet was captured is now visible, such as mission data and GPS location. If it's an ongoing mission, the UAV can completely hijack from Mission Planner as now it has control of the UAV. Moreover, any other intended attack can be launched, such as eavesdropping, GPS Spoofing, False mission data injection.

Converting the Packet into a Human-Readable Form
The next step is to exploit the Mavlink protocol's vulnerability that it is not secure and the data transmitted is not encrypted. For this purpose, we developed Algorithm 2, which converts the information captured by the Wireshark to a human-readable format in plain text and retrieves the meaningful information from that. This algorithm is also implemented using Java Coding.

Algorithm 2: Getting secret information in plain text Input: Captured_Packets
Packet ← Get (length, addr, port) 6 Response (Mavlink_Library) ← read (Mavlink_Messages) 7 For Unpack (Packet) 13 Received_Data (Binary, Hex) 14 Plain_Text ← Convert (Binary, Hex) 15 Sec_Inf ← Get (GPS, payload, alt, etc., ) 16 End procedure In this algorithm, first, a connection is established, and then a Mavlink message handler is defined, which checks the Mavlink messages and understands what type of Mavlink message it is handling. Then the connection is checked if it is connected to the drone object. As long as the connection is built, first, it will read the data block and save it. Then we have our library, which understands the Mavlink message. After this, the data is parsed, and the hex value 0x00ff is added, which checks which type of Mavlink packet it is, the actual hex value is received. Then we parse the data from the derived hex characters. An object is made for the Mavlink packet and checks if the packet is not null (real packet). If the packet is real, it unpacks the Mavlink packet and fetches the data into human-readable form. All attributes can be fetched from here, such as sensors data, roll, pitch, radio frequency, GPS, etc.

Proposed Solution
In this section, we propose our solution for the runtime security of the Mavlink protocol for an ongoing mission between UAV and GCS. Our approach is based on a cryptographic mechanism and our mapping technique. A security layer is added to the original Mavlink protocol, and the overall proposed model is given in Fig. 4. We encrypt the information in the Mavlink packet and make sure that when the packet is captured through Wireshark or any transmitter device, 1) it can't be relaunched to take control of the UAV, i.e., the captured packet is useless for the intruder. 2) to encrypt the packets so that even if an intruder captures the packet, he/she still would not be able to get the meaningful information from this packet. We take a case study for our solution. As stated earlier, the experiment is carried out in a simulated environment. We assume that the ongoing mission is a minimum of ten minutes and a maximum of 3 h, mostly the case in terms of the UAV's civilian applications. The UAV and GCS are connected through Wi-Fi.
First, we apply custom mapping to the Mavlink packet, which replaces the character's ASCII. The data is basically bytes that are in binary and hex form. It will give us an ASCII string that is composed of random characters. This can be reverted only with the same mapping technique. Our approach introduces the concept of lists on both UAV and GCS sides, as shown in Fig. 5. The list has two columns, a serial number, and a key. A serial number is a representation number from the list to match the Key, while the key column contains the actual Key for the Caesar cipher through which the message will be encrypted. For instance, if the Key against serial number 2 is selected from the UAV side, it means that the GCS should decrypt the same serial number 2 to decrypt the message. In communication, instead of sharing the Key, the serial number is sent. So that even if the packet is captured, the intruder won't get the Key but the serial number, which is meaningless to decrypt the cipher. The serial number is added to the start of the packet, which takes four bytes. Once the serial number is added, the Caesar cipher encryption is applied to the packet based on the Key against the selected serial number in the list. It is thenconverted into bytes and sent to the GCS. As the UAV receives the data, the first four bytes of the packets are taken as they contain the serial number. The serial number is matched with the list on the UAV side. Based on the serial number, the Key is identified, and a reverse Caesar cipher is applied to decrypt the message. When the data is decrypted, we get a character string that is still encrypted with our custom mapping and can be reverted only with our mapping reverting technique. We have also integrated the encryption technique in the Mission Planner to ensure safe communication between the autopilot of the SITL UAV and the Ground Control Station to decipher the obtained packet and to retrieve the original Mavlink message. An algorithm is developed to carry out this encryption process. The coding is implemented in Java. The pseudo-code of algorithm number 3 is given below in two steps-Algorithm 3 for Encrypting and sending the packets and Algorithm 4 for receiving and decrypting the packets.  Original Mavlink Packet 18 End procedure While exchanging the UAV and GCS data, the serial numbers are selected randomly from the table for every single request. It allows to change Key for every single request and encrypt every packet with a different key. This means that the next Mavlink packet will not send the same serial number but instead a new serial number with a new key against it to encrypt the message. When a hundred requests are completed, the serial numbers and the Key in the list are shuffled randomly in parallel on both sides so that the lists are similar on both sides. In case there at one end, the list is not updated after the iteration and sent to the other side, then the communication cannot happen, and the UAV/GCS will be considered unauthorized.

Performance Evaluation and Benchmarking
This section provides an exhaustive analysis of the Mavlink protocol's efficiency integrated with our encryption technique concerning the protocol's security. In addition, the output is evaluated in terms of resource use, such as CPU processing and memory consumption rate. We benchmark our proposed technique with the original insecure Mavlink protocol. In contrast, our technique makes sure the communication between the UAV and GCS is secured and the information shared is not vulnerable. Thus, our technique secures the Mavlink packet without affecting its performance and efficiency.
The experiment is to run a computer with an Intel 2.6 GHz Core i7 CPU; the memory or RAM is 8 GB. The operating system is Microsoft Windows 10 (64-bit) with Mission Planner 1.3.74, Ardupilot version 3.2.1, and UAV copter in SITL. The UAV is connected using UDP port number 14550.

Security
The experiment results show that the packet is encrypted with our encryption technique. The information shared cannot be retrieved when the packet is captured. To test this, we analyzed the communication between the UAV and GCS through our Mavlink encryption technique. First, the secured Mavlink packets are captured through Wireshark. Then the captured packets are sent based on Algorithm 1 to launch for attacks. The results show that when the packets are sent, the mission planner does not recognize the packets as they cannot retrieve the packet's data. Furthermore, based on Algorithm 2, it is tested whether the packets can be converted into a human-readable format or no; the results are negative. This means that the packets are useless to replicate for launching attacks as they are encrypted to secure the communication between UAV and GCS.

Transfer Speed (Packets Count)
The experimental results show that our approach sends almost the same number of packets as the original Mavlink does per second time. There's just a slight difference of one or two packets up and down which is negligible. The number of packets sent per second time by the original Mavlink protocol and our approach are given in Fig. 6.

Memory Consumption
Another important parameter for performance evaluation is memory consumptions. The results show that our technique's memory consumption is almost the same as the original Mavlink packet, as presented in in Fig. 7.

CPU Usage
Another important parameter for performance evaluation is memory consumptions. The results show that our technique's memory consumption is almost the same as the original Mavlink packet, as presented in in Fig. 8.

Conclusion
In this research work, a new approach is proposed and applied to secure the Mavlink communication protocol. The technique is based on a cryptographic encryption algorithm and custom mapping. An additional security layer is added to the Mavlink communication protocol to secure the whole packet. A new concept of lists is introduced, which sends a serial number instead of sending the secret Key for encryption. The Key against the serial number of both sides is matched, and the messages are encrypted and decrypted. The results are carried out in simulating the environment using virtual UAV via Ardupilot SITL, which uses the same autopilot as the real Planes and UAVs. The result shows that our technique makes the communication secure without affecting the original protocol's performance and efficiency. The proposed solution is compared with the existing literature, such as MAVsec and benchmarked with the original insecure Mavlink protocol to validate the results in terms of transfer speed, performance, and efficiency. The current scope and limitation of the work are that it is best suited for missions that's duration is min 10mins to a maximum of 3 h. In the future, we are working on making the protocol adaptive and self-deciding to apply different levels of encryption based on the mission requirements.