Assessment
CFSE Consequence Paths assesses GPS/GNSS Spoofing Safe-Hijacking of Consumer Drones (Adaptive GPS Spoofing / Tractor Beam class) at CRITICAL — the worst of 2 risk paths (perception, safety). The dominant consequence is manipulated perception that drives action.
Vulnerability
GPS/GNSS Spoofing Safe-Hijacking of Consumer Drones (Adaptive GPS Spoofing / Tractor Beam class). Reported attack vector: RF / wireless (GNSS signal injection within radio range; no network or credentials).
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
PERCEPTION_TO_ACTION → CRITICAL
CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:2/EC:2/EX:2/PH:4/DP:4/AT:2/CH:4/SR:4/SX:3/OR:4/EV:3/LS:ACTIVE
Exposure EX=2 (reachability and complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=ELEVATED → base CRITICAL · uplift recall-class recovery → assessed CRITICAL.
- Primary path: spoofed GNSS corrupts the position estimate (DP:4 nav/world-model state) that the autopilot trusts and acts on, driving physical actuation.
- perception_feeds_action — true because the deceived location estimate directly drives flight control, fail-safe transitions, and trajectory. PH:4: forced fly-away, steering to attacker location, crash/forced landing are credible dangerous actuation. RE:2: RF/proximity within line-of-sight, no network/creds. EC:2: advanced-but-reproducible adaptive signal shaping with COTS SDR, multiple groups replicated. AT:2: no signing/firmware root or fleet control plane is captured; attacker controls a trusted sensor input (bounded component-level deception), not a credential or trust root, so not AT:3/4. CH:4 and boundary_crossing: RF/physical -> perception -> control/safety domains. SR:4: technique reuses against any unauthenticated civilian GNSS receiver (no per-device secret). SX:3: one spoofer affects all in-range receivers, deployment/area-wide but requires RF setup/proximity, not remote cloud fleet. OR:4 and recovery_needs_fleet_action: root cause is unauthenticated L1 C/A; no software patch, recovery is operational/sensor-fusion/authenticated-GNSS fleet-level redesign. EV:3 reproduced.
DEVICE_CONTROL_SAFETY → CRITICAL
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:2/CH:3/SR:4/SX:3/OR:4/EV:3/LS:ACTIVE
Exposure EX=2 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=ELEVATED → base CRITICAL · uplift recall-class recovery → assessed CRITICAL.
- Terminal safety/control consequence: attacker commandeers vehicle trajectory or forces fail-safe (RTH/land/fly-away), yielding effective control over a safety-critical actuator without any software credential. PH:4: dangerous actuation/crash credible. RE:2 RF proximity. EC:2 reproducible adaptive spoof with SDR. AT:2: control influence via trusted sensor input, no credential/firmware/trust-root captured. DP:3: manipulated sensitive operational/navigation state feeding control (not exfiltration).
- perception_feeds_action — true. CH:3 cross-domain influence;
- boundary_crossing — true. SR:4 portable technique. SX:3 area-wide with RF setup. OR:4 no root-cause patch, operational/fleet mitigation. EV:3 reproduced takeover demonstrated. Distinct from perception path in that the terminal effect is the unsafe device control/safety outcome itself.
Published baseline
No public baseline score has been published for this finding. It belongs to a perception/control harm class that is often outside published vulnerability-scoring coverage. The registry records the reachable consequence path for review.
Sources
- source citation pending public URL