Protocol drone

Drone Protocol


n more than 40 years as a referee at the high school, college and professional levels, Bruce Maurer has seen his share of the unexpected on a football field.

Then last summer, something he had never seen before popped onto his radar above a 7-on-7 football skills camp in Dublin, Ohio.

General Advertisement – (Secondary Pages)

“We were just officiating, and I was the back judge, and I started to hear this whirring noise,” said Maurer, who has worked major college and NFL games, and now officiates football, basketball and lacrosse. “I see this thing, and my brain is in officiating mode, and I go, ‘Oh, my Lord, that’s a drone.’ That’s the first time I’ve ever seen a drone.”

Drones are making headlines and newscasts as their popularity grows. They are used in various ways, including in the military, for commercial use and in sports, in practices and/or games. The small, unmanned aircraft systems that resemble radio-controlled helicopters have been spotted at prominent professional, college and high school events. They’ve created a stir in the air over jam-packed college football stadiums in Wisconsin, Tennessee and Texas, at the U.S Open tennis tournament in New York and at an NFL preseason game in Charlotte.

Equipped with a camera, drones are giving operators a look at the field of play from a new perspective at a reasonable cost. Drones range from less than $50 to advanced models that can cost thousands of dollars.

After Maurer’s first sighting, it didn’t take him long to realize a serious issue was hovering overheard — for administrators, fans and officials who work the games.
“Obviously, some people would have an issue with safety,” Maurer said. “The thing I saw was literally flying directly overhead while (the teams) were playing. Then there is a cost issue: if one school can afford it and another school can’t, that creates a problem.”

Next Level Baseball Officiating Email Series

Maurer’s sighting turned out to be a drone used to get promotional video of the football camp. But as drones continue to fill the air, sports administrators and officials, and even the Federal Aviation Administration (FAA), are scrambling to keep pace.

General Advertisement – Referee Officiating News

Big Stadiums a Big No-No

While drones are being used at practices for sports teams of all different levels to give coaches a new perspective on play, the FAA has made it clear for major college and professional events: No drones allowed.

In October, the FAA issued an updated ban on flights over open-air college and professional stadiums with seating capacities of 30,000 or more. The FAA’s guidelines now ban unmanned or remote-controlled aircraft “where either a regular or postseason MLB, NFL or NCAA Division I football game is occurring.” The FAA update also banned flights at NASCAR and Indy Car races.

Sports-Basketball Interrupter – 2021 Complete Basketball Training Package (640px x 150px)

Among the few exceptions: authorized flights for broadcast coverage. The ban includes the area within a three-mile radius of the event and is in effect from one hour before the event begins until one hour after it concludes.

The NCAA Soccer Rules Committee also has addressed the issue of drones, declaring last year that they “may not be used to monitor or record intercollegiate soccer games.”
More recently, drones were banned from flying overhead at the Masters golf tournament. An ordinance includes the punishment for any such violation: up to 60 days in prison and a fine of up to $1,000.

The FAA guidelines, though, don’t address drones showing up at smaller events, including those at the college and high school levels, and some are dealing with the proliferation of drones in different ways.

High Schools Take Action

State high school associations have taken markedly different stances, or no stance at all. Some states, like Virginia, defer to local laws.

“It’s a local governance issue to determine if it is allowable,” said Virginia High School League spokesman Mike McCall.

Elsewhere, state associations are taking steps to catch up as drones appear overhead at their games.

In New York, drones are prohibited at all public school athletic events after the New York State Public High School Athletic Association (NYSPHAA) issued a memo to its membership in September.

NFHS football rules require a restricted two-yard imaginary restraining line around the field on the sidelines. Robert Zayas, the NYSPHAA’s executive director, said he interpreted that to include the space above the field to “go straight up vertically to infinity.”

NASO Interrupter – Every Dollar Counts (640px x 165px)

A drone hovering above “would violate being inside the two-yard line,” Zayas said.
Zayas added that the NYSPHAA — with nearly 800 member schools — saw the arrival of drones in athletics becoming more common and decided to be proactive, comparing the trend to the rise of social media.

“I started to worry about what we would do if multiple drones showed up at a game and people are competing for airspace over the field,” Zayas said. “And if a drone was to fall and injure someone, and then there’s the idea of ‘Who’s operating this drone and how experienced are they?’ We just wanted to be way out on the front end of it.”

In Ohio, drones are permitted during regular-season contests only, “and that is at the host site’s discretion,” said Tim Stried, director of information for the Ohio High School Athletic Association (OHSAA).

“We don’t really step into policing that at the regular-season level because the host sites can decide if they’re going to allow that,” Stried added.

The OHSAA, though, has banned drones during any playoff contests. The association adopted the ban last school year when schools inquired about the use of drones for football, and a new policy will ban drones in all sports during postseason beginning next school year.

The reasoning was simple.

“It was entirely safety-related,” Stried said. “Since we control the postseason, we adopted it for the postseason. Before that, it’s up to the schools, but if they want to do that they would be liable for damage.”

In Delaware, a drone sighting over a soccer game last year spurred the Delaware Interscholastic Athletic Association (DIAA) to take action. The unidentified flying object caught referees by surprise.

“The officials weren’t sure what it was up there for,” said Tommie Neubauer, coordinator of officials and events for the DIAA, which oversees 110 high schools. “The officials asked the home team if they knew who was flying the drone and they didn’t.”

The drone, it turned out, was being operated by the school’s television station, which was shooting footage of the game to go with its morning news program.

That innocuous incident, though, started a discussion at the DIAA, and soon the association had banned drones for all postseason events.

“We talked about it, polled our board, and with not being able to tell where they’re coming from and who’s controlling them, we decided to forbid them over any state championship events,” Neubauer said. “It was almost 99 percent for safety reasons.”

The DIAA didn’t extend the ban to the regular season, instead leaving that up to the schools involved.

“They control their regular season, and it’s up to them,” Neubauer said. “If it’s up there, they’ll want to find out who’s doing it. To be in control of it, somebody’s usually standing out there with a controller that you can see.”

What if a Drone Appears?

While some states take action to deal with drones, as their popularity grows, officials can expect to see them. Should officials be worried about liability if one drops out of the sky and causes injury?

NASO’s insurance application from its provider, American Specialty Insurance and Risk Services, Inc., includes the following: “The General Liability policy excludes the ownership or use of aircraft, which a drone would be considered. So long as the officials themselves are not hiring, owning, supervising, maintaining, operating the drones, etc., this limitation should not apply for them. Therefore, if a drone fell from the sky and hit a participant, and the participant, in turn, sued the official, this exclusion would not apply for the official so the coverage could apply.”

But officials can take steps to ensure everyone’s safety if a drone appears during a game they are working.

In the Delaware case, the issue was resolved quickly and effectively.

“Officials handled it very well that day,” Neubauer said. “They went to the home team bench and asked if they knew who it belonged to. And they found out who was controlling it and for what reason.”

Sometimes, though, it is not easy to figure out who’s operating the drone or why.

“From the officials’ point of view — absent some particular conference or league directive — I think it’s pretty simple,” said Alan Goldberger, attorney and author of Sports Officiating: A Legal Guide. “If I’m out on the field and I see one of those things overhead, if it’s going to come down low where I can read the numbers on it, I’m probably going to call time and wait till it goes away. I don’t think it’s any more complicated than that.”

Goldberger, who officiated football, baseball and basketball for more than 30 years, likened a drone appearance to other distractions a referee might encounter during a game, like weather, a troublesome fan or an animal.

“If there’s any type of interference, you don’t play, you get rid of it,” Goldberger said. “I think you deal with it like any other potential hazard. That would be part of our responsibility as officials.

What's Your Call? Leave a Comment:


Note: This article is archival in nature. Rules, interpretations, mechanics, philosophies and other information may or may not be correct for the current year.

This article is the copyright of ©Referee Enterprises, Inc., and may not be republished in whole or in part online, in print or in any capacity without expressed written permission from Referee. The article is made available for educational use by individuals.

Referee, the world’s original sports officiating magazine, educates, challenges and inspires officials at all levels.

Tips For Using A Protocol Director Drone Distance

One of the most prominent questions asked by a Protocol Director Drone Distance rider is how far can it go? There are two ways you can accurately measure the range which a drone can cover. First, you need to know how far away from you the drone can get and you may also be referring to the number of miles of ground which the drone can cover before the battery gets exhausted. Several drones offer enough flight time and speed to cover at least ten miles of the ground even though they can only cover lower than a mile from the remote control.

What makes the Protocol Director Drone unique?

This drone got designed to give you an edge in your drone piloting experience. You can use it to create videos with 3 different camera angles with good audio quality. It comes with unique features such as auto-launch, hover, and land coupled with altitude sensors. This drone has 6-axis motion-sensitive stabilizers and three selectable speeds.

Furthermore, the Protocol Director is made using crash-resistant materials and can get recharged using the USB. Also, it has a 2.4GHz remote and 3 camera shoot and records audio. The drone is fitted with live streaming capabilities and has a camera resolution of 720p with simultaneous photo and video. You can easily navigate this drone using your Smartphone.

What is the Protocol Director Drone Distance covered?

The distance you can navigate your drone through is dependent on the unobstructed line of sight that exists between the drone and the remote. Also, these values are often calculated within a low interference environment using the remote antenna positioned optimally for maximum results. The world has many places riddled with metals on the ground hence the need for interference warnings. In such places, you begin to see video lag as well as stutter distances which are less than the range reported by the drones.

Always have it at the back of your mind that the video signal and the control signal may have4 different frequencies 2.4GHz and 5GHz. Hence, you will have to maintain control even after the video gets cut off. Stuttering video may well serve as a perfect indicator that the connection you are using is not good enough.

In a practical scenario, you have to expect the drone you are flying to get to a distance of 4 miles before any real issue could arise. Depending on the rules governing drone usage where you are, you may likely limit the flight to about 2,000 feet out. The essence of the legal line of sight in most countries is to keep the drone visible to the eyes.

Tips to help you extend the flight distance and time

One of the major drawbacks of drones is that they do not stay in the air for as long as we may desire. Here are some tips that should help make your drone stay longer in the air:

If you intend flying just for fun, the ideal way to fly higher and longer is to cut the weight of the drone. With less weight, the motors will have less to lift hence less power consumed. You may remove the prop guard, camera, and any other thing you may not need.

The moment you disconnect the battery from the charger, you will begin to lose some of the charges. To optimize your battery, you should use it only when it is well charged. Also, do not expose the battery to the sun or cold.

  • Replace the batteries where needed

If you have been flying for a while, you will begin getting less flying times than you used to. The reason for this is that batteries have a pre-defined lifespan. Hence, when you have been flying for a while, make sure you get replacement batteries.

What happens when your drone loses connection?

The easiest way to avert a situation where you lose connection when your Protocol Director Drone is going the distance is to ensure the tools are in good shape. Each drone manufacturer often has unique solutions to a loss of connection with some of them automatically returning to base. Some other drones will automatically hit the emergency stop and cause the drone to base while others simply land the drone where it is.

However, some drones will keep on operating using the settings last received from the controller. Hence, before you take off from the base, make sure you are familiar with the actions which you can take to recover your lost drone. Wait for the drone to get close to where the connection can get recovered.

Last line

The Protocol Director Drone Distance covered is dependent on a few factors some of which have been shown in this piece. Ensure your drone is in proper shape and all accessories are well taken care of before embarking on your next flight.

  1. Zodiac sign leggings
  2. Reddit mtg
  3. Oncolytics biotech
  4. Jedha star wars

Drone Secure Communication Protocol for Future Sensitive Applications in Military Zone

Yongho Ko,1,Jiyoon Kim,2,Daniel Gerbi Duguma,2Philip Virgil Astillo,2Ilsun You,2,* and Giovanni Pau3

Jingon Joung, Academic Editor

Author informationArticle notesCopyright and License informationDisclaimer

Received 2021 Jan 29; Accepted 2021 Mar 10.

This article has been cited by other articles in PMC.


Unmanned Aerial Vehicle (UAV) plays a paramount role in various fields, such as military, aerospace, reconnaissance, agriculture, and many more. The development and implementation of these devices have become vital in terms of usability and reachability. Unfortunately, as they become widespread and their demand grows, they are becoming more and more vulnerable to several security attacks, including, but not limited to, jamming, information leakage, and spoofing. In order to cope with such attacks and security threats, a proper design of robust security protocols is indispensable. Although several pieces of research have been carried out with this regard, there are still research gaps, particularly concerning UAV-to-UAV secure communication, support for perfect forward secrecy, and provision of non-repudiation. Especially in a military scenario, it is essential to solve these gaps. In this paper, we studied the security prerequisites of the UAV communication protocol, specifically in the military setting. More importantly, a security protocol (with two sub-protocols), that serves in securing the communication between UAVs, and between a UAV and a Ground Control Station, is proposed. This protocol, apart from the common security requirements, achieves perfect forward secrecy and non-repudiation, which are essential to a secure military communication. The proposed protocol is formally and thoroughly verified by using the BAN-logic (Burrow-Abadi-Needham logic) and Scyther tool, followed by performance evaluation and implementation of the protocol on a real UAV. From the security and performance evaluation, it is indicated that the proposed protocol is superior compared to other related protocols while meeting confidentiality, integrity, mutual authentication, non-repudiation, perfect forward secrecy, perfect backward secrecy, response to DoS (Denial of Service) attacks, man-in-the-middle protection, and D2D (Drone-to-Drone) security.

Keywords: drone, security, formal verification, vulnerability, D2D, D2GCS, attacks

1. Introduction

Unmanned Aerial Vehicles (UAVs) occupy an essential place in both military and civilian applications by playing a core role in criminal investigations, public safety organizations, transportation management facilities, and surveillance forces [1]. With the ability of dynamic mobility, quick reaction, and ease of deployment, UAVs offer new possibilities for different applications at a viable expense. In the last few years alone, networked UAVs have been a dominating area of research for different business organizations, such as Google, Facebook, Boeing, and Amazon.

High portability is one reason for interface twisting in UAV networking. Regardless of this, UAV-enabled systems support remote networks in the regions where physical interaction is troublesome or costly. It is apparent from the current research that UAVs are suitable for plenty of use cases, yet their deployments face a ton of difficulties and criticisms. Initially, the majority of the researches contend on the architectural structure of drone communication, which at present comes up short with regard to standard and unification. In addition, UAV-aided communication systems experience the ill effects of issues related to spectrum sharing [2].

Aside from these, UAV communications face specific issues identified with the architectural plan, deployment, and consistency, with broad and dependable networks alongside their security [3]. Normally, UAVs function remotely by receiving commands from the ground control stations. These command and control messages are transmitted over various channels with a variable transmission rate [4]. Since that information transmitted to/by UAVs is mainly over the air, and most of the information transferred are highly sensitive and critical [5], security is a primary concern in UAV communications. Therefore, the security of these channels in UAV systems is one of the essential requirements for robust communication between UAVs and/or between UAVs and the Ground Control Station (GCS).

The security vulnerabilities can prompt an assault on confidentiality, trustworthiness, validness, and accessibility of UAVs. Generally, cryptographic mechanisms accomplish message security and control signal assurance. Consequently, security concerns like unauthorized access, malicious control, unlawful association, or other malevolent attacks need to be mitigated effectively with limited or no consequences on the performance [6]. Recognizable proof of threats and their defense in UAV systems are critical issues to be dealt with by comprehensive and proficient methodologies.

Recently, a vulnerability has been discovered in the DJI UAVs that an attacker was able to exploit to gain user account information, which then led to UAV hijacking [6]. The attack is succeeded by intercepting users’ identification tokens by logging into the DJI forums and acting as a legitimate user. It is often the case that the administrator of the UAVs maintains information related to flight history, photographs taken during the flight, payment information, real-time access rights of UAV cameras, and location information. Accordingly, attacks on these devices, apart from other damages, may enable adversaries to leak such crucial information and violate the security and privacy of users. In general, UAVs lack suitable security mechanisms that protect them from various attacks while taking a good balance between performance and safety [7].

Such security issues, especially in a military setting, may bring devastating effects that put classified information in jeopardy. For instance, a session hijacking attack orchestrated in a military scenario enables an attacker to extract previously exchanged information and use it for different malicious activities. Additionally, communication among UAVs needs to be secured since they usually work in collaboration to achieve a specific objective, such as passing information in an ad-hoc manner. Another critical issue in the military environment, where sensitive information is transmitted and commands are triggered, is maintaining tractability. That is, any entity (UAV or GCS) should be accountable for its actions and should not be able to repudiate it. Consequently, the main aim of this paper is to design a secure UAV communication that is specially designed for military environments by which perfect forward secrecy is maintained, UAV-to-UAV (and UAV-to-GCS) communications are secured, and nonrepudiation is supported. The key contributions of this paper are listed as follows:

  • A new protocol for UAV-to-UAV and UAV-to-GCS is proposed,

  • A formal security analysis of the proposed protocol using BAN-logic and Scyther tool is carried out,

  • A detailed comparative analysis based on security property and computational overhead between the proposed and existing protocols is given,

  • The protocol is also implemented on a real UAV (powered by Raspberry Pi) and a Linux-based ground control station.

  • The remainder of the paper is organized as follows: In Section 2, the state-of-the-art study of existing drone communication protocols is described. In Section 3 and Section 4, the proposed protocol is presented in detail, and a formal security analysis of the protocol is provided, respectively. In the final three sections, performance analysis, simulation results, and conclusion of the paper are provided, respectively.

2. Related Works

The development era of drones and communication technologies are tremendously growing, where the various specialist service providers and equipment sellers are bringing constant flow of new advancements, such as network accessibility [8], offloading strategies [9], path planning [10], and various applications [11,12,13]. These enhancements go hand in hand with industrial advancements, such as in References [14,15]. In particular to UAVs, the ongoing improvements emphasize the information rate and security, which includes secrecy, honesty, verification, and non-denial of transmitted information. UAVs have a risk of information leakage as they are remotely controlled or operated through predetermined missions in a resource-limited environment. With this regard, the cryptographic mechanisms are well-known solutions against the attacks in most UAV-based communications, which help to design robust security services. UAV communication, in general, involves the drones, network providers, ground control stations, and trusted third parties for authentications. Every entity plays a significant role in the entire communication process to safeguard the system from security breaches. To this end, various researchers have studied multiple security issues concerning UAVs, such as eavesdropping, network jamming, weak authentication, and mobility management issues [16,17].

Seo et al. [18] proposed a security solution for drone-enabled delivery service by utilizing White-Box Cryptography (WBC) as a product assurance instrument for UAV landing points and cryptographic resources, alongside Public Key Infrastructure (PKI) as a verification and non-repudiation technique. The principal goals of the proposed protocol are assurance of a secret key, information protection during capturing, and secure storage of information. The authors considered different security properties, such as confidentiality, integrity, non-repudiation, authentication, and software protection. Kriz and Gabrlik [19] proposed the UranusLink packet-oriented communication protocol with both non-reliable and reliable transfer mechanisms that allow secure connection and packet loss detection. The authors discussed various related issues such as security, low data throughput, ability to data loss detection, and low latency. Won et al. [20] proposed a secure communication protocol for drones and smart objects that depend on an efficient Certificateless Signcryption Tag Key Encapsulation Mechanism (eCLSC-TKEM). Islam et al. [21] presented a group key distribution protocol for FANETs (Flying Ad hoc NETworks), which relies on a group leader that discharges the base station for other operations. The authors considered different FANET requirements, such as node mobility and changes in the topology. Maxa et al. [22] provided a protected UAV ad hoc reactive routing protocol (SUAP; Secure Uav Ad hoc routing Protocol) that depends on public-key cryptography, hash chains, and geological lashes. It is utilized to ensure the route discovery component giving trustworthiness, verification, and non-repudiation services, which is the expansion of the SAODV (Secure Ad hoc On-demand Distance Vector) routing protocol.

Other related researches such as Blazy et al. [23] proposed UAV-GCS Secure Communication Protocol by using efficient cryptographic techniques to ensure the confidentiality of sensed data. The authors highlight various interesting requirements, such as forensic-resistant property of captured UAVs should not compromise the security of UAS (Unmanned Aerial System) or the freshness of keys, to name a few. In addition, Wang et al. [24] proposed a handover key management scheme for the LTE (Long-Term Evolution)-based UAV control system to stress on the robust and secure connection to direct and control the UAVs. The paper further discussed security prerequisites such as authentication, access control, confidentiality, integrity, and user plane traffic. A certificateless group authenticated key agreement (CL-GAKA) scheme for secure communication among untrusted parties is also proposed by Semal et al. [25]. The authors considered confidentiality, message integrity, and authenticity requirements in UAV communication along with UAV-to-UAV secure channel establishment, whereas UAV-to-Infrastructure communication, as well as the routing problem, are not discussed.

Another study that examined the security requirements of UAV communications is presented by He et al. [7]. The authors discussed specific attacks like GPS jamming, spoofing, and Wi-Fi attacks along with the countermeasures. Likewise, Kim et al. [26] proposed a mechanism to confirm deletion activities in the wake of eradicating information, regardless of whether control of a remotely conveyed UAV is lost. The authors utilized a countdown-based approach and a hash chain to validate the sender of the received messages to trigger the deletion activity, significantly after UAV communication was lost. In connection to this, the security and privacy concerns of the Internet of Drones (IoD) is studied by Wazid et al. [27]. The authors also proposed a centralized authentication and key agreement scheme. The authors cover various security requirements but lack emphasis on the forward and backward perfect secrecy and non-repudiation, which are the essential requirements in critical and sensitive drone-oriented missions.

3. The Proposed Protocol

This section describes a security protocol used for UAVs to communicate with monitoring UAVs and GCS. The protocol is mainly designed to serve in a military environment with two sub-protocols: SP-D2GS (Security Protocol for Drone-to-Ground Control Station) and SP-D2MD (Security Protocol for Drone-to-Monitoring Drone).

3.1. Preliminary

Apart from their widespread usage in many application areas, UAVs have been extensively used in military settings, especially for the purpose of surveillance, search and rescue, national intelligence programs, reconnaissance, etc. [28]. Clearly, such operations are sensitive by nature, due to the fact that they almost always involve national secrets. Consequently, if exchanged information between the UAVs and the ground station are disclosed, it may bring a lot of damages—from risking international relationships to serious conflicts and wars. Thus, it is important to design a scheme that enables communicating entities to establish a secure channel before exchanging any sensitive information. In this section, such a security protocol that is particularly designed to operate in a military environment is described.

The intended communication between the UAVs and the GCS can be arranged in a direct or hierarchical fashion. In the former case, each of the participating UAVs exchange information with the GCS independently. That is, the UAVs establish a secure channel with the GCS first, and send the collected data through a wireless channel. Such arrangements can be secured with the SP-D2GCS protocol (shown as the golden colored arrows in Figure 1). For the hierarchical organization, a dedicated monitoring drone is responsible to collect and transmit various data from each of the assigned UAVs to the GCS. The monitoring drone, hence, acts as a middleman that executes the SP-D2MD protocol (shown as the blue colored arrow in Figure 1) between the UAVs and itself, and then transmits the collected data to GCS by using the SP-D2GCS security protocol. The details of these sub-protocols will be described in Section 3.3 and Section 3.4.

Prior to the execution of the proposed protocol, however, the UAVs and the GCS need to be configured with the necessary information. First, the GCS generates the long-term private and public keys for each UAV. Then, it prepares a certificate request (CSR), based on their respective public keys and other information, and sends it to the Certificate Authority (CA). Next, it prepares unique identities (ID) for each of the participants. Once the key pairs, the certificates, and the IDs are ready, they will be securely delivered to each UAV, as shown by the green arrows in Figure 1. Furthermore, GCS and UAVs are assumed to be pre-configured with various cryptographic functions, such as digital signature algorithms (e.g., ECDSA; Elliptic Curve Digital Signature Algorithm), encryption and decryption function, cryptographic hash functions (e.g., HMAC; Hash-based Message Authentication Code), pseudo-random number generators (PRNG), etc. It is also assumed that the GCS and the UAVs are time-synchronized, and that the elliptic curve domain parameters (p, a, b, G, n, and h) are decided ahead of the communication, and are known by each of the communicating entities. Additionally, important information such as pre-shared keys (for instance PIN), IP address, type of UAV (monitoring or general drone), and operation ID (IDMISSION) are configured by the user before the UAVs start their mission.

3.2. Threat Model

In computing, a threat can be understood as any incident that has the potential to bring loss or harm to a system. Substantially, threats are events that aim at violating the confidentiality, integrity, and availability properties of a computing system. Such threats can happen due to different vulnerabilities, which are weaknesses in the system as a consequence of design flaws, configuration mistakes, security policy inaccuracies, to name a few. Consequently, anyone with malicious intent and technical capability can exploit these vulnerabilities to launch an attack, thereby realizing the threats. Attacks can be orchestrated by two classes of an adversary: insider or external. The former refers to malicious attacks, such as replay, falsification, and masquerading, repudiation, or obstructions [29]. These attacks are typically carried out by a foe with legitimate or authorized system access. The latter represents attacks committed on a system network or computer system mainly either by exploiting a vulnerability of the system or by social engineering. These are threat actors that attempt to exploit security exposures, and they are generally located outside the firewall.

More often than not, cryptographic protocols are intended to work in an open environment where adversaries are capable of accessing the ciphered information exchanged between communicating peers. Such security schemes are often modeled with the Dolev-Yao (DY) threat model [30]. This model assumes an insecure public channel (which makes the communicating entities untrustworthy) and powerful adversaries that are capable of obtaining messages passing through the network, initiate and receive a conversation to and from other participants, and able of impersonating other entities. Despite all these capacities of the attacker, there is off-limits information. Some of this information is guessing random numbers generated from sample space and deciphering a ciphertext, enciphering a plaintext, or getting the same HMAC value without the proper key. Consequently, the protocol proposed in this work is modeled using the DY threat model, and only GCS is assumed to be fully trusted.

The assumptions we took in designing this protocol are described as follows. It is assumed that the elliptic curve domain parameters (p, a, b, G, n, and h) are decided ahead of the communication and are known by each of the communicating entities. The GCS and all affiliated drones can obtain a timestamp value indicating the current time, and have time synchronization to verify the given timestamp value from the other party. The GCS and all its drones have public/private key pairs and certificates supporting Elliptic Curve Digital Signature Algorithm (ECDSA), GCS assigns IDs to the drones and monitoring drones, and the user plans the operation through the related application and selects the drones included in the operation by using IDMISSION (the ID of the operation) and P (PIN number), which are provided before the execution of the protocol.

The proposed protocol is required to satisfy important security requirements to withstand various attacks. Some of the most important requirements are:

  • Mutual Authentication: for secure communication among a drone, a monitoring drone, and a GCS, the communicating entities need to authenticate each other mutually.

  • Strong Key Exchange: in order to assure the perfect forward secrecy of the protocol, a strong key exchange should be executed in a way that generated session keys cannot be recovered.

  • Confidentiality: the information exchanged between the drones and between the drone and the GCS should be protected from being accessed by unauthorized parties.

  • Integrity: it is critical to assure the authenticity of the information (that the information is not changed in between, and the source of information is genuine) exchanged between the communicating ends.

  • Non-repudiation: one of the essential security requirements in such scenarios is to make sure that the action done by one party cannot be successfully denied without others knowing about it.

  • Perfect Forward Secrecy: this property assures communicating parties that even if an adversary discloses a master key, old session keys will not be compromised.

  • Perfect Backward Secrecy: this property assures the communicating entities that even if an adversary discloses a master key, future session keys will not be compromised.

  • Protection against Denial of Service: legitimate users, such as legitimate drones, should not be denied service from a service provider, such as a GCS.

  • Protection against MITM (Man-In-The-Middle) attack: the protocol prevents an attacker from secretly relaying messages between the communicating ends.

3.3. SP-D2GCS

The drones and GCS should establish a secure channel and mutually authenticate each other before exchanging any sensitive information. For this, a security protocol, SP-D2GCS (Security Protocol for Drone-to-Ground Control Station), is needed that operates between the drones and the GCS. In SP-D2GCS protocol, drones and a GCS securely communicate to exchange telemetry and status information (from the drone to GCS) and commands and controls (from GCS to the drones). The D2GCS protocol consists of four message exchanges and is also compatible with the defacto MAVLink packet structure [31]. The notations used in both sub protocols (SP-D2GCS and SP-D2MD) are described in Table 1. The communication and packet structure of the D2GCS protocol is shown in Figure 2, and the details of the proposed protocol are shown in Figure 3.

Table 1

Notations and their meaning.

MDMonitoring Drone.
GCSGround Control Station.
ECDHElliptic Curve Diffie–Hellman.
ECDSAElliptic Curve Digital Signature Algorithm.
HMACHash-based Message Authentication Code
PPIN number.
dXX’s ECDH Private key.
QXX’s ECDH Public key: dX • G.
PU(X)X’s ECDSA Public key.
PR(X)X’s ECDSA Private key.
HM(K, M)An HMAC function where K is a secret and M is an input message.
CERTXX’s Digital Certificate.
CMDOperation command.
SKSession key.
MSKX-YMaster session key shared between X and Y.
EKX-YEncryption key shared between X and Y.
AKX-YAuthentication key shared between X and Y.
ST(X)X’s Authentication Ticket.
LTKey life cycle (Lifetime).
E(K, M)An encrypt function where K is a secret key and M is an input message.
D(K, C)A decrypt function where K is a secret key and C is a cipher message.

Open in a separate window

  • (1)

    The first thing that happens in the SP-D2GCS protocol is for D to get the operation ID (IDMISSION) and PIN (P) from the user. While doing so, or even before the actual protocol session starts, it can generate a random ECDH private key dD ∈ {1… n − 1}, where n is the order of the group generated by G. It then calculates the ECDH public key QD = dD • G. Now, D is ready to create a message M1, containing IDMISSION, its certificate (CERTD), the computed public key QD, and the current timestamp ts1, which is accompanied with the signature S1 computed by the ECDSA private key PR(D). To allow GCS to prevent the resource exhaustion attacks caused by the expensive public key operation, an HMAC is computed over the message M1 and signature S1 using the PIN number, P. Finally, the message M1, with the signature S1 and the message digest, is sent to GCS.

  • (2)

    Upon receiving the message, GCS first checks its freshness by checking the included timestamp ts1. Once ts1 is in the acceptable threshold, it then computes HM(P, M1||S1), which is then compared with the received HMAC value. Note that doing two such verifications before the expensive public key operation, i.e., the S1 verification, helps to defend against resource exhaustion denial of service attacks. In a positive case, GCS checks the validity of the received certificate CERTD and verifies the digital signature S1 by using the public key that belongs to CERTD. If the verification of S1 holds, GCS successfully authenticates D. Now, GCS uses the same procedure D followed to prepare the ECDH private key (dGCS) and public key (QGCS = dGCS • G). It then computes the master session key MSKD-GCS = dGCS•dD•G to produce the encryption and authentication keys. While the encryption key EKD-GCS (=HM(MSKD-GCS, “D-GCS Encryption Key”||ts1)) is used to protect the confidentiality of the command CMD sent to D, the authentication key AKD-GCS (=HM(MSKD-GCS, “D-GCS Authentication Key”||ts1)) assures the authenticity and integrity of this command. GCS then arranges a message M2 (containing IDMISSION, CERTGCS, QGCS, and ts2) and signs that message with its ECDSA private key PR(GCS), followed by encrypting the command CMD with the encryption key EKD-GCS and computing HM(AKD-GCS, M2|| E(EKD-GCS, CMD)). Finally, GCS sends the message M2, the signature S2, the encrypted command, and the HMAC value to D.

  • (3)

    Once D gets the message, it verifies the timestamp ts2 and the digital signature S2 to authenticate GCS. Next, it generates the master session key MSKD-GCS, from which the encryption and authentication keys EKD-GCS and AKD-GCS are derived using the same procedure as shown in step (2). Afterward, D computes the HMAC value and verifies if it is the same as the one it received. In turn, it extracts the operation command CMD by decrypting the received cipher using EKD-GCS. To proceed with the next step, D further composes a message M3 (containing IDMISSION, IDD, IDGCS, and ts3), concatenates it with the deciphered CMD, and signs the result by computing S(PR(D), M3||CMD). It also calculates HM(AKD-GCS, M3||S3), which is, in turn, sent together with the message M3 and the digital signature S3 to GCS.

  • (4)

    Upon receipt of the message, GCS verifies the timestamp ts3 and the HMAC value before confirming the validity of the digital signature S3. If S3 is valid, GCS can be sure that D has successfully received the operation command CMD. S3 also plays an important role in fulfilling the non-repudiation property of the protocol by making sure that D cannot deny that it received the CMD. Similarly, GCS allows D to prove that it has sent an operation command CMD via the digital signature S4 (=S(PR(GCS), M4||CMD)). Besides, the HMAC value is calculated based on AKD-GCS to counter the threat of the resource exhaustion attacks due to the public key operation. Note that in the SP-D2GCS protocol, GCS computes and transmits optional parameters that will be used for scenarios where drones communicate with their monitoring drone. In such scenarios, it prepares for a ticket that contains a session key SK and its lifetime LT along with the IDs of D and its monitoring drone MD. In more detail, GCS computes ENC(D) = E(EKD-GCS, IDD||IDMD||IDGCS||SK||LT||ts4) and ST(D) = E(EKGCS-MD, IDMISSION||IDD||IDMD||IDGCS||SK||LT||ts4) for D and MD, respectively. Finally, the GCS sends the message M4 (optionally including ENC(D) and ST(D)), the digital signature S4, and the HMAC value. The protocol is concluded after D validates the included ts4, HMAC value, and S4, respectively. Similar to S3, S4 supports non-repudiation. If ENC(D) and ST(D) are given, D recovers the session key SK by decrypting ENC(D) with EKD-GCS.

3.4. SP-D2MD

For cases where a dedicated monitoring drone is required to collect information from different general drones and pass this information to the ground station, a separate security protocol is required. Consequently, the SP-D2MD (Security Protocol for Drone-to-Monitoring Drone) protocol is used between a general drone D and a monitoring drone MD to perform mutual authentication and key exchange, thereby protecting their subsequent communications. Once all the information is collected by the MD, the MD uses the SP-D2GCS protocol to pass this information to GCS and receive different commands and controls from it. The communication and packet structure of this sub-protocol is shown in Figure 4, and the details are depicted in Figure 5.

  • (1)

    Note that during the D2GCS protocol session, D received the session key SK and the corresponding ticket ST(D) that allow itself to execute mutual authentication and key exchange with MD. To start this protocol, D first generates its ECDH public key pair dD and QD, before composing a message M1 containing IDMISSION, IDGCS, ST(D), IDD, QD, and ts1. It, in turn, calculates HM(SK, M1), which is sent to MD along with M1.

  • (2)

    On receiving the message, MD verifies its freshness and decrypts ST(D) with EKGCS-MD to extract SK, which is then used to verify the received HM(SK, M1). After that, it generates the ECDH public key pair dMD and QMD, computes a master session key MSKD-MD, and computes EKD-MD and AKD-MD. Finally, D generates the two HMAC values, HM(AKD-MD, M2) and HM(SK, M2|| HM(AKD-MD, M2)), which are then sent to MD along with M2.

  • (3)

    After verifying the received ts2 and HM(SK, M2|| HM(AKD-MD, M2)), D computes MSKD-MD, EKD-MD, and AKD-MD. With AKD-MD, HM(AKD-MD, M2) is verified, followed by sending MD a message M3 (= IDMISSION, IDD, IDMD, ts3) with HM(AKD-MD, M3). Finally, MD concludes this protocol by verifying the included ts3 and HM(AKD-MD, M3). The positive result enables MD to confirm the valid key exchange.

4. Formal Security Analysis

This section puts forward the formal analysis of the proposed security protocols described in Section 3. The formal security analysis verifies whether the security protocol actually satisfies the targeted security requirements and services or not. In the past few years, the research on formal security analysis has been continuously conducted. In this paper, the proposed protocols are formally verified through modal-logic-based analysis, such as BAN Logic [32], and automation tool, such as Scyther [33].

4.1. Formal Verification with BAN-Logic

Named after its three authors, Burrows, Abadi, and Needham, BAN logic has become one of the most used verification methods to analyze security protocols formally. BAN-Logic consists of different notations and rules that are used for formal verification.

In general, formal verification through BAN-Logic is carried out in four steps: (1) idealization, (2) assumption, (3) goals, and (4) derivation. The analysis starts by idealizing the messages exchanged between the communicating parties by representing them into suitable format by which only encrypted (non-plaintext) messages are considered. Once the messages are put in this format, underlying assumptions regarding the original messages are made and formally expressed. Next, the goals are defined and expressed formally. Finally, the goals are derived by using the BAN-Logic rules, the assumptions, and the intermediate results. Here, ‘I’, ‘A’, ‘G’, and ‘D’ are used to denote idealizations, assumptions, goals, and derivations. Table 2 and Table 3 summarize the BAN-Logic notations and rules, respectively.

Table 2

BAN-Logic Notations.

P believes that the message X is true
P receives the message X at any point in time
P previously sent the message X
P has jurisdiction over X
X is fresh
K is a secret key shared between P and Q
K is the P’s public key and L is the P’s private key
K is a shared secret between P and Q
X is encrypted with a key K
X is combined with Y

Open in a separate window

Table 3

BAN-Logic Rules.

Rule NamesRules
Message Meaning Rule
Nonce Verification Rule
Jurisdiction Rule
Freshness Rule
Decomposition Rule
Belief Conjunction Rule
Diffie–Hellman Rule

Open in a separate window

4.1.1. SP-D2GCS

The SP-D2GCS protocol is formulated into the following four idealizations.

  • (I1
  • (I2
  • (I3
  • (I4

The assumptions taken in the process of verification are listed below. While the assumptions A1–A4, A6, and A10 are with respect to GCS, the rest are taken by D.

  • (A1
  • (A2
  • (A3
  • (A4
  • (A5
  • (A6
  • (A7
  • (A8
  • (A9
  • (A10

The goals that are expected to be met by the SP-D2GCS protocol are listed below. They primarily illustrate mutual authentication and secure key exchange between D and GCS.

  • (G1
  • (G2
  • (G3
  • (G4
  • (G5
  • (G6
  • (G7
  • (G8
  • (G9
  • (G10
  • (G11
  • (G12
  • (G13
  • (G14
  • (G15
  • (G16

Based on the idealizations, the assumptions, the BAN-logic rules, and the intermediate results of the derivations, the goals set are deduced.

From (I1):

  • (D1
  • (D2
  • (D3
  • (D4
  • (D5
  • (D6
  • (D7

From (I2):

  • (D8
  • (D9
  • (D10
  • (D11
  • (D12
  • (D13
  • (D14
  • (D15
  • (D16
  • (D17
  • (D18
  • (D19
  • (D20

From (I3):

  • (D21
  • (D22
  • (D23
  • (D24
  • (D25
  • (D26
  • (D27

From (I4):

  • (D28
  • (D29
  • (D30
  • (D31
  • (D32
  • (D33

From the above analysis, it is shown that the SP-D2GCS protocol fulfills each of the goals (G1~G16). Moreover, the following lemmas can be derived while showing that the target security requirements are satisfied.

Lemma 1.

The SP-D2GCS protocol provides a mutual authentication between D and GCS.


Through the beliefs (D4) and (D17), both D and GCS can believe IDMISSION. Also, they can believe ID of another from derived beliefs (D24) and (D31). Accordingly, this proves that D and GCS mutually authenticate each other. □

Lemma 2.

The SP-D2GCS protocol enables a secure exchange of AK and EK keys between D and GCS.


As shown in the derivations (D5) and (D11), both GCS and D believe the session key (gXY) is a secret key shared between them and only known to them. There are direct beliefs that AK and EK are securely exchanged between GCS and D, as shown in (D6) and (D7) and (D12) and (D13). Also, indirect beliefs of GCS and D are shown in (D19) and (D20) and (D26) and (D27). Accordingly, it can prove that D and GCS securely exchange AK and EK. □

Lemma 3.

The SP-D2GCS protocol enables a secure exchange of SK key between D and GCS.


The session key SK, which is used for communication between D and MD, is generated by GCS. According to (D32) and (D33), D believes SK as a secret key between itself and MD. Note that we cannot reason about the MD’s belief on SK because it is not involved in this protocol. However, the above-obtained belief can be evolved to allow MD to be sure of SK with the help of ST(D) during the SP-D2MD protocol. Therefore, we can prove that SK is securely exchanged between D and MD. □

Lemma 4.

The SP-D2GCS protocol has resistance against denial-of-service attacks.


(D3) shows that GCS authenticates message and its freshness prior to the expensive computations, thus protecting the protocol from resource exhaustion attacks. □

Lemma 5.

The SP-D2GCS protocol supports non-repudiation.


Every message of the SP-D2GCS protocol contains the public key encryption. Thus, the message can prove who transferred messages with the public key. □

Lemma 6.

The SP-D2GCS protocol supports confidentiality of CMD.


In the case of GCS, (D18) and (D25) can verify that D believes the operation command CMD. Besides, D can verify that GCS sends the operation command CMD as it is encrypted by EK (which is generated by the session key gXY that both D and GCS believe). Thus, D and GCS support confidentiality for operational command CMD. □

Lemma 7.

The SP-D2GCS protocol supports the integrity and data authentication of messages.


Concerning GCS, (D3) and (D23) show that D verifies (I1) and (I3), which illustrates the integrity and data authentication of the message. In the case of D, (D10) and (D30) show that the GCS confirms the trust of (I2) and (I4) (respectively) to support the integrity and data authentication of the message. Accordingly, it can be shown that SP-D2GC supports integrity and data authentication for messages. □

Lemma 8.

The SP-D2GCS protocol prevents the man-in-the-middle attacks.


The ECDHE public keys exchanged between D and MD are protected by the digital signatures that are also sent along with the keys. Also, it can be confirmed from (D5) and (D11) that both parties can trust the ECDHE public key. Accordingly, the SP-D2GCS protocol is secure against man-in-the-middle attacks. □

Lemma 9.

The SP-D2GCS protocol supports PFS and PBS.


Lemmas 2 and 8, above, show that gXY is securely set up between D and GCS. The private keys X and Y are immediately removed from both parties so that gXY will not be recovered in any case. Accordingly, it can be seen that the AK and EK derived from gXY support PFS and PBS. □

Hence, it can be concluded from the proofs that the SP-D2GCS protocol fulfills the security requirements outlined in Section 3, which enables it to withstand known attacks.

4.1.2. SP-D2MD

The idealized forms of the SP-D2MD protocol are shown below:

  • (I1
  • (I2
  • (I3

The following are the assumptions considered while preparing the derivation process. The assumptions (A1)~(A6) are related to MD and the rest are related to D.

  • (A1
  • (A2
  • (A3
  • (A4
  • (A5
  • (A6
  • (A7

The goals that are expected to be achieved by SP-D2MD are shown below:

  • (G1
  • (G2
  • (G3
  • (G4
  • (G5
  • (G6
  • (G7
  • (G8
  • (G9
  • (G10
  • (G11
  • (G12
  • (G13
  • (G14

The following derivations show the steps taken to realize the goals:

From (I1):

  • (D1
  • (D2
  • (D3
  • (D4
  • (D5
  • (D6
  • (D7
  • (D8
  • (D9
  • (D10
  • (D11
  • (D12
  • (D13
  • (D14

From (I2):

  • (D15
  • (D16
  • (D17
  • (D18
  • (D19
  • (D20
  • (D21
  • (D22
  • (D23

From (I3):

  • (D24
  • (D25
  • (D26
  • (D27

From the above analysis, it is shown that the SP-D2MD protocol satisfied the goals (G1~G14). Also, the following lemmas can be derived through the satisfied requirements.

Lemma 10.

The SP-D2MD protocol provides mutual authentication between D and MD.


The derivation result (D10) shows that the MD authenticates D. Similarly, D authenticates MD, as shown in (D17). Hence, mutual authentication between D and MD is realized in the SP-D2GC protocol. □

Lemma 11.

The SP-D2MD protocol provides a secure key exchange of AK and EK.


As shown in the derivations (D13) and (D14) and (D18) and (D19), both MD and D believe that the session key (gXY) is a secret key shared between them and also believe that it is a shared secret that is only known to them. Accordingly, there is a direct belief that AK and EK are securely exchanged between GCS and D, as these keys are computed from the session key gXY. Also, the indirect belief was secured by trusting beliefs in AK and EK through (D22), (D23), (D26), and (D27). Thus, AK and EK are exchanged securely between D and MD. □

Lemma 12.

The SP-D2MD protocol prevents denial-of-service attacks.


In the case of MD, M1 shows freshness through (D10) and does not issue a message without knowing SK, thus supporting defense against denial-of-service attacks. In the case of D, M2 is protected by AK, which is derived from the master session key (gXY). As a result, the next message will not be processed by MD since the sender has no knowledge of the master session key; thus, supporting denial-of-service attacks. □

Lemma 13.

The SP-D2MD protocol supports confidentiality of AK and EK.


In the case of MD, (D13) and (D14) show the secure exchange of AK and EK, which indicates the confidentiality of AK and EK. Similarly, D can be sure about the confidentiality of AK and EK, as shown in (D18) and (D19). □

Lemma 14.

The SP-D2MD protocol supports confidentiality of SK.


The proof for Lemma 3 of the SP-D2GCS protocol shows that SK is exchanged between D (MD) and GCS securely. The proof of Lemma 8 shows the confidentiality of SK between D and GCS. Similarly, it can be shown that the SP-D2MD protocol supports the confidentiality of SK, as indicated in the derivations (D6) and (D7). □

Lemma 15.

The SP-D2MD protocol supports integrity and data authentication of messages.


The derivations (D10) and (D25) show that D supports the integrity and data authentication of the message by verifying the trust of M1 and M3. MD also verifies the trust of M2, through the derivation (D17), to support the integrity and data authentication of the message. Hence, we can verify that D and MD support the integrity and data authentication of the message. □

Lemma 16.

The SP-D2MD protocol provides defense against man-in-the-middle attacks.


The ECDHE public keys exchanged between D and MD are protected by the digital signatures that are also sent along with the keys. Also, it can be confirmed from (D10) and (D17) that both parties can trust the ECDHE public key. Accordingly, the SP-D2MD protocol is secure against man-in-the-middle-attack. □

Lemma 17.

The SP-D2MD protocol supports PFS and PBS.


As per Lemma 11 and Lemma 12 of the SP-D2MD protocol, the master session key gXY is securely set up through the Diffie–Hellman key exchange between M and MD. The private keys X and Y are immediately removed from both parties so that gXY is not recovered under any circumstances. Hence, the authentication and encryption keys derived from gXY support PFS and PBS. □

From the above proofs, we can conclude that SP-D2MD, like SP-D2GCS, is proven to satisfy mutual authentication, secure key exchange, integrity and data authentication of messages, and supports PFS, which makes it secured against known attacks.

4.2. Formal Verification with Scyther

Although the formal verification carried out by BAN-Logic validates the proposed protocol, highlighting that it meets the security goals and is secure against known attacks, BAN-Logic has found to have a limitation in pointing out some flaws [34]. Hence, for a complete formal analysis of security protocols, it is often necessary to combine BAN-Logic with automated tools such as Scyther and AVISPA (Automated Validation of Internet Security Protocols and Applications) [35]. In this paper, the automated formal verification tool Scyther is used to formally verify the SP-D2GC and SP-D2MD protocols.

Scyther, developed by Cremers in 2007, provides a graphical user interface that integrates the Command Line tool and the python scripting interface as an automated tool for formal validation. It provides validation, presentation, analysis, specification, and derivation of protocols. In particular, by providing protocol behavior classes, Scyther points out security problems through straightforward formalization and verification of protocols. The Security Protocol Description Language (SPDL) used in Scyther has a similar syntax to C/JAVA language (although case-insensitive), and defines roles as a series of events, consisting of events representing transmission and reception of information.

For protocol verification, Scyther can be used in three ways. Verification claim: verified or falsified security attributes, automatic claims: Scyther automatically generates and confirms a claim when security attributes are not specified as a claim event, and characterization: Scyther analyzes protocols and provides a finite representation of all traces, including the execution of protocol roles, so that each protocol role can be characterized. During the protocol verification process, Scyther creates an attack graph for unsafe protocols, and displays an individual attack graph for each claim. Claim events used for verification in this paper can be categorized by the functions shown in Table 4, and the details are described in Reference [26].

Table 4

Claim event description.

EventSecurity Attribute
Alive, Nisynch, Niagree, Weakagree, CommitAuthentication

Open in a separate window

At first, each role is modeled in SPDL scripts. The basic roles include the D’s role, the GCS’s role, and the MD’s role, as shown in Figure 6a–c, respectively. In addition, we included the claim events to each modeling, such as Alive, Nisynch, Niagree, Weakagree, Commit/Running, and Secret. Each roles are communicated with each other through the channel set through ‘send’ and ‘recv’. These events check whether modeling can provide authentication and secrecy. If the proposed protocol is secure, the status of the result will show that every claim is OK. Otherwise, the result will show the process of leading to a vulnerable modeling state.

Scyther composes a communication environment based on SPDL scripts, as shown in Figure 6, and executes verification according to claim events. As shown in Figure 7, D, GCS, and MD of the proposed protocol have not been attacked against claim events such as Alive, Nisynch, Niagree, Weakagree, Commit/Running, and Secret. Consequently, the proposed protocol is proven to be secure against known attacks.

5. Performance Analysis

In this section, the proposed protocol is compared with four state-of-the-art security protocols [18,23,27,36], that can be deployed to protect the communication within the UAV network. The comparison is made in terms of security and computation overhead, whose results are provided in Table 5


Protocol Drones Repair

Protocol manufactures a range of drones that offer various features. Protocol markets themselves as supplying “drones for everyone.” Protocol drones include drones with cameras, stunt drones, helicopters, and planes. Protocol drones come at a range of price points. For instance, the Aviator Remote Control Helicopter sells for just $29.99. On the other hand, the Kodiak GPS Wi-Fi Drone with HD Camera sells for $299.99.

Protocol does sell a range of replacement parts for their drones, including batteries, gears, shafts, landing gear, propellers, blade guards, etc.

Protocol drones have a variety of structures, but they all include a base with propellers. Usually, there are four propellers on a drone, one at each edge. Protocol RC helicopters are, instead, helicopter-like in structure. They have a main, rounded body with two large propellers housed above the base. Protocol planes are shaped like model airplanes. Protocol drones, planes, and helicopter bases come in mostly neutral colors (usually black), but their blade guards and propellers are often bright colors.

  • Kaptur GPS 11 (Wi-Fi drone with HD camera)
  • Pixie (Foldable drone with live streaming camera)
  • Director (Foldable drone with live streaming camera)
  • Vert 1 (Vertical take off/landing RC plane)
  • AeroDrone (Drone with live streaming camera)
  • Stealth One (RC plane with HD camera)

Drone protocol

Protocol Director Drone with 3 Camera Capability

Box includes:

• Drone with Camera

• Remote with Phone Mount

• USB Cable Charger

• 1 x Drone Battery

• Travel Bag

• Instruction Manual

• Spare Parts: Blades, Screwdriver

Drone & Remote Features

• Folds down to 4.75” and extends to 9”L (includes blades)

• Auto launch, hover, & land with altitude sensor

• 6-axis motion-sensitive auto stabilizers

• Maneuvers up/down, forward/backward, right/left, and side to side!

• Three selectable speeds

• Crash-resistant materials

• 2.4 Gig remote

Camera & App Features

• Create a seamless movie with 3 different camera angles + audio.

• Live streaming video capability

• Camera Resolution: 480p

• Simultaneous video and photo

• Also can control by free smartphone app

• Draw your own flight path!

• App is VR capable – VR goggles sold separately


MAVLink Developer Guide


MAVLink is a very lightweight messaging protocol for communicating with drones (and between onboard drone components).

MAVLink follows a modern hybrid publish-subscribe and point-to-point design pattern: Data streams are sent / published as topics while configuration sub-protocols such as the mission protocol or parameter protocol are point-to-point with retransmission.

Messages are defined within XML files. Each XML file defines the message set supported by a particular MAVLink system, also referred to as a "dialect". The reference message set that is implemented by most ground control stations and autopilots is defined in common.xml (most dialects build on top of this definition).

Code generators create software libraries for specific programming languages from these XML message definitions, which can then be used by drones, ground control stations, and other MAVLink systems to communicate. The generated libraries are typically MIT-licensed, and can therefore be used without limits in any closed-source application without publishing the source code of the closed-source application.

The C reference implementation is a header-only library that is highly optimized for resource-constrained systems with limited RAM and flash memory. It is field-proven and deployed in many products where it serves as interoperability interface between components of different manufacturers.

MAVLink was first released early 2009 by Lorenz Meier and has now a significant number of contributors.

Key Features

  • Very efficient. MAVLink 1 has just 8 bytes overhead per packet, including start sign and packet drop detection. MAVLink 2 has just 14 bytes of overhead (but is a much more secure and extensible protocol). Because MAVLink doesn't require any additional framing it is very well suited for applications with very limited communication bandwidth.
  • Very reliable. MAVLink has been used since 2009 to communicate between many different vehicles, ground stations (and other nodes) over varied and challenging communication channels (high latency/noise). It provides methods for detecting packet drops, corruption, and for packet authentication.
  • Many different programming languages can be used, running on numerous microcontrollers/operating systems (including ARM7, ATMega, dsPic, STM32 and Windows, Linux, MacOS, Android and iOS).
  • Allows up to 255 concurrent systems on the network (vehicles, ground stations, etc.)
  • Enables both offboard and onboard communications (e.g. between a GCS and drone, and between drone autopilot and MAVLink enabled drone camera).

Language/Generator List

The sections below lists MAVLink generators and their associated programming languages.

MAVLink Project Generators/Languages

The MAVLink organisation provides (and supports) the mavgen, mavgenerate and rust-mavlink tools.

LanguageGeneratorMAVLink v1MAVLink 2SigningNotes
CmavgenThis is the MAVLink project reference implementation. Generated libraries are also published for both protocol versions.
Python (2.7+, 3.3+)mavgenPython bindings. Library also available on PyPi: pymavlink.
Objective Cmavgen
JavaScript (Stable)mavgenOld mavgen JavaScript binding (has known bugs and no test suite).
JavaScript (NextGen)mavgenNew mavgen JavaScript library. Full test suite, resulting library produces binary compatible output compared to C bindings. Slightly incompatible with previous version, but not hard to migrate.
TypeScript/JavaScriptmavgenTypeScript classes which can be used with node-mavlink.
LuamavgenLua library. Does not support zero trimming of MAVLink 2 messages.
WLua (Wireshark Lua bindings)mavgenNAAllow MAVLink-aware packet inspection in Wireshark. Generated lua scripts should be copied to the Wireshark plugin directory (e.g. wireshark/plugins/mavlink.lua).
Rustrust-mavlinkRust MAVLink generated code. Has tests and docs.

External Generators/Languages

The following generators are delivered by independent projects (and supported by those projects).

Prebuilt MAVLink C Libraries

C MAVLink Source Files (only) are auto-generated for the latest versions of all message specifications/dialects (for both MAVLink 1 and 2):

Using C Libraries explains how to use these libraries.


The Support topic contains information about the mailing list, reporting bugs/issues, and joining the dev call.


The Contributing Guide explains the contribution model and the main areas where you can help.


The message definition XML files and the generated C-language version of MAVLink (a header-only library) are made available under the MIT-licence. MAVLink can therefore be used in any closed-source application without publishing the source code of the closed-source application. See the COPYING file for more information.

The MAVLink generator toolchain is licensed under the terms of the Lesser General Public License (version 3) of the Free Software Foundation (LGPLv3).

This documentation is licensed under CC BY 4.0 (Human readable overview | LICENSE).


The MAVLink protocol is hosted under the governance of the Dronecode Project.

Dronecode LogoLinux Foundation Logo



You will also be interested:


477 478 479 480 481