 Dec. 25th, 2021 Flight near Marmet, WV- DJI Mavic Mini Note: This post is for academic and professional awareness only. It explores real-world drone capabilities to highlight emerging security risks- not to promote or enable unauthorized use. If you try any of this without legal clearance, you are not a red teamer- you are a future federal inmate. Bad actors already think this way. The point is to make sure defenders do too. Anyways, Me in the context of this The other night on the SimplyCyber public-speaking discord I presented my second talk on drones, and decided I would submit this to several CFPs after some suggestion. Anyways this is the long-form of that talk and the youtube series I haven't posted yet. First off, I didn’t invent anything. I didn’t design these drones, I didn't come up with concepts. I just started paying attention a long time ago. I dabbled in hacking in high school. A lot of wardriving. Not glamorous, but when you grow up where broadband is rare, mapping SSIDs becomes more necessity than curiosity (ethical? Probably not, but I was 16). That was my entry point into wireless recon: driving backroads, antenna strapped to the dash, logging APs in CSV files just to see what was out there. I come from the John Robb / Brave New War school of thought (as you know reading any of my earlier posts). I read Global Guerrillas early, followed Robb’s work, and viewed most of my polisci and intel coursework since 2007 through that lens: hybrid warfare, networked insurgency, collapse by system failure, resilient communities and distributed redundancy, etc. It was clear even back then that drones would play a central role in that kind of conflict e.i., cheap, distributed, and hard to defend against. Back in 2013, I watched a geology grad student use a DJI Phantom to map pit mines in Africa. She demoed it during a remote sensing class, flying autonomous loops and generating 3D terrain models. That stuck with me. I’d already been following 3D printing by then but couldn’t afford to get involved in it at the time, but I watched it evolve. Same with drones. I tracked both fields for years before I had the tools to build anything myself. Since then I’ve worked in supply chain, federal procurement, defense contracting (not in a cool capacity), and eventually cybersecurity. I’ve also spent time as an artilleryman, a HAZMAT responder, and a bar bouncer, so I’ve seen problems from more angles than just behind a keyboard  Kitbashed Ukrainian Drones The Drone Renaissance: Why I Call It ThatI call it a renaissance because we’re not witnessing the birth of drone warfare. We’re witnessing its decentralization, and radical acceleration. Drones aren't new. Militaries have been flying UAVs since the Cold War. What’s changed isn’t that unmanned systems exist- it’s who can use them, how fast they evolve, and how cheap they’ve become to build and deploy. What was once the domain of nation-states is now accessible to individuals with a soldering iron, a 3D printer, and a GitHub account. This is a renaissance in the same way the original Renaissance was: not a moment of invention, but of transformation. Knowledge spreads. Tools get democratized. Power shifts. The ability to conduct long-range reconnaissance, deliver kinetic effects, or passively monitor RF emissions has moved from classified facilities to backyards, garages, and online developer communities. The means of production and the operational imagination have expanded simultaneously. Everyone has access to what was once elite capability and they're modifying it, scaling it, and sharing it in near real-time. It’s being driven by open systems, not closed ones. The innovation isn’t coming from defense firms with classified contracts. It’s coming from YouTube builders, Telegram tinkerers, and volunteer engineers adapting civilian tech for battlefield use. A few years ago, “drones” meant military hardware or hobbist camera rigs. Now it means a Raspberry Pi sniffing Wi-Fi from a rooftop, an FPV quad crashing into a trench with a $50 warhead, a fixed-wing platform flying GPS waypoints across denied terrain, or a hobbyist designing a glide kit for a salvaged munition. It means 3D-printing a nosecone overnight to mount a directional antenna. The term no longer describes a tool- it describes a method. Why Ukraine Mattered We saw flashes of what drone warfare could become during earlier conflicts; ISIS using modified quadcopters to drop grenades, Azerbaijan deploying loitering munitions against Armenian armor, but it was Ukraine that turned tactical experimentation into a global proving ground. Since 2022, Ukraine has served as a live-fire lab for the evolution of unmanned systems. Every kind of drone has been deployed there: off-the-shelf DJI quads for recon, FPV racers wired for direct hits, fixed-wing scouts for artillery spotting, and long-range autonomous platforms used for deep strikes. What matters isn't just the variety- it’s the scale, speed of adaptation, and open-source nature of the tooling. You’re seeing warfighters iterate in real time. Build kits tested one week show up in Telegram channels the next. 3D-printed fins, gimbals, and bomb releases. GoPro cameras wired to cheap transmitters. Raspberry Pi modules mounted inside low-end airframes. It’s not just DIY, it’s distributed innovation under pressure. The closest analogy is post–World War I aviation. That war introduced aircraft into conflict. But it wasn’t until the interwar years- when doctrine caught up with capability that we saw the full impact: long-range bombers, close air support, carrier ops. Ukraine is playing the same role for drones. The technology existed before, but doctrine hadn’t yet hardened around it. Ukraine forced that shift. And because the whole world was watching; militaries, hackers, hobbyists- none of it stayed regional. What worked in Mariupol or Bakhmut became global in weeks. Tactical drone use became a global conversation.  Autonomous Reconnaissance and Aerial Threat Vectors “What can be done with a drone is limited only by the laws of physics and imagination.” — Me, in Discord, last year again, I’m not breaking new ground here. The idea of using drones for passive surveillance, Wi-Fi recon, or even offensive cyber operations isn’t theoretical. It’s been done. Multiple times. Publicly. There are writeups, case studies, and forensic artifacts to prove it. Case in point: U.S. Financial Services Company Targeted by Hackers Using DJI Drones Drone Hacking with Raspberry-Pi 3 and WiFi Pineapple: Security and Privacy Threats for the Internet-of-Things But most of what’s out there is focused on small quadcopters with short flight times, noisy rotors, and limited reach. Effective, yes, but constrained. They hover close, land nearby, and require real-time operator oversight. That model works for brief engagements or tactical hits. It doesn’t scale for deep recon or long-duration surveillance. That’s where the platform I'm working on comes in. What I’m working on is a fixed-wing VTOL drone that merges two roles: Perch and Stare- a rooftop passive node that blends into its environment- and Warflying- a long-endurance, autonomous aerial reconnaissance platform. It launches vertically, transitions to fixed-wing flight for efficiency, loiters silently while collecting, and can land itself with precision to begin passive collection. Everything is off-the-shelf. Nothing exotic. Raspberry Pi. RTL-SDR. GPS. 3D-printed mounts. Open-source software. This isn’t an experiment. It’s a working system. The war-driving payload has already been validated on ground and vehicle-based runs over the past two decades. The airframe has been demonstrated online numerous times. This is not a speculative concept. It’s a modern threat vector that already exists in practice, just under different names, using different tools. My goal here is simple: take what’s already been proven possible and build it into something longer-range, more autonomous, more repeatable, and more operational. If you're defending networks, this is your wake-up call. If you're red teaming, this might soon your toolkit. If you're a threat actor, well, you might already be using it (and you're a bad person). This is the Drone Renaissance. The sky isn’t empty anymore. It's part of the attack surface.  Perch and Stare The original idea behind Perch and Stare was simple: don’t loiter, don’t hover, don’t make noise. Land. Power down. Watch and listen. That’s it. Drones built around this concept aren’t meant to be visible or agile. They're meant to disappear into the architecture. Rooftops, ledges, canopy lines anywhere that grants a line-of-sight view or scanable APs. These platforms are typically small multirotors equipped with lightweight payloads: a Raspberry Pi, an SDR, a GPS module, and some kind of storage or uplink path. Once deployed, they cut thrust and enter a low-power state. From there, they operate as passive nodes collecting Wi-Fi beacon frames, observing signal strength patterns, even logging BLE traffic in some builds. Some versions have launched Evil Twin attacks or executed MITM traffic capture using preloaded scripts. Others go further by spoofing SSIDs, forcing deauths, or intercepting device reauth handshakes for offline cracking. But the real power of Perch and Stare isn’t the payload. It’s the operational profile. A motionless node on a rooftop likely wont trip a camera system. It doesn’t cross badge readers. It doesn’t need to penetrate a traditional security perimeter. It doesn’t even need a stable uplink. It just needs proximity and a few hours of proximity to your infrastructure. What makes this model work and what makes it hard to detect is its absolute minimalism. No RF noise beyond passive scanning. No movement. No transmissions. It’s quiet by design. The only real constraint? Range. Multirotors don’t travel far. They drain power fast. They’re loud in low ambient environments and can get flagged on security cams when descending into high-walled zones. Once you factor in limited flight time, they’re best used for short-range, urban insertions. What I’m working on now is removing that constraint. By moving this concept onto a fixed-wing VTOL platform, I’ve taken the same operational profile- silent, low-power, passive- and given it endurance, altitude, and range. Now the same Perch and Stare function can be executed dozens of kilometers away from the launch point, deployed autonomously, and extracted without line-of-sight piloting. This isn’t replacing the original concept. It’s building upon it.  The Attack Surface Now Includes the SkyMost organizations defend laterally. Their security models focus on horizontal boundaries, entry points, physical perimeters, credentialed access, and VLAN segmentation. Wi-Fi audits happen at the floor level. Sensors live inside the walls. Defense stops at the edge of the building. Those signals don’t respect drywall. They don’t stop at windows. They don’t care about fence lines or property boundaries. RF propagates in all directions- out, up, and through. A drone doesn’t need to be in your lobby to hear your network. It just needs to be within range of your signal leakage. And modern buildings leak RF in all directions, especially upward. Rooftop glass, HVAC exhausts, high-rise balconies, poorly shielded conference rooms all act as transmission points for signals you didn’t mean to share. The real failure isn’t that these platforms exist. It’s that most threat models don’t account for them. Drones operate in an airspace that corporate security rarely monitors. There’s no alarm for a small fixed-wing platform flying 100 feet overhead. There’s no alert for a passive SDR that logs your Wi-Fi SSIDs from a rooftop. And unless you're explicitly looking for thermal or EM signatures, there’s nothing to detect a powered-down node collecting quietly for hours at a time. Meanwhile, the data they collect is actionable. It maps real-world network exposure. It shows which access points are misconfigured. It identifies signal overlap between secured and guest networks. It reveals infrastructure you didn’t even know was active.  Flightory Stallion V2 VTOL Project Overview: Building a DIY Warflying Recon Drone The goal of this platform is straightforward: build a low-cost, autonomous drone that can collect wireless broadcast metadata at altitude, over range, and without operator input. No manual piloting. No remote control. No onboard transmission. Just launch, fly, log, land, and recover. The platform is the Flightory Stallion V2: a fixed-wing vertical takeoff and landing drone with long flight endurance and a modular frame. It lifts vertically from constrained spaces, transitions to efficient horizontal flight, and can loiter or land on rooftops for passive surveillance. VTOL is non-negotiable: if you're landing on HVAC units or narrow rooftops, you need the precision of vertical descent. The core payload is built around a Raspberry Pi 4, running headless Linux. It manages scan cycles, GPS sync, log storage, and power management. No GUI. No bloat. Just scripted recon and timed scan intervals. Sensor Stack:
The entire payload is bracketed using custom 3D-printed housings to reduce vibration, shield RF interference between modules, and maintain clean cable routing inside the fuselage. Every component is modular. Every bracket is replaceable. The design is meant to be iterated. Mission Workflow:
The goal is for no live data is transmitted during the mission. Everything is stored onboard. Post-flight, logs can be processed through Kismet, GIS overlays, or custom visualization scripts to generate heatmaps of SSID coverage, signal leakage, and AP misconfiguration.  What the Drone Collects: Passive Wireless Metadata at Altitude This purpose of this drone isn't to interact with anything. It shouldn't transmit. It shouldn't connect. It shouldn't probe, inject, or interfere. It will listen. Specifically, it will passively capture broadcast metadata from wireless access points- data that is already being emitted into the environment by design. These are the same beacon frames that Wi-Fi networks send out continuously to announce their presence. Every device sees them. The drone logs them. Each scan cycle produces records like this:
These records are stored in both CSV and KML formats. CSV supports post-processing and filtering. KML enables quick geospatial visualization using tools like Google Earth, QGIS, or custom RF mapping overlays. In a single flight, the system builds a top-down RF footprint of a target area revealing exactly how wireless signals bleed across floors, rooftops, and adjacent properties. From the air, patterns become visible that ground-based audits can’t detect: overlapping coverage zones, unsecured guest networks bridging into production space, directional antennas leaking off-axis, and APs broadcasting into public spaces that were assumed to be shielded. And hopefully it does all of this with zero touch. There’s no handshake interception. No deauth packets. No packet injection. Nothing that would trigger intrusion detection systems or trip alarms. This is pure signal intelligence, gathered passively from the air by a node the network never sees. In dense urban environments, even a short 10-minute flight at moderate altitude can yield hundreds of SSIDs, dozens of networks, and enough metadata to map out which access points are misconfigured, duplicated, or extending beyond their intended coverage zone. And from a red team perspective, that metadata becomes targeting intelligence, just look at Wigle for an example. From a blue team perspective, it’s a visibility gap most orgs didn’t know existed or ignore.  Why 3D Printing Matters This platform doesn’t work without additive manufacturing, aside from the 3D printed airframe. Off-the-shelf components rarely fit together cleanly, especially when you’re mounting SDR modules, antennas, GPS units, and Raspberry Pi boards inside an airframe designed for hobbyist payloads. Vibration causes data loss. RF coupling skews signal strength readings. Poor cable routing introduces interference. In flight, small mechanical problems become mission failures. 3D printing solves all of it. Every component on this drone is mounted in a custom-printed bracket, modeled for exact dimensions, tuned for flight weight, and optimized for electrical separation. Brackets snap into the Stallion V2’s fuselage with precision-fit tolerances. The designs isolate power rails, suppress RF bleed between the GPS and SDR, and lock down fragile USB connections under vibration load. Need to swap antennas? Print a new housing with different polarity. Need to adjust the Pi orientation to improve airflow? Redesign in CAD, reprint, remount in the same day. These aren’t cosmetic mods. They’re structural integrations; if the payload isn’t bolted on. It’s embedded. This matters in flight. A misaligned antenna drops signal fidelity. A loosely mounted SDR vibrates under G-forces and corrupts logs. Poor grounding turns telemetry into noise. A field-ready platform can’t tolerate that kind of failure chain. With 3D printing, you can fix those problems without a machine shop. It also makes the system replicable. STL files can be shared, remixed, adapted to different airframes. If you have a printer and a few spools of filament, you’re not just building a drone, you’re building an RF recon lab you and others can iterate on in however long it takes to refine and print the new parts.  Why Now? Ten years ago, this kind of platform belonged in a white paper like the one I posted earlier in this post. Today, it’s a week of building, less if you have more than one printer running hot and nothing but free time. Not because the laws of physics changed. Because everything around the drone did. The war in Ukraine proved that DIY drones are viable in active combat zones. What started as hobbyist gear has evolved into battlefield infrastructure equipped with ISR (intelligence, surveillance and reconnaissance) payloads, shaped-charge warheads, and telemetry links built from repurposed consumer hardware. They’re cheap. They work. And they’ve rewritten the doctrine for how small, expendable platforms are used in contested environments- which might include all environments if you adhere to the concept of grayzone/ 5th gen warfare theory. That mindset bled into security research. At the same time, the open-source ecosystem exploded. GitHub is now full of wireless recon tools, SDR drivers, automated attack frameworks, and Raspberry Pi-based flight controllers. STL files for precision brackets, gimbal mounts, and airframe mods are published on demand. Discord channels replaced vendor support. The barrier to entry has collapsed. And the window of exclusivity is gone. You no longer need proprietary hardware or closed documentation. You need commodity parts, cheap compute, and time. That’s it. We’re not looking at the future. We’re looking at an unevenly distributed present. This is what threat actors are already doing with less power, less range, and fewer constraints. This platform just makes it modular, scalable, and autonomous. This build is 100% legal. Every component is commercially available. The software is published under permissive licenses. And every technique has precedent- documented in security conferences, proof-of-concepts, and academic papers. This isn’t edge-case theory. It’s a repackaging of known tools into a more capable platform. And that’s the inflection point. The only difference between a red team recon platform and an adversarial payload delivery system isn’t code or hardware- it’s intent, and intent is hard to detect when the system never transmits, that said this platform could very easily and quickly be retooled for offensive cyber in which case it would be detectable and damaging.  Hypothetical: How I Would Use It (If This Were an Offensive Operation and I Wanted to Spend Years in a Federal Prison) Let’s be explicit up front: this would be illegal without authorization. The FAA does not allow unlicensed drone activity over occupied buildings. (FAA Laws) Cyber intrusion laws prohibit unauthorized access to networks or devices. But threat actors- by definition- do not care about regulatory frameworks when already engaging in illegal activity. So this is not a question of if someone could do it. It’s a question of how it would be done if someone already intended to act outside the law. Here’s how I’d approach it if this were an offensive engagement and I was a very bad person who belongs in jail. Phase 1: Reconnaissance and Planning The target environment is mapped using publicly available satellite imagery, street-level photography, and open-source intelligence on corporate infrastructure i.e. Google Earth. The goal is to identify flat rooftops or exposed balconies near broadcast access points. HVAC clusters and utility boxes are preferred for concealment. Building materials are considered- light-colored gravel, black tar, concrete slab. The drone’s upper surface is painted to match. Reflective components are masked. LEDs are disabled. The underbody is dulled to blend with overcast sky tones during ingress. Flight plans are calculated to minimize noise, silhouette, and transit time. Launch occurs from a remote location, potentially inside a vehicle, using terrain masking to avoid detection. Phase 2: Insertion and Landing The drone executes vertical descent onto the target rooftop during a low-activity window—typically after 0200 hours. Weather conditions are selected for wind cover and low visibility. Once landed, the platform enters a fully passive surveillance state. The payload is dark. No RF emissions. No movement. Scan cycles are initiated periodically using internal timers or a GPIO-triggered watchdog. Logs are written locally- no telemetry, no uplink. From this perch, the drone collects beacon frames, SSID broadcast data, and BSSID metadata from nearby wireless networks. Depending on altitude and structure, this includes coverage from multiple floors and adjacent buildings. If configured, the system can also capture WPA2 handshakes during client reauth events. Phase 3: Offensive Activation (If Escalating) If the mission scope includes active exploitation, the same Raspberry Pi payload can run a secondary script set. With an additional Wi-Fi adapter capable of packet injection:
None of this requires physical presence on site. Phase 4: Power Management and Endurance During idle cycles, the drone enters deep sleep. Wake intervals are adjustable, a scan every 10, 30, or 60 minutes. A lightweight 5W solar panel mounted flush to the fuselage can sustain these cycles for multiple days, depending on environmental light conditions. Phase 5: Exfiltration and Recovery After a predefined mission duration say, 12 hours, 48 hours, or longer- the drone powers up, acquires GPS, and takes off autonomously. Return-to-home logic guides it to a remote waypoint, dead-drop zone, or mobile recovery vehicle. If telemetry confirms the drone is compromised, it deletes logs and executes a soft crash. If conditions prevent recovery, fallback logic lands it in a secondary location. Failsafe scripts can zero storage or overwrite logs. In some cases out of Ukraine, the drone self destructs via an overheated battery or worse, a small thermite or chemical charge- but on top of everything else, you're asking for several more major felonies and probably a terrorism up-charge on your already several felonies. Disclaimer This post is written strictly for academic curiosity and professional awareness. I’m a security practitioner, not an operator. Everything discussed here is grounded in publicly available information and off-the-shelf hardware, with the goal of highlighting what I believe is an emerging and underappreciated risk vector in modern security models.
It also happens to feed my nerd ego and give me an excuse to go deep on something I’ve been fixated on since undergrad- because ADHD and hyperfocus are hell of a drug. Let’s be absolutely clear: doing any of this without authorization is illegal. Deploying drones for recon or interference without FAA approval and without the consent of the property owner is a fast track to federal charges, not a hacker badge. We’re talking felony territory. Hard time. The kind of prison with fluorescent lighting, bad food, worse roommates, no Wi-Fi, and absolutely zero tolerance for “but I was just testing.” I’m not the first person to think this up. And that’s the problem. Bad people are already thinking about this. Some of them are already doing it. The goal here is to make sure defenders are thinking just as creatively before this becomes standard playbook. Think responsibly. Build legally. Get your Part 107. Don’t be an idiot.
0 Comments
Leave a Reply. |