This is Part 2. In Part 1 we introduced the Iron Rodent, our cybersecurity testbench for the MOUSE small unmanned aircraft system. Here we take it to DEF CON 31's Aerospace Village and let people break it.
Why sUAS security needs hands-on practice
Operating a small unmanned aircraft system safely takes more than good intentions. It takes strong encryption, automated security testing, access controls, and regular updates. Operators need the knowledge to build resilient frameworks that mitigate risk and allow responsible deployment. The fastest way to teach that is to let people see what happens when it is missing.
The Iron Rodent CTF
At DEF CON, the Iron Rodent ran as a capture-the-flag built on custom AWS infrastructure. Players joined a fictional faction, COVERT (Coalition for Observing and Verifying Extraterrestrial Real Threats), and worked to protect their "extraterrestrial allies" by finding the vulnerabilities in COVERT's sUAS, an aircraft fielded with trained alien-object-recognition.
As players solved challenges, they saw the consequences in real time:
- Deactivating the gimbal servos that control the EO/IR camera
- Manipulating sensor readings
- Modifying flight waypoints
Each success came with the matching best practice, so the lesson landed with the exploit.
The best practices it taught
- DevSecOps: security integrated across the software development lifecycle, automated security testing, and continuous monitoring.
- Communication links: strong encryption for telemetry; minimize SSID exposure.
- On-board systems: regular firmware updates; data encryption; disable unused ports and protocols.
- Payload: encrypt transmitted data; enforce access controls; disable unused protocols.
- Software and applications: integrity checks and secure coding practices.
The takeaway is the same one the Iron Rodent was built to make: the failures that matter on an unmanned system are ordinary engineering failures, and you can teach them safely on the bench before they ever fly.