DuckHunter: A Tactical OS for Drone Security Research

A consumer drone is a flying computer with a radio stack, a GPS receiver, a flight controller running open-source firmware, and a telemetry link broadcasting its position and status in plaintext. Most of them ship with the same protocol trust assumptions that plagued enterprise networks in 2005.

The attack surface isn't theoretical. MAVLink — the dominant telemetry and command protocol for commercial and hobbyist drones — was designed for ease of integration, not security. It has no mandatory authentication. Commands are accepted from any source that can reach the vehicle's radio link. A sufficiently motivated researcher with a software-defined radio and a laptop can, in a controlled environment, do things to a drone that the manufacturer's documentation would strongly prefer you didn't know about.

DuckHunter is the research platform for understanding that surface before someone less friendly does.

The Protocol Problem

MAVLink was designed for the ArduPilot ecosystem in 2009. It solved a real problem elegantly: a lightweight binary protocol for passing telemetry and commands between a ground control station and an aircraft. Simple, efficient, widely adopted. The drone industry built on top of it and never looked back.

The security posture of that original design reflects the context it was built for: hobbyist researchers flying in open fields, not adversarial RF environments. There was no authentication layer because the assumption was that physical proximity implied authorization. That assumption no longer holds.

MAVLink 2 added signing support in 2016. Adoption remains inconsistent. A significant portion of commercial and hobbyist vehicles in the field today either don't implement message signing, implement it incorrectly, or disable it for compatibility with older ground stations. The HEARTBEAT message that every MAVLink vehicle broadcasts continuously — announcing its presence, system type, firmware version, and operational state — is unsigned by default on most hardware.

This is the entry point DuckHunter's CMD_INJECT module is built around.

// Simulated MAVLink HEARTBEAT capture
// Passive monitoring — no transmission required

const packet = await pulseSniff({
  band: "2.4GHz",
  protocol: "MAVLink2",
  filter: ["HEARTBEAT", "POSITION"]
});

console.log(packet);
// {
//   type: "HEARTBEAT",
//   system_id: 1,
//   autopilot: "ArduCopter",
//   base_mode: "GUIDED | ARMED",
//   custom_mode: 4,
//   signed: false   // <-- most common finding
// }

A passive HEARTBEAT capture tells you the vehicle is present, what firmware it's running, whether it's armed, and whether its command link is authenticated. That's a complete target profile without transmitting a single byte.
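What a passive capture actually has to do to produce that profile is decode the frame. The following is an added example, not DuckHunter's pulseSniff code: a minimal MAVLink 2 frame parser that recovers the HEARTBEAT fields, checks the CRC, and reports whether the signature block is present. The frame layout, field order, base_mode flag values and CRC_EXTRA (50 for HEARTBEAT) follow the public MAVLink 2 specification; the sample frame is constructed here as a test vector, not captured from any vehicle.

```javascript
// Added example (not DuckHunter code): MAVLink 2 HEARTBEAT parsing with CRC and signature-flag check.
// Frame: STX(0xFD) len incompat compat seq sysid compid msgid[3] payload[len] crc[2] [signature[13]]

const MAVLINK2_STX = 0xfd;
const MAVLINK_IFLAG_SIGNED = 0x01; // incompat_flags bit: a 13-byte signature block follows the CRC
const SIGNATURE_LEN = 13;          // link_id(1) + timestamp(6) + signature(6)
const HEARTBEAT_MSGID = 0;
const HEARTBEAT_CRC_EXTRA = 50;
const AUTOPILOT_NAMES = { 0: "Generic", 3: "ArduPilotMega", 12: "PX4" };
const BASE_MODE_FLAGS = [[1, "CUSTOM_MODE"], [4, "AUTO"], [8, "GUIDED"], [16, "STABILIZE"],
                         [64, "MANUAL_INPUT"], [128, "ARMED"]];

// CRC-16/X25 as MAVLink uses it: init 0xFFFF over len..payload, then the message's CRC_EXTRA byte.
function crcX25(bytes, extra) {
  let crc = 0xffff;
  const step = (b) => {
    let tmp = (b ^ (crc & 0xff)) & 0xff;
    tmp = (tmp ^ (tmp << 4)) & 0xff;
    crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xffff;
  };
  bytes.forEach(step);
  step(extra);
  return crc;
}

// Parse one MAVLink 2 frame from a Uint8Array; throws on malformed or truncated input.
function parseMavlink2(buf) {
  if (buf.length < 12 || buf[0] !== MAVLINK2_STX) throw new Error("not a MAVLink 2 frame");
  const len = buf[1];
  const signed = (buf[2] & MAVLINK_IFLAG_SIGNED) !== 0;
  const crcAt = 10 + len;
  if (buf.length < crcAt + 2 + (signed ? SIGNATURE_LEN : 0)) throw new Error("truncated frame");
  const header = buf.subarray(1, 10);
  const payload = buf.subarray(10, crcAt);
  const msgid = buf[7] | (buf[8] << 8) | (buf[9] << 16);
  const crcRx = buf[crcAt] | (buf[crcAt + 1] << 8);
  const crcExtra = msgid === HEARTBEAT_MSGID ? HEARTBEAT_CRC_EXTRA : null; // extend per message id
  const crcOk = crcExtra !== null && crcX25([...header, ...payload], crcExtra) === crcRx;
  let signature = null;
  if (signed) {
    // Verifying the signature needs the shared key; a passive observer only sees that it is present.
    const s = buf.subarray(crcAt + 2, crcAt + 2 + SIGNATURE_LEN);
    let ts = 0;
    for (let i = 5; i >= 0; i--) ts = ts * 256 + s[1 + i]; // 48-bit LE, 10 us units since 2015-01-01
    signature = { link_id: s[0], timestamp: ts };
  }
  return { seq: buf[4], sysid: buf[5], compid: buf[6], msgid, payload, crc_ok: crcOk, signed, signature };
}

// HEARTBEAT payload (wire order: custom_mode u32, type, autopilot, base_mode, system_status, version).
// MAVLink 2 zero-trims the payload tail, so pad back to the full 9 bytes before reading.
function decodeHeartbeat(payload) {
  const p = new Uint8Array(9);
  p.set(payload.subarray(0, 9));
  return { custom_mode: new DataView(p.buffer).getUint32(0, true), type: p[4], autopilot: p[5],
           base_mode: p[6], system_status: p[7], mavlink_version: p[8] };
}

const describeBaseMode = (m) => BASE_MODE_FLAGS.filter(([bit]) => m & bit).map(([, n]) => n).join(" | ");

// Produce the same summary the capture above shows, plus whether the CRC checks out.
function summarizeFrame(buf) {
  const f = parseMavlink2(buf);
  if (f.msgid !== HEARTBEAT_MSGID) return { type: `msgid ${f.msgid}`, system_id: f.sysid, signed: f.signed };
  const hb = decodeHeartbeat(f.payload);
  return { type: "HEARTBEAT", system_id: f.sysid, autopilot: AUTOPILOT_NAMES[hb.autopilot] ?? `unknown(${hb.autopilot})`,
           base_mode: describeBaseMode(hb.base_mode), custom_mode: hb.custom_mode, crc_ok: f.crc_ok, signed: f.signed };
}

// Build an unsigned MAVLink 2 frame so the parser has a test vector with a valid CRC.
function buildMavlink2Frame({ seq, sysid, compid, msgid, payload, crcExtra }) {
  let len = payload.length;
  while (len > 1 && payload[len - 1] === 0) len--;          // MAVLink 2 payload truncation
  const body = [len, 0, 0, seq, sysid, compid, msgid & 0xff, (msgid >> 8) & 0xff, (msgid >> 16) & 0xff,
                ...payload.subarray(0, len)];
  const crc = crcX25(body, crcExtra);
  return Uint8Array.from([MAVLINK2_STX, ...body, crc & 0xff, crc >> 8]);
}

// Constructed HEARTBEAT: custom_mode 4 (ArduCopter GUIDED), MAV_TYPE_QUADROTOR, MAV_AUTOPILOT_ARDUPILOTMEGA,
// base_mode 0x89 = CUSTOM_MODE | GUIDED | ARMED, MAV_STATE_ACTIVE, mavlink_version 3.
const SAMPLE_HEARTBEAT = buildMavlink2Frame({ seq: 0, sysid: 1, compid: 1, msgid: HEARTBEAT_MSGID,
  payload: Uint8Array.from([4, 0, 0, 0, 2, 3, 0x89, 4, 3]), crcExtra: HEARTBEAT_CRC_EXTRA });
console.log(summarizeFrame(SAMPLE_HEARTBEAT));
```

Two details worth noticing: the autopilot enum on the wire says ArduPilotMega, so "ArduCopter" in the capture above is inferred from the vehicle type rather than read directly; and the CRC is an integrity check against link noise, not an authentication check, so crc_ok tells you nothing about who sent the frame. Only the signed flag (and, with the key, the signature itself) does.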

RF as Reconnaissance

Before you can interact with a drone's protocol stack, you have to find it. SKY_SWEEP handles the spectrum side — real-time signal identification across the three bands drone control links actually use.

2.4GHz is where most consumer and prosumer links live: DJI OcuSync, legacy Spektrum DSMX, ExpressLRS in its most common configuration. 5.8GHz carries a smaller subset of control links and most FPV video downlinks. 900MHz is the long-range tier — TBS Crossfire, ExpressLRS 900, systems designed to maintain link integrity at distances where 2.4GHz degrades.

Each protocol has a signature. Frequency-hopping spread spectrum links like ELRS and Crossfire use pseudorandom hop sequences that look like noise to a naive scanner but have detectable statistical properties. Consumer OcuSync links have characteristic burst patterns. The PSD visualization in SKY_SWEEP maps signal power against frequency in real time, turning the RF environment into something you can actually read.

The practical value is triangulation: if you know what a target link looks like spectrally, you can track signal strength to determine proximity and approximate bearing. That's target acquisition without GPS.
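The computation underneath a PSD display and a strength-tracking readout is small enough to show whole. The following is an added example, not SKY_SWEEP's code: I/Q samples are turned into power per frequency bin, the bins are laid out from -fs/2 to +fs/2 the way a spectrum display draws them, and the strongest bin is reported as an absolute frequency and a power level. A plain DFT is used to keep it dependency-free (an FFT gives the same numbers faster). The I/Q record is synthesised here, with the centre frequency, sample rate and emitter offset chosen for the example, not captured from hardware.

```javascript
// Added example (not DuckHunter code): PSD from I/Q samples and strongest-emitter pick.

// Deterministic pseudo-noise so runs are repeatable (32-bit LCG).
function lcg(seed) {
  let s = seed >>> 0;
  return () => { s = (Math.imul(1664525, s) + 1013904223) >>> 0; return s / 4294967296 - 0.5; };
}

// N complex samples of a tone `offsetHz` from the tuner centre, plus weak noise (synthetic I/Q).
function synthIq(n, sampleRate, offsetHz, amp = 1.0, noiseAmp = 0.05) {
  const rnd = lcg(42);
  const i = new Float64Array(n), q = new Float64Array(n);
  for (let k = 0; k < n; k++) {
    const phase = 2 * Math.PI * offsetHz * k / sampleRate;
    i[k] = amp * Math.cos(phase) + noiseAmp * rnd();
    q[k] = amp * Math.sin(phase) + noiseAmp * rnd();
  }
  return { i, q };
}

// PSD via a direct complex DFT. Bins are returned ordered from -fs/2 to +fs/2.
function psdDb(i, q, sampleRate) {
  const n = i.length;
  const bins = [];
  for (let k = 0; k < n; k++) {
    let re = 0, im = 0;
    for (let t = 0; t < n; t++) {
      const ang = -2 * Math.PI * k * t / n;           // (i + jq) * e^{j*ang}
      re += i[t] * Math.cos(ang) - q[t] * Math.sin(ang);
      im += i[t] * Math.sin(ang) + q[t] * Math.cos(ang);
    }
    const power = (re * re + im * im) / (n * n);     // normalised so a unit tone reads 0 dB
    const offsetHz = (k < n / 2 ? k : k - n) * sampleRate / n;
    bins.push({ offsetHz, powerDb: 10 * Math.log10(power + 1e-20) });
  }
  return bins.sort((a, b) => a.offsetHz - b.offsetHz);
}

// Strongest bin, expressed as an absolute frequency for the current tuner centre.
// Tracking powerDb over successive blocks is the "signal strength" a proximity estimate relies on.
function strongestEmitter(centerHz, sampleRate, i, q) {
  const peak = psdDb(i, q, sampleRate).reduce((best, b) => (b.powerDb > best.powerDb ? b : best));
  return { hz: centerHz + peak.offsetHz, powerDb: peak.powerDb, binWidthHz: sampleRate / i.length };
}

// Constructed scenario: tuner centred at 2.440 GHz, 8 MS/s, one emitter 1.5 MHz above centre.
const SAMPLE_RATE = 8e6, CENTER_HZ = 2.44e9;
const { i: I, q: Q } = synthIq(256, SAMPLE_RATE, 1.5e6);
const emitter = strongestEmitter(CENTER_HZ, SAMPLE_RATE, I, Q);
console.log(emitter); // hz 2441500000, powerDb near 0, binWidthHz 31250
```

With 256 samples at 8 MS/s each bin is 31.25 kHz wide, which is fine for finding a link but far too coarse to see the hop structure of an FHSS link; resolving hop timing is a matter of looking at power against time per channel, not a single PSD.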

GPS Integrity and the Spoofing Problem

TRACK_LOCK is the module that addresses a different class of attack — not injection into the control link, but manipulation of the navigation data the drone trusts.


GPS spoofing works by transmitting a counterfeit GNSS signal stronger than the genuine signal from orbit. The receiver can't distinguish the spoof — it just sees a stronger signal and locks to it. The vehicle then navigates to wherever the spoof says it is, which may have nothing to do with where it physically is.

The detection method that works relies on sensor fusion. A drone in flight has inertial measurement unit data — accelerometers and gyroscopes tracking actual physical movement — that is independent of GNSS. If the GPS coordinate stream claims the vehicle is stationary while the IMU says it's moving, or claims a velocity vector that contradicts accelerometer data, that divergence is the spoof signature.

// GPS integrity cross-validation
// Divergence between GNSS position and IMU movement vector

const integrity = await trackLock.validateParity({
  gnss_position: { lat: 40.7128, lon: -74.0060, alt: 120 },
  gnss_velocity: { vx: 0, vy: 0, vz: 0 },  // GPS says stationary
  imu_accel:     { ax: 2.3, ay: 1.1, az: 0.2 }  // IMU says moving
});

console.log(integrity.spoof_detected);  // true
console.log(integrity.divergence_score); // 0.94

Meaconing — the electronic warfare technique in EW_CENTRAL — is the offensive counterpart to spoof detection. Instead of injecting a false position, meaconing captures legitimate GPS signals and rebroadcasts them with a delay. The receiver locks to the rebroadcast, which appears to originate from the same satellite geometry but carries time-delayed data. The vehicle drifts from its actual position without the hard discontinuity that naive spoof detection looks for.

It's a subtler attack. The divergence score climbs slowly rather than spiking. The countermeasure is tighter IMU cross-validation thresholds and timestamp integrity checking — both of which DuckHunter's research mode lets you tune and test.
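The two detection ideas in this section, GNSS-versus-IMU divergence for a hard spoof and slower drift plus timestamp consistency for meaconing, fit in one monitor. The following is an added example, not TRACK_LOCK's validateParity: it dead-reckons velocity from accelerometer data, scores the mismatch against the GNSS-reported velocity both instantaneously and as a smoothed drift, and checks that GNSS time keeps a constant offset from the receiver's own clock (a rebroadcast with a growing delay shows up as that offset sliding). Frames are simplified: the IMU acceleration is assumed to already be in the navigation frame with gravity removed, and all three epoch sequences are constructed for the example.

```javascript
// Added example (not DuckHunter code): GNSS/IMU cross-validation covering a hard spoof,
// a slow velocity drift, and a GNSS-time offset shift. Units: s, m/s, m/s^2.
// Epoch shape (constructed): { t_local, t_gnss, gnss_vel: {x,y,z}, imu_accel: {x,y,z} }

const V_FLOOR = 1.0; // m/s; keeps the ratio well behaved near hover

const vsub = (a, b) => ({ x: a.x - b.x, y: a.y - b.y, z: a.z - b.z });
const vnorm = (v) => Math.hypot(v.x, v.y, v.z);

class GnssIntegrityMonitor {
  constructor(opts = {}) {
    this.instantThreshold = opts.instantThreshold ?? 0.5; // one-epoch divergence: hard spoof
    this.driftThreshold = opts.driftThreshold ?? 0.15;    // smoothed divergence: slow drift
    this.driftAlpha = opts.driftAlpha ?? 0.1;             // EWMA weight of the newest epoch
    this.clockSlack = opts.clockSlack ?? 0.02;            // s; allowed change of (t_gnss - t_local)
    this.vImu = { ...(opts.initialVelocity ?? { x: 0, y: 0, z: 0 }) };
    this.drift = 0;
    this.prev = null;
    this.clockOffset = null; // t_gnss - t_local seen at the first epoch
  }

  update(e) {
    const reasons = [];
    if (this.prev) {
      const dt = e.t_local - this.prev.t_local;
      // Dead-reckon velocity from the accelerometers; this path never touches GNSS.
      this.vImu.x += e.imu_accel.x * dt;
      this.vImu.y += e.imu_accel.y * dt;
      this.vImu.z += e.imu_accel.z * dt;
      if (e.t_gnss <= this.prev.t_gnss) reasons.push("gnss_time_not_monotonic");
    }
    // Live signals keep GNSS time in lock-step with the receiver clock; a delayed
    // rebroadcast makes the offset move by the amount of the delay.
    const offset = e.t_gnss - e.t_local;
    if (this.clockOffset === null) this.clockOffset = offset;
    else if (Math.abs(offset - this.clockOffset) > this.clockSlack) reasons.push("gnss_time_offset_shift");

    // Velocity mismatch normalised by the larger speed, so hover and cruise compare alike.
    const dv = vnorm(vsub(this.vImu, e.gnss_vel));
    const score = Math.min(1, dv / Math.max(vnorm(this.vImu), vnorm(e.gnss_vel), V_FLOOR));
    this.drift = this.driftAlpha * score + (1 - this.driftAlpha) * this.drift;
    if (score > this.instantThreshold) reasons.push("velocity_divergence");
    if (this.drift > this.driftThreshold) reasons.push("velocity_drift");

    this.prev = e;
    return {
      spoof_detected: reasons.length > 0,
      divergence_score: Number(score.toFixed(3)),
      drift_score: Number(this.drift.toFixed(3)),
      reasons,
    };
  }
}

// Feed a sequence of epochs and return the report for the final one.
function runScenario(epochs, opts) {
  const mon = new GnssIntegrityMonitor(opts);
  let report = null;
  for (const e of epochs) report = mon.update(e);
  return report;
}

// Constructed 10 Hz epochs; GNSS time starts at an arbitrary 1000 s.
const makeEpochs = (n, fn) =>
  Array.from({ length: n }, (_, k) => ({ t_local: k * 0.1, t_gnss: 1000 + k * 0.1, ...fn(k) }));

// A: hard spoof. GNSS claims hover while the IMU shows steady acceleration.
const hardSpoof = makeEpochs(10, () => ({
  gnss_vel: { x: 0, y: 0, z: 0 }, imu_accel: { x: 2.3, y: 1.1, z: 0.2 } }));
// B: meaconing. Velocity is consistent, but the rebroadcast delay grows 10 ms per epoch.
const meaconed = makeEpochs(10, (k) => ({
  t_gnss: 1000 + k * 0.1 - 0.01 * k, gnss_vel: { x: 2, y: 0, z: 0 }, imu_accel: { x: 0, y: 0, z: 0 } }));
// C: slow drift. GNSS under-reports cruise speed by 0.3 m/s; no single epoch is alarming.
const slowDrift = makeEpochs(20, () => ({
  gnss_vel: { x: 1.7, y: 0, z: 0 }, imu_accel: { x: 0, y: 0, z: 0 } }));

const cruise = { initialVelocity: { x: 2, y: 0, z: 0 } };
const reportA = runScenario(hardSpoof);
const reportB = runScenario(meaconed, cruise);
const reportCLoose = runScenario(slowDrift, cruise);                             // default 0.15
const reportCTight = runScenario(slowDrift, { ...cruise, driftThreshold: 0.1 }); // tightened
console.log({ reportA, reportB, reportCLoose, reportCTight });
```

Scenario C is the one that shows why the threshold matters: a 0.15 divergence never trips the instantaneous check, and with the default drift threshold the monitor stays quiet, while the tightened threshold flags it after about a second of smoothing. Scenario B is caught by the clock check alone, with a divergence score of zero, which is exactly the case velocity comparison cannot see.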

Hardware Integration

The simulation layer is where you build the understanding. The SDR hardware integration is where you validate it.

HWD_BRIDGE uses WebUSB to connect directly to RTL-SDR and HackRF One hardware from the browser environment — no driver installation, no intermediary daemon, USB claiming handled natively. The I/Q sample pipeline routes raw radio data from the hardware into the visualizer, turning the simulation interface into a live instrument.

RTL-SDR is the entry point: a $30 receiver that covers the frequency range drone links operate in. Receive-only, but sufficient for passive reconnaissance — spectrum analysis, protocol identification, HEARTBEAT capture, PSD visualization. HackRF One adds transmit capability for controlled injection exercises, which is where the legal framework in the Tactical Disclaimer becomes relevant. Transmitting on drone control frequencies outside a shielded environment is a federal offense in most jurisdictions. The Faraday cage requirement is not a suggestion.

The architecture matters here. Browser-native SDR access via WebUSB means the entire research stack runs locally with zero external dependencies. No cloud backend, no telemetry, no data leaving the machine. For research involving sensitive RF environments or proprietary protocol data, that's the correct posture.
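The browser side of that pipeline is short. The following is an added example, not HWD_BRIDGE's code: it asks the user for a supported SDR over WebUSB, claims it, pulls bulk transfers, converts the raw 8-bit interleaved I/Q bytes to floats, and reports block power. The vendor/product IDs are the standard ones for RTL2832U sticks and HackRF One, the bulk IN endpoint (1) and the two sample formats (unsigned centred on 127.5 for RTL-SDR, signed for HackRF) are the documented ones for those devices. Tuner configuration (frequency, sample rate, gain) is sent with device-specific control transfers and is not shown; the byte record used for the check is constructed.

```javascript
// Added example (not DuckHunter code): WebUSB I/Q plumbing and raw-sample conversion.
// streamIq() is browser-only; iqFromRaw() and blockPowerDb() run anywhere.

const SDR_FILTERS = [
  { vendorId: 0x0bda, productId: 0x2838, name: "RTL-SDR (RTL2832U)", signedSamples: false },
  { vendorId: 0x1d50, productId: 0x6089, name: "HackRF One", signedSamples: true },
];

// Convert interleaved 8-bit I/Q bytes to floats in [-1, 1].
// RTL-SDR emits unsigned samples centred on 127.5; HackRF emits signed samples.
function iqFromRaw(bytes, signedSamples) {
  const n = Math.floor(bytes.length / 2); // a trailing odd byte is dropped
  const i = new Float32Array(n), q = new Float32Array(n);
  for (let k = 0; k < n; k++) {
    const rawI = bytes[2 * k], rawQ = bytes[2 * k + 1];
    if (signedSamples) {
      i[k] = ((rawI << 24) >> 24) / 128;   // sign-extend int8
      q[k] = ((rawQ << 24) >> 24) / 128;
    } else {
      i[k] = (rawI - 127.5) / 127.5;
      q[k] = (rawQ - 127.5) / 127.5;
    }
  }
  return { i, q };
}

// Mean power of a block in dBFS: the number a strength-versus-time display plots.
function blockPowerDb({ i, q }) {
  let acc = 0;
  for (let k = 0; k < i.length; k++) acc += i[k] * i[k] + q[k] * q[k];
  return 10 * Math.log10(acc / i.length + 1e-20);
}

// Ask the user for a supported SDR, claim it, and hand each bulk transfer to onBlock().
// Return false from onBlock() to stop. Requires a WebUSB-capable browser and a user gesture.
async function streamIq(onBlock, { transferBytes = 262144 } = {}) {
  const filters = SDR_FILTERS.map(({ vendorId, productId }) => ({ vendorId, productId }));
  const device = await navigator.usb.requestDevice({ filters });
  const profile = SDR_FILTERS.find((f) => f.vendorId === device.vendorId && f.productId === device.productId);
  await device.open();
  if (device.configuration === null) await device.selectConfiguration(1);
  await device.claimInterface(0);
  // Tuner setup (frequency, sample rate, gain) via device.controlTransferOut() is device-specific
  // and omitted here; without it the device will not stream.
  for (;;) {
    const result = await device.transferIn(1, transferBytes);
    if (result.status !== "ok") throw new Error(`USB transfer ${result.status}`);
    const bytes = new Uint8Array(result.data.buffer, result.data.byteOffset, result.data.byteLength);
    if (onBlock(iqFromRaw(bytes, profile.signedSamples)) === false) break;
  }
  await device.close();
}

// Constructed block: what an RTL-SDR would send for a full-scale tone at fs/4
// (I/Q pairs stepping through 0, 90, 180, 270 degrees, twice).
const RTL_BLOCK = Uint8Array.from([255, 128, 128, 255, 0, 128, 128, 0, 255, 128, 128, 255, 0, 128, 128, 0]);
console.log(blockPowerDb(iqFromRaw(RTL_BLOCK, false))); // about 0 dBFS
```

Keeping the conversion and the power calculation separate from the USB loop is what makes the same visualizer usable against simulated I/Q and against live hardware: the loop only changes where the bytes come from.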

What This Is Actually For

The drone security research community is small and the attack surface is underexamined relative to its real-world exposure. Commercial drone deployments are accelerating across logistics, infrastructure inspection, agriculture, and public safety. The protocols those drones run on were designed for hobbyists. The gap between deployment scale and security maturity is significant and widening.

DuckHunter exists to give researchers a high-fidelity environment for understanding that gap — what the RF surface looks like, how MAVLink actually behaves under interception, where GPS integrity breaks, what electronic warfare techniques look like in practice. The simulation layer means you can develop that understanding without transmitting a single watt. The hardware bridge means you can validate it in a controlled environment when you're ready.

The legal perimeter is yours to secure. The platform is the research.


github.com/ghostintheprompt/duckhunter-drone-defense-laboratory


GhostInThePrompt.com // The HEARTBEAT was unsigned. The rest was methodology.