This study exposes a critical security vulnerability in deep reinforcement learning (DRL)-driven UAV navigation systems under GPS spoofing attacks. To address the Extended Kalman Filter (EKF)-based sensor fusion architecture in PX4 flight controllers, we propose the first hierarchical GPS spoofing model explicitly designed for physical feasibility and stealth. Our work is the first to systematically characterize the signal propagation mechanism through which DRL navigation policies—when tightly coupled with low-level flight control—amplify and misinterpret spoofed GPS measurements. Leveraging a lightweight spoofing model, co-designed attack scenarios, and dual validation via high-fidelity simulation and real-world flight tests on authentic PX4 hardware, we successfully induce DRL navigation failure and catastrophic collisions. Results demonstrate that current AI-based navigation systems exhibit severe security weaknesses at the localization layer, and that the EKF fusion process inadvertently exacerbates spoofing impact. This work establishes a new paradigm and empirical foundation for security assessment and robustness enhancement of AI-enabled UAVs.

Recently, approaches using Deep Reinforcement Learning (DRL) have been proposed to solve UAV navigation systems in complex and unknown environments. However, despite extensive research and attention, systematic studies on various security aspects have not yet been conducted. Therefore, in this paper, we conduct research on security vulnerabilities in DRL-based navigation systems, particularly focusing on GPS spoofing attacks against the system. Many recent basic DRL-based navigation systems fundamentally share an efficient structure. This paper presents an attack model that operates through GPS spoofing attacks briefly modeling the range of spoofing attack against EKF sensor fusion of PX4 autopilot, and combine this with the DRL-based system to design attack scenarios that are closer to reality. Finally, this paper experimentally demonstrated that attacks are possible both in the basic DRL system and in attack models combining the DRL system with PX4 autopilot system.