Hackers, or security researchers, have figured out how to decode the radio signals that every DJI drone sends out. This lets them know exactly where the DJI drone operator is.
At the Network and Distributed System Security Symposium (NDSS) in San Diego last week, security researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security showed how they could decode the radio signals of DJI drones.
By reverse engineering the drone's radio protocol, called DroneID, they discovered that every DJI drone's DroneID communications broadcast not only its own GPS location and a unique identifier but also the GPS coordinates of its operator.
This means that anyone with cheap radio hardware and access to a new software tool can intercept and decode the drone's broadcasts to pinpoint the operator's location, potentially posing serious security and privacy concerns.
The DroneID system (better known as DJI Aeroscope) was developed to give governments, regulators, and law enforcement agencies the ability to track drones and stop the inappropriate use of them.
But hackers and security researchers have been warning for a year that DroneID is not encrypted, contrary to what DJI originally stated, and is accessible to anyone who can intercept its radio transmissions. This vulnerability exists because DroneID does not use a public key infrastructure.
Along with a researcher from the University of Tulsa, researchers from Ruhr University Bochum and the CISPA Helmholtz Institute for Information Security have proven how the signal can be fully decoded and read.
This enables any hacker to monitor the drone's operator, even if they are miles away, WIRED reports.
The German research group has made their preliminary results on how to collect and decode DroneID data publicly available through the deployment of a prototype tool.
Their findings have been published in a report titled “Drone Security and the Mysterious Case of DJI's DroneID.”
In the report, the researchers conclude: “We show that the transmitted data is not encrypted, but accessible to anyone, compromising the drone operator's privacy. Second, we conduct a comprehensive analysis of drone security: Using a combination of reverse engineering, a novel fuzzing approach tailored to DJI's communication protocol, and hardware analysis, we uncover several critical flaws in drone firmware that allow attackers to gain elevated privileges on two different DJI drones and their remote control.”
Having such complete access to the system makes it possible to disable or get around countermeasures and abuse drones.
“In total, we found 16 vulnerabilities, ranging from denial of service to arbitrary code execution. 14 of these bugs can be triggered remotely via the operator's smartphone, allowing us to crash the drone mid-flight,” the researchers explain.
In April last year, DJI confessed to The Verge that the broadcasts were, in fact, not encrypted after it was demonstrated by security researcher Kevin Finisterre that certain DroneID data could be intercepted using a commercially available Ettus software-defined radio.
Popular DJI drone models already broadcast operator's location
The German researchers have now taken the investigation into DJI's initial encryption claim one step further, reverse engineering DroneID by studying the firmware of a DJI drone as well as the radio communications between the drone and its controller.
They made a device that can pick up DroneID transmissions with either an Ettus software-defined radio or a much cheaper HackRF radio.
With this set-up and their software, it is possible to correctly decode the signal and find out where the drone operator is, just like DJI's Aeroscope does.
This new data draws attention to the substantial concerns regarding privacy and operational security that are raised by DroneID, in particular for operators of DJI drones that are used in conflict zones.
Because DroneID broadcasts an operator's location, it can draw the attention of hostile forces, putting the operator's safety in jeopardy.
DJI has yet to respond to the DroneID concerns
WIRED reached out to DJI for clarification on the DroneID issue and the fact that unencrypted location data of DJI drone operators is being broadcast, but the dronemaker has yet to respond.
Schulman says that DJI made DroneID because the U.S. Government wanted a system for keeping track of drones.
Under this system, drone manufacturers would send out the location of the operator and a unique identifier for the drone. This information would be easy for anyone to find.
“FAA's mandatory Remote ID will not only be unencrypted, but by design accessible to everyone nearby with a smartphone. AeroScope was from its start in 2017, a proof-of-concept for FAA/EASA drone Remote ID,” Schulman explained last year.
The Federal Aviation Administration (FAA) and other government organizations were interested in putting the system into place because it would improve public safety.
Schulman also said that the problem is not unique to DJI and that when the FAA Remote ID requirements become mandatory later this year, it is likely that all consumer drones will have a system similar to the one described above.
Schulman's answer didn't say anything about the fact that most DJI drone owners probably don't know that their drones already send out information about where the operator is located.
According to Bender of the University of Tulsa, this lack of openness from DJI has led to confusion among users.
DJI's own Aeroscope devices are not the only ones capable of intercepting the unencrypted location data broadcast by DJI's drones; anyone with a low-cost receiver and the appropriate software can do it as well.
This will likely have significant repercussions for the ways in which drones are utilized in conflict zones and other hostile environments.
Photos courtesy of Ruhr University Bochum and CISPA Helmholtz Center for Information Security