A DJI drone’s radio signals can reveal its pilot’s GPS coordinates in real time, researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security have found. They reverse engineered DJI’s DroneID communications system and, by capturing a drone’s radio signals, recovered the pilot’s GPS coordinates as the drone flew.
The researchers presented this tool at the Network and Distributed System Security Symposium (NDSS), held in San Diego between February 27 and March 3.
DroneID is a radio protocol used by DJI that transmits the drone’s GPS location, a unique identifier and the GPS coordinates of its operator. The system was designed to let governments, regulators and law enforcement agencies track drones and prevent abuse. However, hackers and security researchers alike have warned that, because the protocol is not encrypted, that sensitive information is exposed to anyone able to receive the radio signal.
The German researchers, as well as a researcher working separately at the University of Tulsa, have demonstrated that captured DroneID radio signals can be decoded and read, allowing anyone listening to locate a drone’s operator wherever they are standing. The tool is publicly available on GitHub, and the accompanying research paper was presented at NDSS 23.
To get there, the researchers analysed DJI’s drone firmware and radio communications to reverse engineer DroneID itself, then built a tool that receives DroneID transmissions with either an Ettus software-defined radio or a cheap HackRF radio. This means that, for a cost ranging from a few hundred to a few thousand dollars, anyone can fully decode DroneID transmissions, much as DJI’s own Aeroscope does.
Aeroscope is a suitcase-sized device that DJI sells to government regulators and law enforcement so they can receive and decode DroneID data, revealing the location of any drone and its operator from as far as 30 miles away. DJI advertises DroneID and Aeroscope as civilian security devices.
As DJI drones have come into increasing use in war zones, especially in the Russia-Ukraine conflict, DJI maintained that DroneID had always been encrypted, meaning no one without an Aeroscope device could read DroneID signals. The statement was a direct response to the Verge’s reporting on Russian drone operators tracking Ukrainian troops by capturing DroneID signals from the Ukrainian drones themselves.
DJI later admitted to the Verge that DroneID was, in fact, unencrypted after security researcher Kevin Finisterre demonstrated that DroneID data could be intercepted with an Ettus software-defined radio, a commercially available device that sells for a little over $1,000.