Author Topic: DJI Drone DroneID Signal Hacked Using SDR - Identifies Operator Location  (Read 2409 times)


TomKatt (Topic starter)
Remote ID for drones has been a hot topic, especially with many global regulators including the US FAA mandating this tracking signal feature be included in all consumer drones.  The RID subject has caused a lot of concern on all sides, including drone operators concerned that transmitting their control location on the ground and possibly even identifying individuals could introduce personal security risks.  DJI, the largest consumer drone manufacturer based in China, has claimed this information is encrypted.  However, it appears that some German researchers have used SDR components to reverse engineer the DJI broadcast and have proven this information is transmitted unencrypted.

As an electronics enthusiast, I always find reverse engineering interesting.  As a drone hobbyist I find the results a bit concerning, but not completely unexpected.  And as always, there is a China component involved and you can never really know what the firmware in your products is doing.  As it is now, the DJI mobile app is not permitted on the Google Play store for reasons that have never been officially identified, but surmised to be due to DJI updating their software from their own servers rather than through the Google Play store which prevents Google from analyzing the software for any malicious content.  This forces Android users to sideload the official app, which is not a good security practice IMO.

Project GitHub with link to whitepaper: https://github.com/RUB-SysSec/DroneSecurity

Edit - I mischaracterized DJI's 'DroneID' as the legal requirement RemoteID.  These are not the same thing, and DJI is basically transmitting this information for its own purposes rather than to meet any legal requirement.  To some degree, that only seems to add further intrigue to the issue.

« Last Edit: March 03, 2023, 02:56:38 pm by TomKatt »
Several Species of Small Furry Animals Gathered Together in a Cave and Grooving with a PIC
 

Faranight
I'm surprised there aren't more hardware hackers present on this forum who'd be very keen to dive into this stuff. I did a quick read of the paper, and there seems to be some pretty interesting stuff in there. Especially the part where the company went through the trouble to implement their own radio IC and the packet structure of the transmitter frames. Reverse engineering these can be pretty fun, and the fact that you can uncover many manufacturers' dirty secrets (i.e. frames weren't encrypted at all like they initially claimed).
e-Mail? e-Fail.
 

TomKatt (Topic starter)
Consumer electronics already has a rather poor track record for any type of data security...  Like anything else, good design engineering costs money.   I'm guessing that anything wireless might possibly be designed with even less scrutiny due to the perception that it's difficult to intercept or decode the data stream.  But as this topic shows, SDR technology has made RF transmission nearly just as easily accessed as anything with a direct wired connection.

Police and other emergency services broadcast unencrypted in the state that I live in.  My $20 TV dongle SDR receiver works just as well as my Uniden scanner, and actually has a wider frequency range.  Toss in some open source software and you can even decode digital broadcasts.  Really quite interesting.
 

buta
Most of the drones use 2.4 GHz, however a $20 TV dongle SDR does not work at 2.4 GHz.
 

tomnut
There's quite a lot written about this in Wired and Verge. Also I found a detailed procedure for Ukrainian soldiers to avoid being targeted. Something like this:

1. Turn off location services, GPS etc on your phone
2. Walk 100 m down the road, put down drone, turn on.
3. Walk back to your foxhole, then only turn on the remote.
4. Don't fly it right back to you either...

And they attach this quite dramatic video of someone doing it wrong:

 

