Remote ID for drones has been a hot topic, especially with many global regulators including the US FAA mandating this tracking signal feature be included in all consumer drones. The RID subject has caused a lot of concern on all sides, including drone operators concerned that transmitting their control location on the ground and possibly even identifying individuals could introduce personal security risks. DJI, the largest consumer drone manufacturer based in China, has claimed this information is encrypted. However, it appears that some German researchers have use SDR components to reverse engineer the DJI broadcast and have proven this information is transmitted unencrypted.
As an electronics enthusiast, I always find reverse engineering interesting. As a drone hobbyist I find the results a bit concerning, but not completely unexpected. And as always, there is a China component involved and you can never really know what the firmware in your products is doing. As it is now, the DJI mobile app is not permitted on the Google Play store for reasons that have never been officially identified, but surmised to be due to DJI updating their software from their own servers rather than through the Google Play store which prevents Google from analyzing the software for any malicious content. This forces Android users to sideload the official app, which is not a good security practice IMO.
Project GitHub with link to whitepaper:
https://github.com/RUB-SysSec/DroneSecurityEdit - I mischaracterized DJI's 'DroneID' as the legal requirement RemoteID. These are not the same thing, and DJI is basically transmitting this information for it's own purposes rather than to meet any legal requirement. To some degree, that only seems to add further intrigue to the issue.