DJI DRONE OPERATOR’S LOCATION CAN EASILY BE INTERCEPTED
Hackers, or security researchers, have figured out how to decode the radio signals that every DJI drone sends out. This lets them know exactly where the DJI drone operator is.
At the Network and Distributed System Security Symposium (NDSS) in San Diego last week, security researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security showed how they could decode the radio signals of DJI drones.
By reverse engineering the drone’s radio protocol, called Drone ID, they discovered that every DJI drone’s Drone ID communications broadcast not only its own GPS location and a unique identifier but also the GPS coordinates of its operator.
This means that anyone with cheap radio hardware and access to a new software tool can intercept and decode the drone’s broadcasts to pinpoint the operator’s location, potentially posing serious security and privacy concerns.
The Drone ID system (better known as DJI AeroScope) was developed to give governments, regulators, and law enforcement agencies the ability to track drones and stop their inappropriate use.
But hackers and security researchers have been warning for a year that Drone ID is not encrypted, contrary to what DJI originally stated, and is accessible to anyone who can intercept its radio transmissions. This vulnerability exists because Drone ID does not use a public key infrastructure.
Along with a researcher from the University of Tulsa, researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security have proven how the signal can be fully decoded and read.
This enables any hacker to monitor the drone’s operator, even if they are miles away, WIRED reports.
The German research group has made their preliminary results on how to collect and decode Drone ID data publicly available through the deployment of a prototype tool.
Their findings have been published in a report titled “Drone Security and the Mysterious Case of DJI’s Drone ID.”
In the report, the researchers conclude: “We show that the transmitted data is not encrypted, but accessible to anyone, compromising the drone operator’s privacy. Second, we conduct a comprehensive analysis of drone security: Using a combination of reverse engineering, a novel fuzzing approach tailored to DJI’s communication protocol, and hardware analysis, we uncover several critical flaws in drone firmware that allow attackers to gain elevated privileges on two different DJI drones and their remote control.”
Having such complete access to the system makes it possible to disable or get around countermeasures and abuse drones.
“In total, we found 16 vulnerabilities, ranging from denial of service to arbitrary code execution. 14 of these bugs can be triggered remotely via the operator’s smartphone, allowing us to crash the drone mid-flight,” the researchers explain.
In April last year, DJI confessed to The Verge that the broadcasts were, in fact, not encrypted after it was demonstrated by security researcher Kevin Finisterre that certain Drone ID data could be intercepted using a commercially available Ettus software-defined radio.
Professional drone operators should take note when flying drones at locations that are vulnerable to a targeted drone failure.