Original story on Wired.
Every DJI quadcopter broadcasts its operator’s position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates.
There’s a reason consumer drones have evolved from an expensive toy into a tool of war: They can perform high-altitude surveillance, carry out reconnaissance, or even deploy weapons, with their operator safely hidden as far as miles away. But hackers are revealing that for quadcopters sold by the world’s biggest drone manufacturer, operators aren’t nearly as hidden as they might think. In fact, these small flying machines are continually broadcasting their pilots’ exact locations from the sky, and anyone with some cheap radio hardware and a newly released software tool can eavesdrop on those broadcasts and decode them to extract their coordinates.
At the Network and Distributed System Security Symposium (NDSS) in San Diego this week, researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security demonstrated that they were able to reverse engineer the radio signals of drones sold by DJI, the leading manufacturer of consumer quadcopter drones, to decode a radio protocol they use called DroneID. By deconstructing this signal, the researchers could see that every DJI drone’s DroneID communications transmit not only its own GPS location and a unique identifier for that drone, but also the GPS coordinates of its operator.
A screenshot of the German researchers’ tool shows how it decodes the radio broadcasts of a DJI drone to extract both the drone and operator locations.
That DroneID system was designed to allow governments, regulators, and law enforcement to monitor drones and prevent their abuse. But hackers and security researchers have warned for the past year that DroneID is unencrypted and open to anyone who can receive its radio signals. The German researchers, as well as another researcher working separately at the University of Tulsa, have now shown just how completely that signal can be decoded and read, allowing any hacker who can eavesdrop on DroneID to pinpoint a drone’s hidden operator, even if that drone pilot is miles away.
To publicly prove their findings, the German group has released a prototype tool that receives and decodes DroneID data.
The researchers’ discovery—and their public tool—provide new evidence of the serious privacy and operational security concerns DroneID presents for operators, especially considering that DJI drones are now often used in war zones, where revealing a drone operator’s location can draw enemy fire. And while DJI has an enormous majority share of the consumer drone market, the problem will only grow when new US Federal Aviation Administration regulations go into effect in September, mandating that all consumer drones implement systems similar to DroneID.
“This is a big problem, right?” says Moritz Schloegel, one of the Ruhr University graduate researchers presenting the DroneID findings at NDSS. “You might think your drone transmits its position. But suddenly, it’s transmitting your position as well. Whether you’re privacy-minded or you’re in a conflict zone, nasty stuff can happen.”
DJI’s DroneID became the subject of controversy last spring when the Ukrainian government criticized the company because Russian military forces were using DJI drones for their missile targeting and using the radio signals broadcast from Ukraine’s own DJI drones to locate Ukrainian military personnel. China-based DJI has long sold a suitcase-sized device called Aeroscope to government regulators and law enforcement agencies that allows them to receive and decode DroneID data, determining the location of any drone and its operator from as far as 30 miles away.
DJI’s DroneID and Aeroscope devices are advertised for civilian security uses, like preventing disruptions of airport runways, protecting public events, and detecting efforts to smuggle cargo into prisons. But Ukraine’s vice minister of defense wrote in a letter to DJI that Russia had repurposed Aeroscope devices from Syria to track Ukrainian drones and their operators, with potentially deadly consequences.
DJI responded by warning against any military use of its consumer drones and later cutting off all sales of its drones to both Ukraine and Russia. It also initially claimed in response to The Verge’s reporting on the controversy that DroneID was encrypted, and thus inaccessible to anyone who didn’t have its carefully controlled Aeroscope devices. But DJI later admitted to The Verge that the transmissions were not in fact encrypted, after security researcher Kevin Finisterre showed that he could intercept some DroneID data with a commercially available Ettus software-defined radio.
The German researchers—who also helped debunk DJI’s initial encryption claim—have gone further. By analyzing the firmware of a DJI drone and its radio communications, they’ve reverse engineered DroneID and built a tool that can receive DroneID transmissions with an Ettus software-defined radio or even the much cheaper HackRF radio, which sells for just a few hundred dollars compared to over $1,000 for most Ettus devices. With that inexpensive setup and their software, it's possible to fully decode the signal to find the drone operator’s location, just as DJI’s Aeroscope does.
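To make the leak concrete, here is an added Python example. It is not the researchers’ tool and it does not use DJI’s real DroneID encoding, which this article does not document; instead it decodes a constructed, hypothetical fixed-width frame that carries only the three fields the article says every DroneID broadcast contains (the drone’s GPS position, a unique serial, and the operator’s GPS position), range-checks the coordinates, and works out how far, and in which direction, the operator stands from the drone. The byte layout, the 1e7 scale factor, the serial string and the sample coordinates are all assumptions made for this illustration.

```python
"""Added example: decoding a hypothetical DroneID-style frame.

The layout is CONSTRUCTED for illustration and is not DJI's actual DroneID
encoding (the article does not document the wire format). It keeps only the
three fields the article says every frame carries: drone position, a unique
serial and the operator's position.
"""
import math
import struct
from dataclasses import dataclass

# Assumed layout: 16-byte NUL-padded ASCII serial, then four little-endian
# signed 32-bit fields (drone lat, drone lon, operator lat, operator lon),
# each in degrees scaled by 1e7 (roughly 1 cm of resolution).
FRAME_FMT = "<16s4i"
FRAME_LEN = struct.calcsize(FRAME_FMT)  # 32 bytes
SCALE = 1e7
EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class DroneIdFrame:
    serial: str
    drone_lat: float
    drone_lon: float
    operator_lat: float
    operator_lon: float


def encode_frame(frame: DroneIdFrame) -> bytes:
    """Build a frame in the assumed layout (used here to construct samples)."""
    serial = frame.serial.encode("ascii")[:16].ljust(16, b"\0")
    fields = (frame.drone_lat, frame.drone_lon, frame.operator_lat, frame.operator_lon)
    return struct.pack(FRAME_FMT, serial, *(int(round(v * SCALE)) for v in fields))


def decode_frame(raw: bytes) -> DroneIdFrame:
    """Parse one raw frame; anything of the wrong length is rejected."""
    if len(raw) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} bytes, got {len(raw)}")
    serial, dlat, dlon, olat, olon = struct.unpack(FRAME_FMT, raw)
    return DroneIdFrame(
        serial=serial.rstrip(b"\0").decode("ascii", errors="replace"),
        drone_lat=dlat / SCALE,
        drone_lon=dlon / SCALE,
        operator_lat=olat / SCALE,
        operator_lon=olon / SCALE,
    )


def validate(frame: DroneIdFrame) -> list[str]:
    """List implausible fields (empty when the fix looks sane).

    A passive receiver sees corrupted and possibly spoofed broadcasts, so
    coordinates are range-checked before anyone acts on them.
    """
    problems = []
    for name, value, limit in (
        ("drone_lat", frame.drone_lat, 90.0),
        ("drone_lon", frame.drone_lon, 180.0),
        ("operator_lat", frame.operator_lat, 90.0),
        ("operator_lon", frame.operator_lon, 180.0),
    ):
        if not -limit <= value <= limit:
            problems.append(f"{name} out of range: {value}")
    if not frame.serial:
        problems.append("empty serial")
    return problems


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def bearing_deg(lat1, lon1, lat2, lon2) -> float:
    """Initial compass bearing (0 = north, 90 = east) from point 1 to point 2."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    x = math.sin(dlam) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlam)
    return math.degrees(math.atan2(x, y)) % 360.0


def operator_offset(frame: DroneIdFrame) -> tuple[float, float]:
    """(distance_m, bearing_deg) from the drone to its operator: the piece of
    information the article says an eavesdropper recovers from the broadcast."""
    args = (frame.drone_lat, frame.drone_lon, frame.operator_lat, frame.operator_lon)
    return haversine_m(*args), bearing_deg(*args)


# Constructed sample: drone over downtown San Diego, pilot about 1 km due north.
SAMPLE = DroneIdFrame("EXAMPLE-SERIAL-1", 32.7157, -117.1611, 32.7247, -117.1611)
SAMPLE_RAW = encode_frame(SAMPLE)

if __name__ == "__main__":
    frame = decode_frame(SAMPLE_RAW)
    print(frame, validate(frame) or "fields plausible")
    dist, brg = operator_offset(frame)
    print(f"operator is {dist:.0f} m from the drone at bearing {brg:.0f} degrees")
```

The point of the `validate` step is that an eavesdropper, or a defender building a counter-drone receiver, cannot assume the broadcast is honest: nothing in an unencrypted, unauthenticated frame stops a third party from transmitting fabricated positions, so a decoder should treat implausible coordinates as noise rather than as a target fix.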
While the German researchers only tested their radio eavesdropping on a DJI drone from ranges of 15 to 25 feet, they say they didn’t attempt to optimize for distance, and they believe they could extend that range with more engineering. Another hacker, University of Tulsa graduate researcher Conner Bender, quietly released a pre-publication paper last summer with similar findings that will be presented at the CyCon cybersecurity conference in Estonia in late May. Bender found that his HackRF-based system with a custom antenna could pick up DroneID data from hundreds or thousands of feet away, sometimes as far as three-quarters of a mile.
WIRED reached out to DJI for comment in multiple emails, but the company hasn’t responded. The former DJI executive who first conceived of DroneID, however, offered his own surprising answer in response to WIRED’s query: DroneID is working exactly as it’s supposed to.
Brendan Schulman, DJI’s former VP of policy and legal affairs, says he led the company’s development of DroneID in 2017 as a direct response to US government demands for a drone-monitoring system, and that it was never intended to be encrypted. The FAA, federal security agencies, and Congress were strongly pushing at the time for a system that would allow anyone to identify a drone—and its operator’s location—as a public safety mechanism, not with hacker tools or DJI’s proprietary ones, but with mobile phones and tablets that would allow for easy citizen monitoring.
“As we were told in 2017 during a summer-long FAA advisory committee process, the location of the operator is an essential aspect of remote identification for US government security purposes,” Schulman says. “And the US government wanted members of the public to have access to that information, just like how a car’s license plate is accessible to everyone who can see it, so they can file a report with authorities if they have concerns about how a drone is being used.”
Schulman notes that he advocated for that broadcasting system over what he saw as a far more invasive suggestion from the government, that drone makers should both broadcast operators’ locations and connect all drones to a network of drone-monitoring services that would record every operator’s detailed flight records in government-accessible databases. He also notes that the DroneID issue isn’t unique to DJI: He expects that all consumer drones will have a function similar to DroneID when the new FAA regulations take effect later this year.
But none of that changes the fact that DJI drone operators don’t expect to have their locations revealed by their drone’s radio broadcasts, says University of Tulsa’s Bender. “The average drone user definitely doesn’t know that their location is being broadcasted in a way anyone with a cheap receiver can view in real time,” Bender says. He adds that DJI’s handling of the issue—claiming last year that the broadcast was encrypted when it wasn’t—further confused users. “I don’t know if they intentionally marketed Aeroscope this way, but they made it seem like you could really only intercept DroneID with this one device. And that wasn’t the case.”
Regardless of DJI’s motives in including drone pilots’ location in the data their drones continually transmit, the fact that this location data can be intercepted—not just with DJI’s Aeroscope devices but by any knowledgeable hacker—will have a significant impact on how the world’s most common quadcopter drones are used in war zones and other adversarial settings, says August Cole, a futurist and fellow at the Scowcroft Center for Strategy and Security at the Atlantic Council.
“The ability to ID an operator of a drone is sort of the holy grail right now in terms of targeting,” Cole says. “And to be able to do this so easily, when a drone maker adds that through either intentional or unintentional engineering, it’s a pretty profound revelation for this new kind of warfare.”