With a cheap radio system and homemade software, German researchers managed to capture the signal from a DJI drone and analyze it. Among the data collected is the precise geolocation of the operator. Good news for authorities seeking to unmask the author of an unauthorized overflight; bad news for the Ukrainian fighters who use these drones.
With the war in Ukraine, consumer drones have lost their share of innocence. The somewhat expensive toy has turned, in large numbers, into a low-cost weapon of war. Drones like the DJI Mavic, the Autel EVO, and sometimes even the French Parrot find themselves close to the front line, carrying out surveillance operations at high altitude to detect the enemy and adjust artillery fire.
Some models can even carry and drop light munitions to bombard groups of soldiers, logistics vehicles and armored vehicles whose hatches have been left open. The operator is miles from the contact zone. Knowing he is vulnerable, he must quickly leave his position when his drone returns. But the threat to the remote pilot could well increase in the near future.
At the Network and Distributed System Security Symposium (NDSS), a security conference held in San Diego (USA) this week, German researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security showed that they were able to pick up and decode communications between a drone and the operator’s radio controller.
The researchers specifically targeted the DJI brand, which is by far the most widespread. When the drone is in the air, it transmits both its own GPS position and a unique identifier, and it also broadcasts the coordinates of the operator. This system, called DroneID, also allows the authorities to detect drones and find their operators during “wild”, that is to say unauthorized, flights, as has happened several times in France. The problem is precisely that, contrary to what DJI claimed, this DroneID signal is not encrypted, so anyone with a suitable radio receiver can intercept and read it.
The equivalent of DJI’s Aeroscope device
For the researchers, this lack of encryption is a real flaw because, once you know how to read the data that passes through, it is possible to geolocate the remote pilot precisely. To capture this data, the researchers used a radio that costs only a few hundred dollars, an Ettus or HackRF model. With their in-house software, they limited themselves to intercepting the communications of a DJI drone at very low altitude and at short range. But there is no reason the system could not work at a greater distance with changes to the radio receiver.
While DJI drones are the ones primarily affected by this lack of confidentiality, it is above all a problem for the soldiers who use them on the front in Ukraine. For other brands, this kind of identifier is already mandatory in Europe but remains optional in other countries. In the United States, an identifier equivalent to DroneID will also be imposed on manufacturers of consumer drones from September. Suffice to say that all brands will integrate it.
Whether you are concerned about your privacy or find yourself in a war zone, the result will obviously not be the same. In any case, the Chinese company DJI is not particularly pleased with the use of its drones on the Ukrainian battlefield, whether by the Ukrainian or the Russian military. The latter also use a tool that makes it possible to collect the DroneID of the brand’s aircraft. This device, called Aeroscope, is sold by DJI to governments and can identify the position of the drone and its operator up to a distance of nearly 50 kilometers. Normally designed to detect drone intrusions near airports or at public events, it ultimately offers the same thing as the equipment built by the German researchers.