Researchers at Ruhr University Bochum and the CISPA Helmholtz Center for Information Security have detailed a range of security flaws in popular commercial drone models — and, to prove the point, have released a tool for receiving, decoding, and tracking a drone's unique ID using a software-defined radio, revealing its precise GPS-derived location.
"We showed that the transmitted data is not encrypted," explains project lead Nico Schiller, from the Horst Görtz Institute for IT Security at Ruhr University Bochum, of the problem behind the proprietary drone ID implementation from DJI, "and that practically anyone can read the location of the pilot and the drone with relatively simple methods."
Using a software-defined radio (SDR) to snoop on signals sent from the controller to the drone and vice versa, Schiller and colleagues were able to reverse-engineer DJI's proprietary communication protocol — including a protocol section dubbed "Drone-ID." This, the team explains, encodes not only a unique identifier for the drone in question but also the GPS-derived location of both the drone and its operator.
That wasn't the team's only discovery, either. Testing four commercial off-the-shelf drones — the DJI Mini 2, Air 2, Mavic 2, and Mavic 3 — with a fuzzing tool, the researchers were able to find a total of 16 vulnerabilities. Several of these resulted in the very literal crash of a drone in flight, while four were rated as serious in severity. "An attacker can thus change log data or the serial number and disguise their identity," says co-author Thorsten Holz of the impact of these flaws. "Plus, while DJI does take precautions to prevent drones from flying over airports or other restricted areas such as prisons, these mechanisms could also be overridden."
Before the flaws were publicly disclosed, the researchers communicated their findings to DJI — which, to its credit, has released updates fixing the majority of the vulnerabilities. The ability to decode the Drone-ID protocol and retrieve drone information and location, however, remains — and the researchers have published a tool for doing just that, either live with an SDR dongle or using pre-captured radio traffic.
The team presented its findings at the Network and Distributed System Security Symposium (NDSS) in San Diego this week, with a copy of the paper available as a PDF download under open-access terms. The researchers have also pledged to release the source code of the fuzzer used to discover the security vulnerabilities, though this was not yet available at the time of writing.
Main article image, Nico Schiller with DJI drone, courtesy of RUB/Marquard.