Drones, locating the pilot is easier than you think

Drones

There's a reason consumer drones have morphed from expensive toys into tools of war: remotely piloted aircraft are capable of high-altitude surveillance or reconnaissance, and can now even use weapons, all while the human controlling them remains hidden miles away. However, some hackers are demonstrating that, at least for the quadcopters sold by the world's largest drone manufacturer, the position of the pilots is less hidden than one might think. In fact, while they are in the air, these small flying machines continuously transmit the exact position of the operators, allowing anyone with cheap radio equipment and recently released software to eavesdrop on the transmissions and decode them to obtain coordinates.

In on the occasion of the recent Network and distributed system security symposium (NDSS) in San Diego, California, researchers from the Ruhr University in Bochum and the Cispa Helmholtz center for information security demonstrated that they can reconstruct the radio signals of the drones sold by DJI, the leading manufacturer of consumer quadcopters, and decode the radio protocol they use, called DroneId . By breaking down the signal, the researchers found that communications made via DroneId from each DJI drone transmit not only the GPS position and a unique identifier of the aircraft, but also the GPS coordinates of its operator.

Privacy and security breach

The DroneId system was designed to allow governments, regulators and law enforcement agencies to monitor drones and prevent abuse. But hackers and security researchers have been reporting for a year now that DroneId is not encrypted and is accessible to anyone who can intercept its radio signals. Now a group of German researchers, together with a colleague from the University of Tulsa, have demonstrated how the signal can be completely decoded and read, allowing any hacker capable of intercepting DroneId to locate the drone operator, even if he were to be found miles away.

To publicly demonstrate their conclusions, the German team deployed a prototype of its system for receiving and decoding DroneId data. The discovery of the researchers - and their public tool - are proof of the serious problems in terms of privacy and operational security that DroneId presents for operators, especially considering that today Dji's drones are often used in war zones, where revealing an operator's location can draw enemy fire.

Although DJI holds a huge share of the consumer drone market, the problem is also set to grow when new US Federal Aviation Administration (FAA) rules come into effect in September, requiring all drones that can be used by the public to equip themselves with systems similar to DroneId .

"It is a big problem – explains Moritz Schloegel, one of the researchers from the Ruhr University who presented the research results at the Ndss –. You may think your drone is broadcasting its location. But suddenly it's broadcasting yours too. Whether you're privacy conscious or you're in a conflict zone, unpleasant things can happen" .

Ukraine's allegations

DroneId was already at the center of a controversy last spring, when the Ukrainian government criticized Dji because Russia's military forces were using the company's drones to target their missiles and used radio signals transmitted by Ukraine's DJI drones to locate the country's military personnel. DJI, which is headquartered in China, has long sold to government authorities and law enforcement agencies the Aeroscope, a suitcase-sized device that allows DroneId data to be received and decrypted, determining the location of any drone and its operator up to approximately 30 miles away.

Dji advertises DroneId and Aeroscope for civilian security-related applications, such as preventing problems on airport runways, securing public events, and tracking attempts to smuggle into prisons . In a letter to Dji, however, the Ukrainian Deputy Defense Minister wrote that Russia has used Aeroscope devices from Syria to track Ukrainian drones and their operators, with potentially lethal consequences.

Dji responded condemning any military use of its consumer drones and subsequently halting sales to both Ukraine and Russia. Initially, responding to an investigation by The Verge into the dispute, the company also claimed that DroneId was encrypted and therefore inaccessible to anyone without Aeroscope. However, Dji later admitted to the site that the transmissions were not actually encrypted, after security researcher Kevin Finisterre demonstrated that he could intercept some DroneId data thanks to Ettus, a commercially available software defined radio (SDR) technology. .

German researchers have gone one step further. By analyzing a DJI drone's firmware and its radio communications, they reverse engineered the DroneId and built a tool capable of receiving DroneId transmissions via Ettus or HackRf, a much cheaper transceiver. With this low-cost configuration and the software developed by the researchers, it is possible to fully decode the signal and pinpoint the position of the drone operator, just like Aeroscope does.

An opaque system

sportsgaming.win US has sent several emails to Dji to get a comment from the company, but received no response. The former Dji executive who came up with DroneId, however, offered a surprising answer in response to sportsgaming.win's questions: DroneId works exactly as it should.

Brendan Schulman, former Dji VP for Policy and legal affairs, he says he led the development of DroneId in 2017, following the US government's request for a drone tracking system, which was never intended to be encrypted. At the time, the FAA, federal security agencies, and Congress were pushing hard for a system that would allow anyone to identify a drone and its operator's location as a public safety mechanism, not with the tools of hackers or those owning Dji, but through mobile phones and tablets that would have allowed easy monitoring by citizens. “The US government wanted citizens to have access to this information, just like a license plate on a car is accessible to all who can see it, so they could report it to the authorities if they were unsure how to use it. of a drone," says Schulman.

Schulman notes that he endorsed this transmission system, in preference to what he considered a much more invasive suggestion from the US government, which required drone manufacturers to transmit the location of the operators and connect all drones to a network of monitoring services that would log each pilot's flight data in a database accessible to the government. Schulman adds that the DroneId problem isn't unique to DJI, and that he imagines all consumer drones will have a similar feature when the new FAA regulations go into effect later this year.

But all this It doesn't change the fact that DJI drone operators don't expect their location to be revealed by radio transmissions from their vehicles, Bender points out: "The average drone user has absolutely no knowledge that their location is being broadcast and that anyone has a cheap receiver can see it in real time," he says, adding that DJI's handling of the matter has further confused users: "I don't know if they intentionally marketed Aeroscope like this, but they led to believe that it could intercept DroneId only with this device. And it wasn't like that " .

Regardless of the reasons that led Dji to include the position of the operators in the data of the drones, the fact that pilots' location information can be intercepted – not just with Aeroscope, but by any skilled hacker – will have a significant impact on how the world's most common quadcopters are used in war zones and beyond of conflict, says August Cole, a member of the Atlantic Council's Scowcroft Center for Strategy and Security. “The ability to identify the operator of a drone is something of a holy grail in terms of targeting – comments Cole -, and being able to do it so easily [….] is a rather profound revelation for this new type of warfare "

This article originally appeared on sportsgaming.win US.