[German]Drones from the Chinese manufacturer DJI have vulnerabilities that allow third parties to read radio traffic and determine the location of the drone pilot. This vulnerability comes from a monitoring feature called AeroScope (DroneID), developed by the manufacturer for "law enforcement agencies", which allowed them to determine the location of the pilot at a distance of up to 50 km. This has been known for a year, but DJI wrotes, the DroneID protocol used for this is encrypted now. However, security researchers have proven that these "assurances of the manufacturer" are simply wrong. In addition, German security researchers have uncovered other vulnerabilities in various DJI drones, made public on March 3, 2023, that allow a drone's serial number to be altered or the aircraft to crash. This causes trouble for companies and individuals who use such drones.
Advertising
DJI leading drone manufacturer
The acronym DJI of the Chinese drone manufacturer stands for Da-Jiang Innovations Science and Technology Co., Ltd. The Chinese company was founded in 2006 by Frank Wang from Hangzhou and specializes in the development of unmanned aerial vehicles. DJI is considered the global market leader in drones for private and commercial use and reports annual sales of more than three billion euros (as of 2022).
However, it must be clear to everyone that DJI operates out of China and therefore must always be seen as a potential security risk. In 2017, the US banned its armed forces from using drones from the group, as DJI also works with the Chinese government. There was a perceived risk that the drones would be vulnerable to cyberattacks.
Beside from this political issue, I always remember DJI in the context of security issues. In 2017, I had the German blog post DJI-Drohnen bleiben ohne Update ab 1.9.2017 am Boden, which was about a new firmware update for no-fly zones. The update was to ensure that drones could not be piloted in no-fly zones. Those who didn't install the update were faced with not being able to fly their drone anymore. And in 2018, I had pointed out in the blog post Schwachstelle bei Drohnenplattform DJI entdeckt that DJI drone security was not that great.
AeroScope data unencrypted
In the context of the Ukraine war, the issue of drones and their manipulability takes on special weight. I was aware that Ukrainian drone pilots faced the risk that their position could be determined and fired upon by the enemy. A device had been developed in 2022 that virtually shifted the drone pilot's GPS location by several hundred meters to eliminate this risk.
Nevertheless, Ukrainian Deputy Prime Minister Mykhailo Fedorov last month accused DJI of helping Russia kill Ukrainian civilians in an unusual way. It said Russia was allowed to use a drone tracking system called DJI AeroScope without hindrance to pinpoint the exact location of Ukrainian drone pilots and allegedly kill them with mortar strikes and missiles.
Advertising
At issue is the AeroScope feature of DJI drones. Using a radio protocol DroneID (marketed as AeroScope), the company allowed law enforcement agencies to determine the location of the drone pilot up to 50 km away. There is special software for this purpose, which can then record the data from the protocol. DJI had actually claimed that the DroneID protocol (AeroScope) data is now encrypted so that unauthorized third parties cannot determine the position and data.
However, this is probably not the case. Already in April 2022, Kevin Finisterre pointed out (see above tweet) that the statement of the DJI management that the DroneID protocol is now encrypted is smoke and mirrors. The hacker Kevin Finisterre was able to prove that information could be read in plain text in the transmitted data.
The Verge has published more detailed in the article DJI insisted drone-tracking AeroScope signals were encrypted — now it admits they aren't. Within the article we can read, that it's not entirely surprising that the AeroScope signals are unencrypted. Manufacturer DJI originally intended to develop Drone ID (now AeroScope) as a technology that other drone manufacturers could use. And governments (e.g., the U.S.) plan to require drones to transmit their location by 2023. And that will be done unencrypted. What this means is that governments and other tech-savvy people won't need AeroScope to see the exact location of every DJI drone and the exact location of every pilot in the vicinity. It's enough to intercept the radio signals and scan for the unencrypted data.
New findings by German security researchers
What at first looks like an "exotic" topic causes tangible practical problems for people and companies using DJI drones. This is because, for regulatory reasons, drones in most countries must have a fixed ID (fixed serial number) for identification purposes and must also not be able to be piloted in no-fly zones (e.g. around airports). However, these specifications are not met by various DJI drones.
The topic was mentined in Greman media (see above tweet). Researchers from Bochum and Saarbrücken universities have recently discovered further serious vulnerabilities in several drones from the manufacturer DJI, according to the announcement here and documented on GitHub.
These vulnerabilities allow, for example, the serial number of the drone to be changed or the mechanisms to be overridden that allow the drones and their pilots to be located by security authorities. In certain attack scenarios, the drones can even be brought down remotely in flight.
The team tested three DJI drones of different categories: the small DJI Mini 2, the medium-sized Air 2, and the large Mavic 2. Later, the IT experts reproduced the results for the newer Mavic 3 model as well. They fed the drones' hardware and firmware with a large number of random inputs and checked which of them caused the drones to crash or produced unwanted changes in drone data such as the serial number – a method called fuzzing. To do this, they first had to develop a new algorithm.
Four serious flaws
The fuzzer developed by the research group generated DUML data packets, sent them to the drone and evaluated which inputs caused the drone's software to crash. In this process, such a crash indicates a flaw in the programming. "However, not all vulnerabilities resulted in a crash," says Thorsten Holz. "Some errors have also led to data such as the serial number changing." To detect such logical vulnerabilities, the team paired the drone with a cell phone running the DJI app. This allowed them to periodically check the app to see if fuzzing was changing the drone's state.
All four models tested had security issues. In total, the researchers documented 16 vulnerabilities. The DJI Mini 2, Mavic Air 2 and Mavic 3 models possessed four serious flaws. These allowed, firstly, to gain extended access rights in the system. "This allows an attacker to change log data or the serial number and disguise his identity," explains Thorsten Holz. "In addition, DJI takes elaborate precautions to prevent drones from flying over airports or other restricted areas such as prisons – these mechanisms could also be circumvented." Furthermore, the group could crash flying drones from the air..
Location data is transmitted unencrypted
In addition, the researchers examined the protocol DJI drones use to transmit the location of the drone and its pilot so that authorized entities – such as security agencies or critical infrastructure operators – can access it. By reverse engineering DJI's firmware and the radio signals emitted by the drones, the research team was able to document for the first time the tracking protocol called "DroneID" mentioned earlier. "We were able to show that the transmitted data is not encrypted, but that the location of the pilot and the drone can be read by practically anyone using relatively simple means," summarizes Nico Schiller.
Results presented in the USA
The team led by Nico Schiller from the Horst Görtz Institute for IT Security at Ruhr University Bochum and Prof. Dr. Thorsten Holz, formerly in Bochum and now at the Helmholtz Center for Information Security CISPA in Saarbrücken, presented the results at the Network and Distributed System Security Symposium (NDSS). The conference was held in San Diego, USA, from February 27 to March 3.
The researchers informed DJI about the vulnerabilities as part of the Responsible Disclosure process prior to publication at the conference. The manufacturer is likely still working to address the reported vulnerabilities. Those who use the drones therefore probably have a potential problem.
