2022 DJI Alleged Drone ID Vulnerabilities
- Published on: 2022-05-02 06:43:36 +0000 UTC
- Last modified: 2022-08-22 10:13:26 +0000 UTC
Subreption’s research and development team has been dedicating manpower and resources to investigating and developing an array of tools and platforms, including novel countermeasures against so-called CUAS (or “Counter Unmanned Aircraft Systems”, a term applied with ambiguity to anything from drone detection systems to drone disabling platforms). Subreption has a long track record in R&D and vulnerability research, including multiple DARPA contracts and vulnerabilities found in widely used cryptographic libraries, software and devices. We have participated in projects such as Security-Enhanced Linux and have extensive experience with operating system security projects.
Our interest in drone platforms has increased recently due to ongoing events, where significant loss of human life has been linked to COTS drone-related technologies being used for military purposes.
It has recently come to our attention that a CVE entry (CVE-2022-29945) has been reserved by industry peers (the CVE was requested by Kevin Finisterre, timed with the release of an article written by Sean Hollister for The Verge, whose self-described qualifications are “writing about gadgets and videogames”), claiming that a “security vulnerability” exists in the way drone identification beacons are transmitted by a particular consumer drone vendor, DJI.
Our stance is that this is a misrepresentation of the legal and technical reality, with the sole intent of attracting media attention for personal gain (in the form of “clout”, notoriety or future career advancement). It disregards a large body of evidence and existing protocols that not only bear similarities to the claimed “privacy compromising” vulnerabilities but are well discussed in the technical literature and have far greater impact than the niche market that is consumer drone devices. It is also particularly suspect that DJI Drone ID information and dissectors were made public in 2017 as part of the “Kismet Wireless” wireless monitoring tool by Mike Kershaw and others (see Update 1), yet it is only now that these individuals choose to hype the supposed severity of the problem, amidst the situation in Ukraine and the involvement of DJI’s products in the conflict. The article published on 28 April 2022 in The Verge by Sean Hollister (linked in References) fails to either credit or reference the five-year-old (2017) work by Mr. Kershaw and others.
For example, current implementations of BLE (Bluetooth Low Energy), of “WiFi” (including but not limited to “probe requests”, which on many devices reveal the names of WiFi access points the device has recently used, a behaviour that mobile operating systems have since curtailed with MAC address randomisation and fewer directed probes), and even of cellular systems (from GSM to LTE) broadcast highly valuable identification data about devices, their owners and their behaviour, including explicit or implicit geolocation information. We are therefore surprised that, despite such an abundance of technical evidence, claims are being made that misrepresent or omit technical and practical details, which we intend to address in this statement.
What is “Drone ID” or drone identification broadcasts in the context of consumer and commercial UAV (“drone”) platforms?
“Drone ID” or drone identification broadcasts are beacon protocols present in the telemetry and control link systems of consumer and industrial drones. Although the exact implementation details vary between vendors and systems, their main purpose is to identify the drone and report its location to anyone within range of its transmitter. The carrier is also implementation dependent: in DJI’s case, standard 2.4 GHz and 5 GHz WiFi signals as well as their proprietary RF link, “OcuSync”.
Such a feature is present in most drone systems sold today and in many cases is mandated by law: from 2022 onwards, multiple international regulatory efforts (the FAA’s Remote ID rule in the United States and the EU’s direct remote identification requirement are two examples) have materialised, requiring ID broadcasting in drone devices. It is implemented differently across the drone control systems available today; telemetry protocols such as MAVLink likewise carry unencrypted geolocation or positional data, along with many other details of the device and its operator.
What are the privacy concerns?
Allegedly, “Drone ID” and similar systems pose a high privacy risk to drone operators.
Because the “nature of the beast” is that these broadcasts (as we explain later in this statement) need to be sent in non-encrypted form, the location of both the operator and the aircraft is exposed to anyone receiving them. It is not factual, however, to claim that drones emit this information when they are not flying.
It must be noted that receiving these broadcasts is subject to a hard physical limitation, the propagation range of radio-frequency signals. The beacons are sent at the low power of a consumer WiFi or control link, so capturing Drone ID data over a large area requires both a privileged location (an elevated site with line of sight, since 2.4 GHz and 5 GHz signals do not penetrate terrain or buildings well) and highly sensitive radio-frequency equipment, including but not limited to low-noise amplifiers, high-gain directional antennas and SDR receivers with sufficient sensitivity at the target frequencies. Free-space path loss grows with the square of distance, so every doubling of range costs another 6 dB of link budget.
Fortunately, our field has its roots in science, and claims can be countered or proven. We will make a reasonable attempt at simplifying technical concepts in this statement so that the general public can benefit from it.
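To put numbers on the range argument, here is a free-space link budget for a WiFi-carried beacon. This is an added example, not code from the original statement or from any drone vendor; the transmitter power, antenna gains, noise figures and required SNR are assumptions typical of 2.4 GHz WiFi hardware, not measurements of any specific drone.

```python
"""Free-space link budget for a WiFi-carried drone ID beacon.

Added example (not from the original statement or from any vendor).
All parameters are assumptions typical of 2.4 GHz WiFi hardware.
"""
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (Friis): 20*log10(4*pi*d/lambda), in dB."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / C)


def noise_floor_dbm(bandwidth_hz: float, noise_figure_db: float) -> float:
    """Thermal noise at 290 K (-174 dBm/Hz) integrated over the channel
    bandwidth, plus the receiver's noise figure."""
    return -174.0 + 10.0 * math.log10(bandwidth_hz) + noise_figure_db


def received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz):
    """Power at the receiver input over a line-of-sight (free-space) path."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, freq_hz,
                bandwidth_hz, noise_figure_db, required_snr_db):
    """Largest line-of-sight distance at which the beacon is still decodable,
    i.e. received power >= noise floor + required SNR.
    Inverts fspl_db(): d = 10^(L/20) * c / (4*pi*f)."""
    sensitivity = noise_floor_dbm(bandwidth_hz, noise_figure_db) + required_snr_db
    allowed_loss = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity
    return 10.0 ** (allowed_loss / 20.0) * C / (4.0 * math.pi * freq_hz)


def compare_receivers(freq_hz=2.437e9, tx_dbm=20.0, tx_gain_dbi=2.0,
                      bandwidth_hz=20e6, required_snr_db=10.0):
    """Assumed scenario: a 20 dBm (100 mW) 2.4 GHz transmitter with a small
    antenna, 20 MHz channel, 10 dB SNR needed to decode. Compares a stock
    laptop-class receiver (2 dBi antenna, 6 dB noise figure) with a
    'privileged' one (20 dBi mast-mounted antenna plus a 1 dB LNA)."""
    stock = max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi=2.0, freq_hz=freq_hz,
                        bandwidth_hz=bandwidth_hz, noise_figure_db=6.0,
                        required_snr_db=required_snr_db)
    privileged = max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi=20.0, freq_hz=freq_hz,
                             bandwidth_hz=bandwidth_hz, noise_figure_db=1.0,
                             required_snr_db=required_snr_db)
    return {"stock_m": stock, "privileged_m": privileged,
            "gain_factor": privileged / stock}


if __name__ == "__main__":
    for name, value in compare_receivers().items():
        print(f"{name}: {value:,.1f}")
```

Under these assumptions the stock receiver decodes the beacon out to roughly 2.8 km and the privileged one to roughly 39 km, a 23 dB (about 14x) difference, and both figures are free-space upper bounds that any terrain, building or foliage in the path reduces further. That is the point made above: wide-area collection needs both the equipment and the vantage point.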
Can it be disabled?
A sufficiently motivated individual can disable “Drone ID” in DJI drones, as well as in similar offerings by other vendors or in open source flight controllers. There are many ways to achieve this, from hardware modifications to software-based attacks (including but not limited to abuse of vendor-specific undocumented facilities).
Can it be encrypted?
Perhaps this is the most glaring error in our colleagues’ misrepresentation of “Drone ID” and its alleged privacy impact, which, assuming good faith, implies a profound lack of understanding of both the technical and the practical circumstances of beacon broadcasting systems, especially those dedicated to public safety.
“Drone ID” data could indeed be encrypted, but this poses tremendous legal, technical and practical challenges:
Start with the legal side. Transmitting encrypted (more precisely, deliberately obscured) information is prohibited in the amateur radio service in most jurisdictions, even though radio amateurs are licensed to use higher radiated power and additional frequency bands. (Encryption on unlicensed ISM bands is of course lawful, WPA-protected WiFi being the obvious example; the point here is the regulatory treatment of a public-safety identification broadcast, not of RF encryption in general.) The rationale behind these rules varies, but it usually involves the ability of regulatory agencies to detect and prosecute abuse (especially in frequency bands with specific purposes) and an assumed “transparency” for all communications not related to military or law enforcement purposes. The remote ID rules now being introduced follow the same logic: the broadcast exists precisely so that the public and the authorities can receive it without holding any key. It can be argued that “encryption is good”, but this is a very different scenario from, say, Internet privacy, and the benefits of encryption there do not transfer to a niche market that has direct public safety and spectrum implications. If radio amateurs (who are extensively regulated and must pass technical and legal exams to obtain a licence) are forbidden from using encryption (in all cases, or unless the keys are openly disclosed or set to known test values), then demanding greater privileges for drone operators (whose devices can be a hazard) is, at the very minimum, poor judgment and a display of ignorance of the practical challenges of regulating the RF spectrum and public safety.
As for the technical challenges:
Any encryption scheme, whether symmetric or built on public key principles (where each party publishes a public key that others can use), requires key distribution. A broadcast that must remain readable by every legitimate receiver while being unreadable by everyone else requires the decryption key to be held by every legitimate receiver.
- This poses both technical and logistical challenges, both extremely difficult to address in practice, if not impossible (again, this is a practical problem, not a theoretical scenario).
- First and foremost, a symmetric scheme would in practice be required, because a beacon broadcasting system cannot depend on bi-directional communication: that defeats its purpose, and in radio-frequency communications it cannot be assumed that both parties are within range of each other (transmission and reception conditions differ for each party, and a moving drone continuously changes its propagation conditions). A one-way channel leaves no room for a key agreement or handshake with each listener.
- A symmetric scheme needs secure keys, generated in advance and distributed to every intended recipient of the broadcasts. This means a worldwide, multi-agency, multi-vendor coordinated effort, with drone operator ID databases correlating keys, unique drone identifiers and so on.
- If the key generation can in any way be influenced by malicious (or simply well motivated and talented) individuals, or the drone data modified, the whole scheme is once again useless.
- If the key generation algorithm is not properly implemented, impersonating drones and spoofing their signals to frame individuals becomes trivial. Worse, with a shared symmetric key every receiver that can decrypt and verify a beacon can also produce one, so the scheme cannot even attribute a beacon to a specific drone. In addition, history has shown that secure symmetric encryption depends on building blocks and disciplines (unique nonces, replay protection, synchronised counters) that are not trivially applied to a single-party broadcasting protocol over an unreliable radio-frequency channel, where any receiver may miss an arbitrary number of frames.
- Therefore, any claim that this is practically possible is absurd or gullible at best and, at worst, an intentional attempt to obscure the irrelevance or the true technical nature of the issues claimed.
- There are protocols, such as APRS (often used by volunteers and radio amateurs in public safety situations), that support position ambiguity: they omit a configurable number of trailing digits from the reported coordinates, which places the transmitter somewhere within a cell whose size grows with the number of digits omitted. APRS defines four levels, blanking the tenths of a minute (a cell of roughly 0.1 nautical mile, about 185 m north to south), whole minutes (about 1 nautical mile), tens of minutes (about 10 nautical miles) or the entire minutes field (about 1 degree, roughly 60 nautical miles). Such a solution could easily be implemented and bears no implementation costs for regulatory agencies.
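To show what APRS-style ambiguity would do to a drone position, here is an added example (not from the original statement, from DJI, or from any Drone ID implementation) that formats a coordinate the way APRS does (DDMM.MM latitude, DDDMM.MM longitude), blanks the trailing minute digits for ambiguity levels 0 to 4 as the APRS protocol reference specifies, and reports the cell a receiver can infer. The coordinates are constructed sample values.

```python
"""APRS-style position ambiguity applied to a drone position.

Added example, not from the original statement or from any vendor.
APRS writes latitude as DDMM.MM and longitude as DDDMM.MM and lets the
sender blank 1 to 4 trailing minute digits, so a receiver only learns a
cell of 0.1 minute, 1 minute, 10 minutes or 1 degree.
"""
import math

# Cell size, in minutes of arc, for APRS ambiguity levels 0..4.
_CELL_MINUTES = (0.0, 0.1, 1.0, 10.0, 60.0)


def _degrees_minutes(value: float, deg_width: int) -> str:
    """Format |value| as zero-padded degrees followed by minutes with two
    decimals, e.g. 49.0583 with deg_width=2 -> '4903.50'."""
    v = abs(value)
    deg = int(v)
    minutes = (v - deg) * 60.0
    if minutes >= 59.995:          # avoid rendering '60.00'
        deg, minutes = deg + 1, 0.0
    return f"{deg:0{deg_width}d}{minutes:05.2f}"


def _blank_digits(field: str, ambiguity: int) -> str:
    """Replace the last `ambiguity` digits of a DDMM.MM field with spaces,
    skipping the decimal point, as APRS requires."""
    chars = list(field)
    digit_positions = [i for i, ch in enumerate(chars) if ch.isdigit()]
    for i in digit_positions[len(digit_positions) - ambiguity:]:
        chars[i] = " "
    return "".join(chars)


def aprs_position(lat: float, lon: float, ambiguity: int) -> str:
    """APRS position field 'DDMM.MMN/DDDMM.MMW' ('/' is the primary
    symbol-table identifier) with the requested ambiguity applied."""
    if not 0 <= ambiguity <= 4:
        raise ValueError("APRS ambiguity must be 0..4")
    lat_field = _blank_digits(_degrees_minutes(lat, 2), ambiguity)
    lon_field = _blank_digits(_degrees_minutes(lon, 3), ambiguity)
    return f"{lat_field}{'N' if lat >= 0 else 'S'}/{lon_field}{'E' if lon >= 0 else 'W'}"


def ambiguity_box(lat: float, lon: float, ambiguity: int):
    """(lat_min, lat_max, lon_min, lon_max) in decimal degrees: the cell a
    receiver can infer from a position sent with this ambiguity."""
    cell = _CELL_MINUTES[ambiguity]
    if cell == 0.0:
        return (lat, lat, lon, lon)

    def bounds(deg):
        lo = math.floor(deg * 60.0 / cell) * cell
        return lo / 60.0, (lo + cell) / 60.0

    lat_lo, lat_hi = bounds(lat)
    lon_lo, lon_hi = bounds(lon)
    return (lat_lo, lat_hi, lon_lo, lon_hi)


def cell_height_m(ambiguity: int) -> float:
    """North-south extent of the cell; one minute of latitude is 1852 m."""
    return _CELL_MINUTES[ambiguity] * 1852.0


if __name__ == "__main__":
    lat, lon = 50.4501, 30.5234    # constructed sample position
    for level in range(5):
        print(level, aprs_position(lat, lon, level),
              ambiguity_box(lat, lon, level), f"{cell_height_m(level):.0f} m")
```

Level 2 already reduces a position that is otherwise good to a few metres to a cell about 1.85 km tall, and level 4 to about 111 km, without any key material on either side; a regulator could simply mandate a minimum level for the broadcast while the full-precision position stays on the control link.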
It is for these reasons that any attempt to claim that “Drone ID” data should or could be encrypted is at best naive, if not a wild misrepresentation of its technical reality, without a clear or cohesive intent. At worst, it is an intentional omission of relevant information that could help journalists and the public at large to comprehend the actual facts.
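The key distribution bullets above can be exercised in code. The following is an added example, not from the original statement and not any vendor's or standard's design: one drone, a population of legitimate receivers that all hold the same symmetric group key, and an outsider without it. The cipher is an HMAC-SHA256 keystream with an HMAC tag (Python standard library only, so it runs offline); a real design would use an AEAD such as AES-GCM, which changes nothing about what is shown: every key holder reads the position, any key holder can forge a frame that verifies exactly like the drone's own, and a repeated nonce (a drone that lost its counter after a reboot, say) leaks the XOR of two plaintexts to anyone. A digital signature would fix the forgery problem without a shared secret, but it adds authenticity, not confidentiality: the position would still be readable by everyone. Serials and coordinates are constructed sample values.

```python
"""Toy model of a group-key encrypted ID beacon.

Added example, not from the original statement or from any vendor.
HMAC-SHA256 keystream plus HMAC tag stands in for an AEAD so the example
runs with the standard library only.
"""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN, TAG_LEN = 8, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || block_counter), concatenated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_beacon(key: bytes, seq: int, beacon: dict) -> bytes:
    """Frame = nonce(8, sent in the clear) || ciphertext || tag(16).
    The sequence number must never repeat under the same key."""
    nonce = struct.pack(">Q", seq)
    plaintext = json.dumps(beacon, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def decrypt_beacon(key: bytes, frame: bytes):
    """Return the beacon dict, or None if the tag does not verify."""
    nonce, ciphertext, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def demo():
    group_key = os.urandom(32)     # must be provisioned to every legitimate receiver
    outsider_key = os.urandom(32)  # a listener who was never given the group key
    real = {"serial": "DRONE-0001", "lat": 50.4501, "lon": 30.5234}  # constructed
    frame = encrypt_beacon(group_key, seq=1, beacon=real)

    # Bit-flip in the ciphertext: the tag catches it.
    tampered = frame[:NONCE_LEN] + bytes([frame[NONCE_LEN] ^ 0x01]) + frame[NONCE_LEN + 1:]

    # Any key holder (a compromised receiver included) forges a frame that
    # verifies exactly like the drone's own: symmetric tags cannot attribute.
    forged = encrypt_beacon(group_key, seq=2,
                            beacon={"serial": "DRONE-0001", "lat": 0.0, "lon": 0.0})

    # Nonce reuse: two frames under the same key and sequence number share a
    # keystream, so XORing the ciphertexts yields the XOR of the plaintexts.
    beacon_a = {"serial": "DRONE-0001", "lat": 1.0, "lon": 1.0}
    beacon_b = {"serial": "DRONE-0002", "lat": 2.0, "lon": 2.0}
    ct_a = encrypt_beacon(group_key, seq=7, beacon=beacon_a)[NONCE_LEN:-TAG_LEN]
    ct_b = encrypt_beacon(group_key, seq=7, beacon=beacon_b)[NONCE_LEN:-TAG_LEN]
    pt_a = json.dumps(beacon_a, sort_keys=True).encode()
    pt_b = json.dumps(beacon_b, sort_keys=True).encode()
    xor_ct = bytes(x ^ y for x, y in zip(ct_a, ct_b))
    xor_pt = bytes(x ^ y for x, y in zip(pt_a, pt_b))

    return {
        "legit_receiver_reads": decrypt_beacon(group_key, frame),
        "outsider_reads": decrypt_beacon(outsider_key, frame),
        "tampered_rejected": decrypt_beacon(group_key, tampered) is None,
        "forgery_verifies": decrypt_beacon(group_key, forged) is not None,
        "nonce_reuse_leaks_plaintext_xor": xor_ct == xor_pt,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note also that the nonce itself has to travel in the clear for receivers to decrypt, and a monotonically increasing counter is trivially linkable across frames, so even the "encrypted" beacon still lets an observer follow a given transmitter; hiding the nonce would require yet more shared state between the drone and every receiver.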
The industry problem of fact checking and misrepresented severity of issues
We believe that the security industry has extremely talented individuals, some of whom we may or may not disagree with on different aspects of our work, principles or efforts. But the industry also has a long, shameful record of low-effort strategies designed to boost the careers of individuals and the exposure of companies with utter disregard for the technical merit, veracity or accuracy of their claims.
This routinely happens through the longstanding relations that some journalists have with industry peers, to whom they turn when they need to publish a story with a high likelihood of social media exposure or public interest. More often than not, these journalists have no technical background and no qualifications to verify the information (depending instead on the good faith of third parties, who may or may not have personal conflicts of interest in discrediting or confirming facts), and are themselves misled; but it is also ethically questionable for a journalist not to seek contesting opinions in order to have a “picture in context” of the subject matter. Journalism owes the general public a persistent effort to procure true, factual and objective information. Alarmist or unsubstantiated claims do not belong in the profession.
The CVE, NIST and MITRE databases are not meant to house “political” vulnerabilities or vague, imprecise claims, especially when there is a wealth of evidence pointing at similar circumstances in protocols and systems widely used on the Internet, for which these individuals have made no CVE reservations or claims, knowing that those affect more than a small niche market and would therefore face major scrutiny and backlash from other industry peers. We appreciate their efforts, but kindly ask our industry peers to adhere to the standards of excellence that we owe to the general public, and hope that this statement is not taken personally, because it is directed only at specific actions and attitudes, not at the individuals behind them (hence our avoidance of naming these peers or directing any comments individually). “Glory seeking”, press and social media hype, and the like are not valid motivators for any of our work. Claims of grandiose value need to be factual, and there have been claims in this direction that could be proven false if submitted to technical, objective, factual scrutiny.
We will update this statement as needed.
Conflicts of interest
Subreption is not affiliated with DJI or any other consumer drone vendor, and has not been engaged, attempted to engage, or contracted, in any shape or form with DJI. Our staff has no assets or financial instruments associated in any way to any consumer or industrial drone vendor.
Subreption is providing pro bono consulting and research to multiple institutions in Europe, as well as volunteer organizations, in the context of drone awareness and strategic advantages to prevent loss of human life.
Update 1: Mike Kershaw’s work (Kismet Wireless)
We are updating this statement to make even clearer than before that the third parties involved in the CVE reservation and press “hype” have very obviously done so while ignoring the work of Mike Kershaw, who, with the help of other contributors (as listed in the source code linked in References), implemented the dissector for DJI’s Drone ID protocol (over WiFi and over their 5 GHz channel 149, 5 MHz spacing implementation, “Enhanced WiFi”) in 2017. In no way did this statement ever suggest that he is involved in the hype, and as far as we are aware through cooperating third parties, he is not. It would make no sense for Mr. Kershaw to be, since he did not seek any notoriety in 2017 when he released his work to the public. We are therefore not editing our original statement but adding this addendum to avoid any distortion or misinterpretation of it.
The paragraph in question:
It is also particularly suspect that DJI Drone ID information and dissectors have been made public in 2017 as part of the “Kismet Wireless” wireless monitoring tool, but it is now that these individuals choose to hype the supposed severity of the problem, amidst the situation in Ukraine and DJI’s products involvement in the conflict.
Mike Kershaw is a well known member of the community and a respected industry peer who has given back a wealth of tremendously useful work to the industry while seeking very little notoriety or compensation for it. It is because of his work and that of other volunteers that Kismet Wireless exists today and has assisted numerous commercial and altruistic endeavours since its release. As is often the case in the industry, Mr. Kershaw’s notoriety seeking is inversely proportional to the tangible contributions he has made. It begs the question: where were these journalists when people like Mr. Kershaw and others working discreetly did the legwork and made their contributions?
References
- Symmetric-key algorithm (Wikipedia)
- Kismet DJI Drone ID (November 2017)
- Kismet DJI Drone ID parsing (structure definitions) (Freek van Tienen, Jan Dumon)
- DJI insisted drone-tracking AeroScope signals were encrypted — now it admits they aren’t (Sean Hollister, The Verge; contains unverified claims and fails to mention or credit Mike Kershaw and other individuals with published Drone ID work, including dissectors/decoding tools, dating from 2017)
Press and media can reach us at regarding this announcement or any other inquiries.