DJI’s DroneID became the subject of controversy last spring when the Ukrainian government criticized the company because Russian military forces were using DJI drones to target their missiles and using the radio signals broadcast from Ukraine's own DJI drones to locate Ukrainian military personnel. China-based DJI has long sold a suitcase-sized device called the Aeroscope to government regulators and law enforcement agencies that allows them to receive and decrypt DroneID data, locating any drone and its operator from up to 30 miles away.
DJI’s DroneID and Aeroscope are advertised for civilian security uses, such as preventing turbulence on airport runways, protecting public events, and detecting efforts to smuggle goods into prisons. But the Deputy Minister of Defense of Ukraine wrote in a letter to DJI that Russia has reused Aeroscopes from Syria to track Ukrainian drones and their operators, with potentially deadly consequences.
DJI responded by warning against any military use of its consumer drones and subsequently cut off all sales of its drones to both Ukraine and Russia. It also initially claimed, in response to a Verge report on the controversy, that DroneID was encrypted and thus inaccessible to anyone who did not have carefully controlled Aeroscope hardware. But DJI later admitted to the Verge that the transmissions were not in fact encrypted, after security researcher Kevin Finisterre showed he could intercept some DroneID data using a commercially available Ettus software-defined radio.
The German researchers, who also helped debunk DJI’s initial encryption claim, have gone further. By analyzing the DJI drone’s firmware and radio communications, they reverse engineered DroneID and built a tool that can receive DroneID transmissions using an Ettus software-defined radio or even the much cheaper HackRF radio, which sells for only a few hundred dollars, compared with over $1,000 for most Ettus devices. With this inexpensive setup and their software, it is possible to completely decode the signal to find the location of the drone operator, just as DJI’s Aeroscope does.
While the German researchers only tested wireless eavesdropping on a DJI drone from ranges of 15 to 25 feet, they said they haven’t attempted to improve the distance, and believe they can extend that range with more engineering. Another hacker, Conner Bender, a researcher at the University of Tulsa, quietly released a pre-print paper last summer with similar findings that will be presented at the CyCon cybersecurity conference in Estonia in late May. Bender has found that his HackRF-based system with a dedicated antenna can capture DroneID data from hundreds or thousands of feet away, sometimes as far as three-quarters of a mile.
WIRED reached out to DJI for comment in multiple emails, but the company has not responded. However, the former DJI CEO who first conceived of DroneID gave a surprising answer in response to a WIRED query: DroneID works exactly as it’s supposed to.
Brendan Schulman, DJI’s former vice president of political and legal affairs, says he led the company’s development of DroneID in 2017 as a direct response to US government demands for a drone control system, and that it wasn’t meant to be encrypted. The FAA, federal security agencies, and Congress were pushing hard at the time for a system that would allow anyone to locate a drone, and its operator, as a public safety mechanism, not with hacker tools or those of DJI, but with cellphones and tablets that would allow easy citizen monitoring.