DJI’s DroneID became the subject of controversy last spring when the Ukrainian government criticized the company because Russian military forces were using DJI drones for their missile targeting and using the radio signals broadcast from Ukraine’s own DJI drones to locate Ukrainian military personnel. China-based DJI has long sold a suitcase-sized device called Aeroscope to government regulators and law enforcement agencies that allows them to receive and decode DroneID data, determining the location of any drone and its operator from as far as 30 miles away.
DJI’s DroneID and Aeroscope devices are advertised for civilian security uses, like preventing disruptions of airport runways, protecting public events, and detecting efforts to smuggle cargo into prisons. But Ukraine’s vice minister of defense wrote in a letter to DJI that Russia had repurposed Aeroscope devices from Syria to track Ukrainian drones and their operators, with potentially deadly consequences.
DJI responded by warning against any military use of its consumer drones and later cutting off all sales of its drones to both Ukraine and Russia. It also initially claimed in response to the Verge’s reporting on the controversy that DroneID was encrypted, and thus inaccessible to anyone who didn’t have its carefully controlled Aeroscope devices. But DJI later admitted to the Verge that the transmissions were not in fact encrypted, after security researcher Kevin Finisterre showed that he could intercept some DroneID data with a commercially available Ettus software-defined radio.
The German researchers—who also helped debunk DJI’s initial encryption claim—have gone further. By analyzing the firmware of a DJI drone and its radio communications, they’ve reverse engineered DroneID and built a tool that can receive DroneID transmissions with an Ettus software-defined radio or even the much cheaper HackRF radio, which sells for just a few hundred dollars compared to over $1,000 for most Ettus devices. With that inexpensive setup and their software, its possible to fully decode the signal to find the drone operator’s location, just as DJI’s Aeroscope does.
While the German researchers only tested their radio eavesdropping on a DJI drone from ranges of 15 to 25 feet, they say they didn’t attempt to optimize for distance, and they believe they could extend that range with more engineering. Another hacker, University of Tulsa graduate researcher Conner Bender, quietly released a pre-publication paper last summer with similar findings that will be presented at the CyCon cybersecurity conference in Estonia in late May. Bender found that his HackRF-based system with a custom antenna could pick up DroneID data from hundreds or thousands of feet away, sometimes as far as three-quarters of a mile.
WIRED reached out to DJI for comment in multiple emails, but the company hasn’t responded. The former DJI executive who first conceived of DroneID, however, offered his own surprising answer in response to WIRED’s query: DroneID is working exactly as it’s supposed to.
Brendan Schulman, DJI’s former VP of policy and legal affairs, says he led the company’s development of DroneID in 2017 as a direct response to US government demands for a drone-monitoring system, and that it was never intended to be encrypted. The FAA, federal security agencies, and Congress were strongly pushing at the time for a system that would allow anyone to identify a drone—and its operator’s location—as a public safety mechanism, not with hacker tools or DJI’s proprietary ones, but with mobile phones and tablets that would allow for easy citizen monitoring.