Drone Security and the Mysterious Case of DJI's DroneID

Proceedings 2023 Network and Distributed System Security Symposium Pub Date : 1900-01-01 DOI:10.14722/ndss.2023.24217

Nico Schiller, M. Chlosta, Moritz Schloegel, Nils Bars, Thorsten Eisenhofer, Tobias Scharnowski, Felix Domke, Lea Schönherr, Thorsten Holz

{"title":"Drone Security and the Mysterious Case of DJI's DroneID","authors":"Nico Schiller, M. Chlosta, Moritz Schloegel, Nils Bars, Thorsten Eisenhofer, Tobias Scharnowski, Felix Domke, Lea Schönherr, Thorsten Holz","doi":"10.14722/ndss.2023.24217","DOIUrl":null,"url":null,"abstract":"—Consumer drones enable high-class aerial video photography, promise to reform the logistics industry, and are already used for humanitarian rescue operations and during armed conflicts. Contrasting their widespread adoption and high popularity, the low entry barrier for air mobility—a traditionally heavily regulated sector—poses many risks to safety, security, and privacy. Malicious parties could, for example, (mis-)use drones for surveillance, transportation of illegal goods, or cause economic damage by intruding the closed airspace above air-ports. To prevent harm, drone manufacturers employ several countermeasures to enforce safe and secure use of drones, e.g., they impose software limits regarding speed and altitude, or use geofencing to implement no-fly zones around airports or prisons. Complementing traditional countermeasures, drones from the market leader DJI implement a tracking protocol called DroneID, which is designed to transmit the position of both the drone and its operator to authorized entities such as law enforcement or operators of critical infrastructures. In this paper, we analyze security and privacy claims for drones, focusing on the leading manufacturer DJI with a market share of 94%. We first systemize the drone attack surface and investigate an attacker capable of eavesdropping on the drone’s over-the-air data traffic. Based on reverse engineering of DJI firmware, we design and implement a decoder for DJI’s proprietary tracking protocol DroneID, using only cheap COTS hardware. We show that the transmitted data is not encrypted, but accessible to anyone, compromising the drone operator’s privacy. Second, we conduct a comprehensive analysis of drone security: Using a combination of reverse engineering, a novel fuzzing approach tailored to DJI’s communication protocol, and hardware analysis, we uncover several critical flaws in drone firmware that allow attackers to gain elevated privileges on two different DJI drones and their remote control. Such root access paves the way to disable","PeriodicalId":199733,"journal":{"name":"Proceedings 2023 Network and Distributed System Security Symposium","volume":"30 2","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings 2023 Network and Distributed System Security Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.14722/ndss.2023.24217","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

Abstract

—Consumer drones enable high-class aerial video photography, promise to reform the logistics industry, and are already used for humanitarian rescue operations and during armed conflicts. Contrasting their widespread adoption and high popularity, the low entry barrier for air mobility—a traditionally heavily regulated sector—poses many risks to safety, security, and privacy. Malicious parties could, for example, (mis-)use drones for surveillance, transportation of illegal goods, or cause economic damage by intruding the closed airspace above air-ports. To prevent harm, drone manufacturers employ several countermeasures to enforce safe and secure use of drones, e.g., they impose software limits regarding speed and altitude, or use geofencing to implement no-fly zones around airports or prisons. Complementing traditional countermeasures, drones from the market leader DJI implement a tracking protocol called DroneID, which is designed to transmit the position of both the drone and its operator to authorized entities such as law enforcement or operators of critical infrastructures. In this paper, we analyze security and privacy claims for drones, focusing on the leading manufacturer DJI with a market share of 94%. We first systemize the drone attack surface and investigate an attacker capable of eavesdropping on the drone’s over-the-air data traffic. Based on reverse engineering of DJI firmware, we design and implement a decoder for DJI’s proprietary tracking protocol DroneID, using only cheap COTS hardware. We show that the transmitted data is not encrypted, but accessible to anyone, compromising the drone operator’s privacy. Second, we conduct a comprehensive analysis of drone security: Using a combination of reverse engineering, a novel fuzzing approach tailored to DJI’s communication protocol, and hardware analysis, we uncover several critical flaws in drone firmware that allow attackers to gain elevated privileges on two different DJI drones and their remote control. Such root access paves the way to disable

查看原文本刊更多论文

无人机安全与大疆无人机id神秘事件

-消费级无人机可以实现高水平的空中视频拍摄，有望改革物流行业，并已用于人道主义救援行动和武装冲突。与它们的广泛采用和高度普及相比，航空运输这个传统上受到严格监管的行业的低进入门槛给安全、安保和隐私带来了许多风险。例如，恶意方可能(错误地)使用无人机进行监视、运输非法货物，或通过侵入机场上空的封闭空域造成经济损失。为了防止伤害，无人机制造商采用了几种对策来加强无人机的安全使用，例如，他们对速度和高度施加软件限制，或者使用地理围栏在机场或监狱周围实施禁飞区。作为传统对策的补充，市场领导者大疆公司的无人机采用了一种名为DroneID的跟踪协议，该协议旨在将无人机及其操作员的位置传输给执法部门或关键基础设施运营商等授权实体。在本文中，我们分析了无人机的安全和隐私索赔，重点关注市场份额为94%的领先制造商大疆。我们首先将无人机攻击面系统化，并调查能够窃听无人机空中数据流量的攻击者。基于DJI固件的逆向工程，我们设计并实现了DJI专有跟踪协议DroneID的解码器，仅使用廉价的COTS硬件。我们证明传输的数据没有加密，但任何人都可以访问，危及无人机操作员的隐私。其次，我们对无人机安全性进行了全面分析:结合使用逆向工程、针对大疆通信协议量身定制的新型模糊测试方法和硬件分析，我们发现了无人机固件中的几个关键漏洞，这些漏洞允许攻击者在两个不同的大疆无人机及其遥控器上获得更高的权限。这样的根访问为禁用铺平了道路

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings 2023 Network and Distributed System Security Symposium

自引率

0.00%

发文量