DJI drone IDs are not encrypted

TL;DR

This paper reveals that DJI drone IDs are not encrypted and presents a methodology and prototype for detecting drone IDs using low-cost radio hardware, highlighting security vulnerabilities in drone identification systems.

Contribution

The paper demonstrates that DJI drone IDs are not encrypted and provides a practical detection system using HackRF hardware, exposing security flaws in drone ID technology.

Findings

DJI drone IDs are not encrypted.

A working prototype for detecting DJI drone IDs is developed.

The detection system uses low-cost radio hardware and software.

Abstract

Drones are widely used in the energy, construction, agriculture, transportation, warehousing, real estate and movie industries. Key applications include surveys, inspections, deliveries and cinematography. With approximately 70-80% of the global market share of commercial off-the-shelf drones, Da-Jiang Innovations (DJI), headquartered in Shenzhen, China, essentially monopolizes the drone market. As commercial-off-the-shelf drone sales steadily rise, the Federal Aviation Administration has instituted regulations to protect the federal airspace. DJI has become a pioneer in developing remote identification technology in the form of drone ID (also known as AeroScope signals). Despite claims from the company touting its implementation of drone ID technology as "encrypted" yet later being proved incorrect for the claim, it remains a mystery on how one can grab and decode drone IDs over the air with low-cost radio frequency hardware in real-time. This research paper discusses a methodology using radio software and hardware to detect both Enhanced Wi-Fi and OcuSync drone IDs, the three types of drone ID packet structures and a functioning prototype of a DJI OcuSync detection system equipped with two HackRF Ones.