Bochum and Saarbrücken researchers in Germany have found security vulnerabilities, some being serious, in numerous drones created by the manufacturer DJI. For example, these allow users to change a drone’s serial number or override the mechanisms that enable security authorities to track the drones and their pilots. During special attack scenarios, drones could be brought down remotely in flight.
A team led by Nico Schiller and Professor Thorsten Holz will presented their findings at the recently hed Network and Distributed System Security Symposium (NDSS).
Researchers noted 16 detected vulnerabilities and informed DJI of their findings before releasing the information to the public.
Four DJI models were examined
Three DJI drones, all different categories, were tested. The small DJI Mini 2, the medium-sized Air 2, and the large Mavic 2 were the selected models. Later on, the Mavic 3 was added to the list and also tested. The test team fed the drones’ hardware and firmware random inputs and monitored to see which ones caused drones to crash or made unwanted changes. Specifically, one that could alter the serial number – a method known as fuzzing. To this end, they first had to develop a new algorithm.
“We often have the entire firmware of a device available for the purpose of fuzzing. Here, however, this was not the case,” says Nico Schiller while describing the challenge. Due to DJI drones being complex systems, the fuzzing had to be done in the live system.“After connecting the drone to a laptop, we first looked at how we could communicate with it and which interfaces were available to us for this purpose,” says the researcher from Bochum. As it transpired, the bulk of the communication occurs through a uniform protocol called DUML, which transmits commands to the drone in packets.
Four severe errors noted
The research team created a fuzzer that produced DUML data packets, sent them to the drone, and determined which inputs led to the drone’s software to crash. Such a crash indicates an error in the programming. “However, not all security gaps resulted in a crash,” says Thorsten Holz. “Some errors led to changes in data such as the serial number.” In order to detect the logical vulnerabilities, the team paired the drone with a mobile phone running the DJI app. The research team periodically checked the app to see if fuzzing was changing the state of the drone.
The researchers discovered 16 security vulnerabilities in all four models that were tested, with the DJI Mini 2, Mavic Air 2, and Mavic 3 models containing four critical flaws. These bugs enabled attackers to gain extended system access rights, allowing them to modify log data, change serial numbers, and conceal their identity. Additionally, the security mechanisms that DJI implemented to prevent drones from flying over restricted areas, such as airports and prisons, were found to be overrideable. The researchers were also able to cause the drones to crash while in flight.
In future studies, the Bochum-Saarbrücken team intends to test the security of other drone models as well.
Location data is unencrypted
The researchers analyzed the transmission protocol of DJI drones, which enables authorized entities such as law enforcement to access the drone’s location and pilot’s information. Through reverse engineering the firmware and radio signals of DJI drones, the research team documented the “DroneID” tracking protocol, which was previously unknown. “We showed that the transmitted data is not encrypted, and that practically anyone can read the location of the pilot and the drone with relatively simple methods,” concludes Nico Schiller.
*The original version of the press release stated: “The researchers informed DJI of the 16 detected vulnerabilities prior to releasing the information to the public; the manufacturer has taken steps towards fixing them.” Since the vunerabilities have already been fixed, the text was updated on 3 March 2023, 11.20 a.m.
Post Image- The researchers looked for security gaps in the firmware and scrutinized the inner workings of the drones. © RUB, Marquard
The full research paper can be accessed at- Drone Security and the Mysterious Case of DJI’s DroneID