Loudmouth DJI Drones Tell Everyone Where You Are

Screenshot of the SDR software in action, with decoded data in a terminal, and a map that shows the location received from the decoded data

Back when commercial quadcopters started appearing in the news on the regular, public safety was a talking point. How, for example, do we keep them away from airports? Well, large drone companies didn’t want the negative PR, so some voluntarily added geofencing and tracking mechanisms to their own drones.

When it comes to DJI, one such mechanism is DroneID: a beacon on the drone itself, sending out a trove of data, including its operator’s GPS location. DJI also, of course, sells the Aeroscope device that receives and decodes DroneID data, declared to be for government use. As it often is with privacy-compromising technology, turns out it’s been a bigger compromise than we expected.

Questions started popping up last year, as off-the-shelf quadcopters (including those made by DJI) started to play a part in the Russo-Ukrainian War. It didn’t take long for Ukrainian forces to notice that launching a DJI drone led to its operators being swiftly attacked, and intel was that Russia got some Aeroscopes from Syria. DJI’s response was that their products were not meant to be used this way, and shortly thereafter cut sales to both Russia and Ukraine.

But security researchers have recently discovered the situation was actually worse than we expected. Back in 2022, DJI claimed that the DroneID data was encrypted, but [Kevin Finisterre]’s research proved that to be a lie — with the company finally admitting to it after Verge pushed them on the question. It wouldn’t even be hard to implement a worse-than-nothing encryption that holds up mathematically. However, it seems, DroneID doesn’t even try: here’s a GitHub repository with a DroneID decoder you can use if you have an SDR dongle.

Sadly, the days of companies like DJI standing up against the anti-copter talking points seem to be over, Now they’re setting an example on how devices can subvert their owners’ privacy without reservation. Looks like it’s up to hackers on the frontlines to learn how to excise DroneID, just like we’ve done with the un-nuanced RF power limitations, or the DJI battery DRM, or transplanting firmware between hardware-identical DJI flight controller models.

43 thoughts on “Loudmouth DJI Drones Tell Everyone Where You Are

  1. Come on .. one of the primary and known uses for DroneID is for governmental agencies like the FCC to enforce flight laws. It doesn’t even make sense that that would be encrypted.

    Theres also available open-source replacement firmware for DJI drones specifically that negates this whole problem for those who want it.

      1. FAA Part 89 disallows encryption: “The FAA does not intend to limit who can receive the
        broadcast messages, and allowing encryption of certain message elements would limit who can
        receive the broadcast messages only to those with the capability to decrypt the messages.”

        Note that UAs that use a broadcast module instead of a “built in” remote ID are allowed to send launch location instead of operator location. However, it limits operation of such UAs to operation within line-of-sight of the operator.

  2. Ok, DroneID is doing exactly what it’s supposed to to, big deal.
    By the way, DjI drones only have DroneID in Markets where it is mandatory.
    No DroneID in my Mini 2 in Germany e.g.

    1. You can thank the general public for it. There was a time when multicopters (and most other RC planes) were used only by universities and serious hobbyists. Abuse was mostly unheard of. We, the men of science, had better things to do than to violate safety zones of airports and military bases; or filming a sunbathing MILF next door. Once the UAVs became a mass-market product and #1 christmas gift, the abuse and idiocy started, and regulations soon followed.

      Same thing happened with Internet, pellet guns (air guns), amateur radio and plenty of other interesting things. Thanks to various nutters you can’t even buy a can of acetone anymore without having to provide your ID. If you buy more than 5L a year, the Internal Security Agency will pay you a friendly visit – been there personally 😑

      1. “Same thing happened with Internet, pellet guns (air guns), amateur radio”

        There are no rules for Amateur Radio. At least none that
        are enforced. Have you ever listened to 80 or 40 meters?
        It’s as bad as CB from the late 70’s/80’s. I would never let
        a child on HF(or even some V/UHF)
        The FCC could care less about AR(no money or public safety involved,
        mainly money though)

        1. Look DJI drones allegedly leaks gps and other pilot content to china servers.
          Look FAA mandates broadcasting droneID as a cheaper alt to ADS-B

          Hobbyist or quick-buck drone pilot: leave me alone, I just want to fly however I want, whenever I want…. and crashing is part of the business since I use DIY HobbyKing parts.

          And you have the AOPA vs the AMA vs businesses (google/amazon) vs researchers (open source crew) vs the FAA in bed with regs (fees $$), DoD (defense contractors), and politicians (FUD). All wanting it their way.

          And that’s why drone industry is in such a hot mess right now and only 2 general commercial choices (a Mavic and Skydio X2) and [really] no more.

      2. You can thank sensationalistic clickbait media and a retarded general public prone to moral panics for it.. The problem of people flying over airports or spying on neighbors etc. are grossly exaggerated.. Most of the high profile cases turned out to be nothingburgers.

    2. As it should be.

      Drone operations that aren’t military in nature should not be encrypted or obfuscated in any way. If a GA pilot breaks airspace rules, we know where he is. He’s operating the aircraft. His registration is publicly available.

      Why should drone operators have an extra layer of protection from culpability, especially with the track record of drone pilots?

      You’re operating in shared airspace, you don’t get immunity. I’m normally all about freedom, but drone operators have enormous potential to cause harm.

      Personally, I feel that if your drone is capable of going over 200 feet AGL, you shouldn’t be allowed to fly it without a license and a course on airspace rules.

      1. This is why for those of you who are daft.

        It’s a huge concern for private citizens who fly UAV’s for many reasons. Did you even read up on the privacy concerns or take note of drones usage in “conflict zones?”

        Bottom line is this….Take this as a very dumbed down version of an example for you to understand. It’s the same principle and issue.

        The general public does not have access to look information about a person by running your cars your cas license plate. Say someone someone wanted to find out where you lived because you drove a nice vehicle. Or they thought your wife or daughter was attractive. (several examples to start with.) Would you want some stranger or violent thug, robber, rapist, to be able to look you up and come to your house later on? All because they were able to run your plates from an app? No, you would not!
        There’s good reason why the license plate data base is off limits to the general public.

        The same goes for drones and their pilots. I have thousands of dollars worth of drone equipment. I also fly them with my family. I don’t want paranoid uneducated people, crooks, knowing my identity or location for safety alone. Let alone, I don’t want people knowing the equipment I have.

        I’m perfectly fine with law enforcement and the FAA to know who I am and where I am at. Because I don’t fly illegally. Plus it’s just how it is. We have to have some sort of governing systems in place to keep order and enforce safety. Right?

        The issue is, with any random Jo blow knowing where am at and what equipment I own. That’s where privacy and safety is a huge concern. The general public should never have access to my location or information.

        It’s no different than someone being able to pull your plate number. Police can’t even pull your license plate without reasonable cause. I know these things because I worked for law enforcement for several years.

        That’s what the problem is. If you were a UAV operator, you’d know this. Better yet an educated UAV operator. Either way this information should never be allowed to be viewed by the general public for many reasons. I listed on a couple of scenarios as to why.

      2. If fixed and rotor pilots would adhere to the rules and the FAA simply established a radius around controlled airspace prohibiting recreational drone pilots, all this would be greatly simplified. All too often I observe rotor pilots flying below 500 AGL without rhyme or reason, other than to get a cool shot of vehicles, people, etc.

  3. Now who wants to start a project for a drone throwie. ESP32 or something smaller with separate radio, deep sleep and battery to last a year. Just to hide it in where ever to start spamming packets like this at random intervals and random locations.

  4. One thing I learned from studying malware is that “encrypted” only means “hidden”. We generally expect cryptography to be unbreakable but simply XORing each byte with a constant value is enough to qualify as being encrypted, as is often the case with encrypted strings in malware. I’m not trying to be pendant but there is a significant difference between “encryption” and “secure encryption”.

      1. Well if it is like Gravis says it is such a bad encryption it wasn’t even close to secure the day it was made – nothing can be entirely unbreakable but a reasonable time to failure can be expected with anything claiming ‘encrypted’ – it shouldn’t be that simple and quick to break.

        It is the same way Rot13 is something many codebreaking geeks will just read at a glance like it was plain text. It is too common and simple you don’t have to work at it at all, but even a bad Vigenère cypher will make them work a little to get at the goodies.

  5. I’m less concerned about my drone giving away my location that I am about people using their drones in a way that they feel this data needs to be kept private…

  6. For civilian use, I see no reason for encryption.
    For Ukraine. Why would they even use them with stock firmware?
    It can’t be that difficult to disable that info, or send out deliberately falsified data.
    But the simplest remedy I’ve seen is just walk away some distance from the drone before it’s being activated for takeoff.

    1. Ukraine did both of those things, and they did them early on, The Ukrainians applied a common hack to disable the remote ID, and before that they simply walked a couple hundred feet away from the takeoff point. There are even YouTube videos by Ukrainian soldiers showing exactly that.

    2. Per FAA Part 89, “standard” UAs (drones) (those with remote ID built in) the location of the operating station is sent.
      For UAs using “broadcast modules”, the remote ID is allowed to have the launch point location instead. However, such UAs are restricted to operating within line-of-sight of the operator.

      (Last I checked, UAs were already restricted to operating within line-of-sight by another part of the FAA regulations. Including this in Part 89 “protects” against raising the limit in the other part – surprisingly forward thinking.)

  7. Don’t really care. If you’re operating a drone in public, why should you expect any “privacy”? Besides it’s not like your social security number is being broadcast.

    Yes, it’s a problem for military use, which is why military users should find implementations more amenable to their needs.

  8. I wonder, what it would take to get a microcontroller to transmit a false set of statistics using the same protocol. For example, purposefully missreporting the operator’s position, so anyone trying to apprehend them goes in the opposite direction.

    1. afaik DJI is using phones GPS coordinates for the transmitted droneID. The problem might be when you are trying to calibrate the drone before start and it complains transmitter is nowhere near the drone :) thus you might need to modchip the drone itself adding some fixed offset. This wouldnt be difficult as DJI drones are using external serial GPS receivers.

  9. We all carry little computers in our pockets that send off our location, even if location is supposedly “off” on the phone. The 911 system will get your location this way.
    Ham operators gleefully broadcast their location via APRS (aprs.fi). The only way to really hide your location these days is to not be around technology. There are cameras everywhere, and the newer cameras even do audio as well.
    People don’t realize the amount of time they spend in front of a camera each day.
    From the camera at the front door at Walmart, to the camera at the ATM, your location is broadcast in more ways than one. There was a case in New York where a guy got a speeding ticket because his EZ-PASS toll transponder data indicated he could not have gotten from point A to point B in the amount of time between the two transpoder readings without speeding. What’s good is, it’s widely known that drones broadcast their position as well as the position of the operator. In today’s world, there is no privacy, and that is to be expected given the amount of technology we are surrounded by on a daily basis.

  10. The government/FAA and law enforcement can know my location if I’m breaking the law! law enforcement can’t legally look up your phones location without a warrant.

    The general public should not have access to my location period! The general public can’t just run a license plate now can they?

    Same principal applieds here.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.