Drones play an important role in the war in Ukraine - not only military models, but also drones from the semi-professional and hobby sectors, such as those used by filmmakers - be it specially modified hexacopters, which can also drop small bombs, or camera drones such as DJI's Mini or Mavic models, which are used for reconnaissance.
After Ukrainian pilots of DJI drones were directly attacked by Russian artillery or missiles on several occasions, it was suspected that their location data had been obtained using DJI's AeroScope flight surveillance system. The truth, however, as it turns out, is more trivial.
DJI's AeroScope drone surveillance system
AeroScope (formerly Drone ID) was actually developed for public safety, to enable local authorities to identify drones and their owners in the event of dangerous or illegal flight maneuvers. To this end, each DJI drone manufactured since 2017 continuously transmits an identification signal that authorities can read using the AeroScope system. It contains, among other things, the location of the drone, home point, and pilot, as well as altitude, speed, direction of flight, model name, and serial number of the drone.
This transmission cannot be turned off and is embedded in the data stream that is constantly exchanged between the drone and pilot for control purposes. To prevent misuse, DJI's AeroScope systems are sold only to government agencies. A stationary AeroScope system is said to be capable of receiving signals from drones up to 50 km away (the mobile version only 5 km) under optimal conditions.
Position data - encrypted or not?
However, using the AeroScope system in a war to locate drone pilots was not on DJI's mind when it developed the system. Previously, DJI had explicitly assured that drone information was sent in encrypted form and could only be read via AeroScope. The following picture shows a recording of the radio traffic between drone and control unit, made with a simple SDR receiver by the security researcher Nico Schiller; in it, it is easy to see which information is transmitted openly.
In other words, every DJI drone since 2017 sends out its detection signal unencrypted, and this can be read not only with a special AeroScope receiver, but with any receiving system. DJI has now - after initial denial - also officially admitted this. This is not entirely unexpected, since the AeroScope system is basically open and intended to be used by other drone manufacturers as well, and is intended for flight safety and not for conflict situations.
This information is also relevant for ordinary drone pilots, as it means that anyone with an appropriate receiver (and not just DJI's AeroScope) can see where each drone and its pilot are within the entire reception radius. As of next year, the transmission of this position data will even be mandatory for all drones by law.
However, there are already hacks that can either deactivate the determination of the GPS position or spoof, i.e. falsify, the transmitted position data of the pilot. Nico Schiller was able to do this with a simple GPS faking app on Android (twitter.com/74ck_0/status/1518618303954132992).