In recent years, regulatory frameworks requiring drones to be equipped with remote identification (RID) systems have been developed by agencies in many countries, including the US Federal Aviation Administration (FAA), the European Aviation Safety Agency (EASA) and the Japanese Ministry of Land, Infrastructure, Transport and Tourism (MLIT). Other countries have similar regulatory frameworks in place or are in the process of developing them for unmanned aircraft systems (UAS). RID-enabled drones periodically transmit identification and location (telemetry) information, enabling third-party entities, such as law enforcement, other airspace participants and the general public to identify and locate drones and their operators. In all existing regulatory frameworks, this telemetry data is broadcast using a common wireless protocol called Open Drone ID (ODID).
Nozomi Networks recently released Guardian Air, a new sensor capable of gathering information about nearby wireless networks. Guardian Air supports, among other wireless frequencies, the detection of drones flying in surrounding areas transmitting telemetry data using ODID. Guardian Air is also capable of detecting potential attacks involving the injection of fake ODID traffic.
In this blog, we’ll give an overview of ODID, walk through how Guardian Air detects suspicious ODID traffic and related attacks, and how Guardian Air support for ODID monitoring can be enabled in Vantage.
For more information about RID technologies, the ODID protocol and attack scenarios that illustrate their weaknesses, please refer to our recent white paper, which describes the results of Nozomi Networks Labs research on this topic.
Guardian Air Support for Open Drone ID Protocol
Europe, the U.S. and Japan are currently the most active regions in terms of developing RID policies and rules. These three regions share similar high-level RID system architecture and, from a technical point of view, all three, apart from minor differences, are based on the same wireless RID protocol, ODID.
ODID aims to provide a standardized, open-source reference implementation of a protocol compliant with various RID regulations. Guardian Air supports the monitoring of ODID traffic and, as a result, the detection of drones transmitting it. In fact, a drone compliant with RID regulations, supporting the ODID protocol, periodically transmits its ID, current location, direction, speed, operator information and other relevant telemetry data. At the end of the blog we share a video that shows how to enable Guardian Air in Vantage.
By default the monitoring of ODID traffic is disabled in Guardian Air and it must be explicitly enabled using the "Wireless" tab in the Vantage interface. To see how, watch the video below.
Guardian Air Detection of Open Drone ID Injection Attacks
ODID is affected by known security weaknesses – data transmitted with this protocol is neither encrypted nor authenticated. This creates privacy issues for drone operators and makes ODID prone to spoofing and injection attacks that involve a malicious user injecting fake ODID traffic to forge the presence of drones in the airspace. Such a situation could lead to safety issues if the RID system is used to protect critical infrastructure facilities.
Given the completely unprotected nature of ODID protocol, it is not possible to provide a 100% reliable way to detect it. However, by continuously monitoring ODID traffic, Guardian Air is able to detect some classes of attack and alert the user. Examples include suspicious ODID traffic activities such as messages containing unrealistic telemetry data (e.g., unrealistic drone movements or altitude), duplicated messages (e.g., when an attacker attempts to inject fake telemetry data corresponding to a real drone flying in the surrounding area) or unexpected variations in ODID traffic and in number of drones in a certain area. This last case is known as flood attack, where a malicious user injects a huge amount of ODID traffic to forge the presence of many fake drones in a certain area.
A scenario like a flood attack could represent a safety threat and lead to service disruption if the area belongs to a critical infrastructure facility and that facility relies exclusively on a RID system to protect its airspace. Such areas are also often classified as no-fly zones.
An example of ODID flood attack on a ground station receiver is depicted in the image below, following these steps:
- A real drone is powered on and takes off.
- The drone is detected by a RID ground station receiver and appears on the map service provided by the RID receiver.
- At the same time, the drone is detected also by Guardian Air and it appears as a new “drone” asset in Vantage.
- Suddenly, new drones appear.
- The drones are detected by the RID ground station receiver and reported on the corresponding map.
- Meanwhile, in the situation Guardian Air also detects these new drones and adds them as assets in Vantage. However, Guardian Air also recognizes the suspicious situation and raises an “Unrealistic number of drones appeared” alert recommending that the user perform a visual check of the airspace.
Nozomi Networks Labs conducted an in-depth research investigation regarding RID technologies and attack scenarios like the one briefly covered above. In our white paper, we provide:
- A general introduction to RID technologies and their security weaknesses.
- An in-depth description of ODID protocol and its messages format.
- A description of the reverse engineering activity we performed on the DroneScout ds230, one of the first commercial ODID ground station receiver, and an analysis of the vulnerabilities we found.
- An investigation of droneID, DJI’s proprietary OcuSync-based RID, including an analysis of the proprietary Radio Frequency signal OcuSync and several experimental tests with DJI’s Aeroscope.
- A showcase of novel attack scenarios against RID systems targeting both RID’s intrinsic weaknesses and the vulnerabilities we found during our analysis.
Conclusion
The vast majority of modern consumer drones are equipped with RID systems and transmit their telemetry information using ODID protocol which, being an unsecure protocol, is prone to injection and spoofing attacks. Nozomi Networks provides support for ODID traffic monitoring and drone detection thanks to our Guardian Air wireless sensor. Guardian Air is able to continuously monitor ODID traffic for suspicious activity and raises proper alerts when potential spoofing and injection attacks are detected to provide users with continuous situational awareness.
If you would like to know more about Guardian Air, sign up for a personalized demo or our monthly group demo.
