RID security vulnerability?

Hi all,
I’m sure this has been discussed to death, but I’m a little concerned about Remote ID security.

For those living under a rock, your Remote ID is your Operator ID plus 4 extra letters and/or numbers. Three of those characters are your “secret key”. They are there to validate your RID, and avoid people spoofing other people’s codes.

However, the algorithm is public (well, behind a paywall), and isn’t really any kind of security at all. The last three “security” characters are randomly chosen from a-z and 0-9. The one character that gets added to your OpID is what’s called a checksum. This is there to ensure your RID is valid and “secure” because the checksum algorithm takes both parts of the RID, smushes them together, and spits out a single character.

So for instance, if your OpID is “GBR-OP-759DFKEMHTZE”, and your security code is “tzo”, then your checksum character will be “r”. So your final RID will be “759dfkemhtzer-tzo”. So, what’s the problem with this? Well, because the checksum is just one character out of a choice of 36, you can easily guess a valid security code with a few lines of Python. Will it be the correct security code? There’s only a 1 in 1296 chance of you getting it right, so probably not. But it would be enough to fool an automated system into thinking your OpID is legit.

Obviously there’s more to RID than just the ID, it does broadcast the drone’s location and the flyer’s location which can be picked up on a mobile phone with a free app. Now assume someone wants to report you without confronting you. If you have a spoofed but legitimate-looking RID, the police will be sent to the wrong address and you can make good your escape. In fact our OpIDs are just 12 random characters so you could make up a RID and send the authorities round in circles.

So in summary, a RID is 16 characters, of those 15 are chosen at random, and of those 15, three are meant to be kept secret. I have 40 lines of Python code that can generate a valid-looking security code for any OpID/checksum in milliseconds. This doesn’t feel very secure. As I said, checking the whole thing against the CAA’s database will almost certainly flag up an anomaly, but that is time for ne’er-do-wells to do their dirty deeds.

What are people’s thoughts?

2 Likes
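As an added illustration of the receiver-side check the post says would "almost certainly flag up an anomaly", here is a small Python validator that parses the RID layout described above (12-character OpID suffix, one checksum character, hyphen, three secret characters) and then decides by authoritative lookup rather than by checksum. This is example code written for this thread, not code from any poster or from the CAA; the registry contents are constructed, and the real checksum algorithm is deliberately not reproduced (it is not on the page), because the point is that a 1-in-36 checksum carries no weight as evidence of who the operator is.

```python
"""Receiver-side Remote ID sanity check (added example, not the CAA's code).

Layout follows the thread: 12-char OpID suffix + 1 checksum char + '-' + 3 secret chars,
e.g. '759dfkemhtzer-tzo'. The checksum is parsed but never used as evidence.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Case-insensitive match is done by lower-casing the input first.
RID_PATTERN = re.compile(
    r"^(?P<opid>[a-z0-9]{12})(?P<check>[a-z0-9])-(?P<secret>[a-z0-9]{3})$"
)

# Constructed stand-in for an authoritative registry lookup (hypothetical data):
# OpID suffix -> the three secret characters issued with it.
CONSTRUCTED_REGISTRY: Dict[str, str] = {
    "759dfkemhtze": "tzo",  # the worked example from the post
    "a1b2c3d4e5f6": "q9x",  # constructed second entry
}


@dataclass(frozen=True)
class Verdict:
    status: str  # "ok", "malformed", "unknown_operator" or "secret_mismatch"
    opid: Optional[str] = None


def parse_rid(rid: str) -> Optional[Tuple[str, str, str]]:
    """Split a broadcast RID into (opid, checksum, secret); None if malformed."""
    m = RID_PATTERN.match(rid.strip().lower())
    if not m:
        return None
    return m.group("opid"), m.group("check"), m.group("secret")


def check_rid(rid: str, registry: Dict[str, str] = CONSTRUCTED_REGISTRY) -> Verdict:
    """Classify a broadcast RID using the registry, not the checksum.

    A checksum that 'works out' is true for 1 in 36 random strings, so it is
    ignored here; only the registry decides whether the OpID and secret agree.
    """
    parsed = parse_rid(rid)
    if parsed is None:
        return Verdict("malformed")
    opid, _check, secret = parsed
    issued = registry.get(opid)
    if issued is None:
        return Verdict("unknown_operator", opid)  # made-up OpID
    if issued != secret:
        return Verdict("secret_mismatch", opid)  # real OpID, guessed secret
    return Verdict("ok", opid)


def checksum_false_accept_rate(alphabet_size: int = 36, checksum_chars: int = 1) -> float:
    """Fraction of random (OpID, secret) pairs a checksum-only validator would accept."""
    return 1.0 / (alphabet_size ** checksum_chars)


if __name__ == "__main__":
    for sample in ("759dfkemhtzer-tzo", "759dfkemhtzer-abc", "thisisnotreal-wiz", "nope"):
        print(sample, "->", check_rid(sample))
    print("checksum-only false accept rate:", checksum_false_accept_rate())
```

The `secret_mismatch` branch is the case the post is worried about: an RID whose OpID is genuine and whose checksum is consistent, but whose three secret characters were guessed. A checksum-only validator cannot tell that apart from the real thing; a lookup against the issuing authority can, which is why network-connected validation (rather than a stronger checksum) is the fix being discussed later in the thread.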

Interesting post. Thank you.

You’re assuming the automated system you’re trying to fool just calculates the checksum in the same way as our area rather than being able to connect to the CAA to check it, I presume? That’s probably a valid assumption, since I’m not aware of a CAA API to actually authenticate against… But maybe the Police have such a link.

And welcome to Dronehub!

2 Likes

I can only speak about my Autel EVO II V3, but the controller was happy when I entered the remote ID “GBRthisisnotreal-wiz”. The controller was connected to my wifi, so it would have had an opportunity to call a server if it wanted to. I agree, there’s no CAA server that I know of that can validate the RID, but the police are bound to have something they can manually check against. An automated system would have to be part of the “networked” RID system which according to Sean at Geeksvana, is coming.

Interestingly, my drone doesn’t appear to actually broadcast my OpID, at least according to the Drone Scanner app. It does broadcast the location and serial number of the drone. That said, I’ve not taken it up yet since I entered a RID, so maybe it only broadcasts the OpID when it is in flight. I’m due for a flight this afternoon, so I’ll see if anything changes.

I have some screenshots showing the fun RID, but I’m too new to upload :sad_but_relieved_face:

Interesting.

My drones don’t appear to transmit remote ID at all, on any of the apps, despite me putting my remote ID into them.

I’ve tried on Potensic Atom 2 and DJI Avata 2. I tried flying them as well.

Interesting to hear that you can pick up your Autel on the Drone Scanner app.

I wonder if drone manufacturers are biding their time, making sure the RID entry works before enabling it when it becomes mandatory. I flew my Evo II this evening and I got occasional location updates, but not once did it broadcast my OpID.

Actually I suspect in my case it’s a bug in the drone firmware - I have an idea of how to interrogate the data coming directly from the drone using Wireshark, but that will require a bit of tinkering which I don’t have time for yet.

What I have realised though is that more than the ID itself can be spoofed - the pilot’s location can be as well. My controller is a nice all-in-one job with a big touchscreen. It also runs fairly stock Android, including the ability to enable developer mode and so therefore mock locations. This is a feature of Android that enables developers to test their location-based apps without having to physically move around. It simply enables another app to feed mock GPS locations into the system, and all other apps think that the data is coming from the device’s GPS unit.

So picture the scene: Bob the bandit drives around looking for a drone transmitting its RID. He has plans to drop a mobile phone to Rob the robber, his mate in prison. Bob snags the legitimate OpID of the pilot and goes home. There he generates a valid RID from the stolen OpID and uploads it to his drone. Next, he enables location mocking on his controller and places the spoofed location in an unsuspecting granny’s garden a few hundred metres from the prison wall. He drives round to the other side of the prison and sits in his car, looking like he’s playing on his Nintendo Switch or something. Up goes the drone, over the prison walls, and lands in a safe spot in the exercise yard and he drives off. Naturally the guards are all over this like a rash and call the police who bash down the door of the poor old granny. She doesn’t know what a drone is. So they then send another gang over to the apparent owner of the drone, and he shows them his drone safe and sound in its case.

The DfT and CAA have announced they’re spending millions on a hybrid RID system. This combines the direct RID we have now, and a network version where your controller connects directly to a server somewhere. They have gone with a hybrid system because it is acknowledged that there are plenty of areas in the UK that have poor or no mobile signal. If that is the case, it falls back to direct mode. That’s easily simulated by putting the controller into aeroplane mode. So that won’t fix the scenario above.

None of this involves hacking firmware or electronically spoofing GPS. Just a free app, a controller that runs Android, and 40 lines of Python code.

This is an international standard too, so I am sure other bad actors could come up with all sorts of ways round the system that was designed to catch them out.