Hi all,
I’m sure this has been discussed to death, but I’m a little concerned about Remote ID security.
For those living under a rock, your Remote ID is your Operator ID plus 4 extra letters and/or numbers. Three of those characters are your “secret key”. They are there to validate your RID, and avoid people spoofing other people’s codes.
However, the algorithm is public (well, behind a paywall), and isn’t really any kind of security at all. The last three “security” characters are randomly chosen from a-z and 0-9. The one character that gets added to your OpID is what’s called a checksum. This is there to ensure your RID is valid and “secure” because the checksum algorithm takes both parts of the RID, smushes them together, and spits out a single character.
So for instance, if your OpID is “GBR-OP-759DFKEMHTZE”, and your security code is “tzo”, then your checksum character will be “r”. So your final RID will be “759dfkemhtzer-tzo”. So, what’s the problem with this? Well, because the checksum is just one character out of a choice of 36, you can easily guess a valid security code with a few lines of Python. Will it be the correct security code? There’s only a 1 in 1296 chance of you getting it right, so probably not. But it would be enough to fool an automated system into thinking your OpID is legit.
Obviously there’s more to RID than just the ID, it does broadcast the drone’s location and the flyer’s location which can be picked up on a mobile phone with a free app. Now assume someone wants to report you without confronting you. If you have a spoofed but legitimate-looking RID, the police will be sent to the wrong address and you can make good your escape. In fact our OpIDs are just 12 random characters so you could make up a RID and send the authorities round in circles.
So in summary, a RID is 16 characters, of those 15 are chosen at random, and of those 15, three are meant to be kept secret. I have 40 lines of Python code that can generate a valid-looking security code for any OpID/checksum in milliseconds. This doesn’t feel very secure. As I said, checking the whole thing against the CAA’s database will almost certainly flag up an anomaly, but that is time for ne’er-do-wells to do their dirty deeds.
What are people’s thoughts?