Denial of Service due to loss of information in DroneScout ds230 Remote ID receiver from BlueMark Innovations

Vulnerability

The DroneScout ds230 Remote ID receiver from BlueMark Innovations is vulnerable to an information loss attack via traffic injection. The device, in its default configuration, processes Open Drone ID (ODID) messages. An attacker can inject spoofed ODID messages at precise times, causing the receiver to discard legitimate Remote ID (RID) information and instead generate JSON-encoded MQTT messages containing the crafted data. This affects firmware versions from 20211210-1627 through 20230329-1042 [1][2].

Exploitation

An attacker needs to be within radio range of the DroneScout ds230 to inject spoofed ODID messages. The attack requires precise timing to coincide with the reception of real RID messages. No authentication is needed, as the device accepts ODID messages by default. The attacker sends spoofed ODID frames that the receiver processes, leading it to drop the genuine RID data and transmit the attacker's crafted information via MQTT to the broker [2].

Impact

Successful exploitation results in the MQTT broker, typically operated by a system integrator, receiving only the attacker's fabricated RID information instead of the real drone identification data. This causes a loss of situational awareness and can be used to hide the presence of actual drones or inject false drone data. The impact is limited to information integrity and availability, with no direct effect on confidentiality or system control [2].

Mitigation

The vulnerability is fixed in firmware versions newer than 20230329-1042. Users should update to the latest firmware available from BlueMark Innovations. Additionally, setting the configuration option transmit_mode=2 in the [rid] section of the device's configuration file mitigates the issue by changing the transmission mode. No workaround is available for older firmware versions [2].