OpenDroneID monitoring

Guardian Air monitors OpenDroneID (ODID) beacon traffic broadcast by drones to identify unmanned aircraft in the area and detect spoofing or anomalous behavior.

Overview

OpenDroneID (ODID) is a broadcast Remote Identification standard defined by ASTM F3411 that requires drones to transmit identification and telemetry data over Wi-Fi beacon frames. Guardian Air captures these beacons using the Wi-Fi adapter and decodes the ODID message packs to extract drone identity, location, and flight data. Guardian Air synchronizes the data to Vantage for analysis and alert generation.

What Guardian Air discovers

During ODID monitoring, Guardian Air collects the following information for each detected drone.

Table 1. Discovery data
| Data point | Description |
| --- | --- |
| UA ID (Remote ID) | The unmanned aircraft identifier broadcast in the Basic ID message, used to uniquely identify the drone. |
| ID type | The type of identifier, such as serial number, registration ID, or UTM-assigned ID. |
| UA type | The type of unmanned aircraft, such as helicopter, aeroplane, or multirotor. |
| Protocol version | The ASTM F3411 protocol version in use: F3411-19 (1.0), F3411-20 (1.1), or F3411-22 (2.0). |
| Status | The operational status of the drone as reported in the location message. |
| Latitude and longitude | The geographic coordinates of the drone, extracted from the location vector message. |
| Altitude and height | The geodetic altitude, barometric altitude, and height above takeoff or ground as reported by the drone. |
| Direction and speed | The horizontal direction, horizontal speed, and vertical speed of the drone. |
| Signal strength (received signal strength indicator, RSSI) | The received signal strength of the beacon in dBm, used to estimate proximity. |

Attack detection

Guardian Air analyzes ODID telemetry data to detect anomalies that may indicate spoofing, replay attacks, or unauthorized drone activity.

Table 2. Attack detection results
| Attack type | Description |
| --- | --- |
| Improbable RSSI change | A sudden and abnormal change in the drone's RSSI value between consecutive packets, which may indicate spoofing or packet injection. |
| Wrong telemetry sequence number | The telemetry counter in a received packet is lower than or inconsistent with the previous value, which may indicate a replay attack or packet injection. |
| Drone above height limit | The drone reports a height above 500 meters, which is suspicious and may indicate spoofed telemetry. |
| Unrealistic number of drones | More drones appear within a short time window than is plausible, which may indicate that an attacker is sending crafted packets to simulate a fleet of drones. |
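
The four checks in Table 2, sketched as an added example that is not Guardian Air's own code. Only the 500 m limit comes from the table; the record field names, the RSSI jump threshold, the 8-bit counter wrap, and the drone-count window are assumptions, and the sample records are constructed.

```python
HEIGHT_LIMIT_M = 500    # from Table 2
MAX_RSSI_JUMP_DB = 30   # assumed threshold between consecutive packets
MAX_NEW_DRONES = 5      # assumed: new UA IDs tolerated per window
WINDOW_S = 10           # assumed window length in seconds

def detect(records):
    """Return (ts, ua_id, alert) tuples for decoded ODID records.

    Records are dicts with assumed keys: ts, ua_id, rssi, counter, height.
    """
    alerts, last, first_seen = [], {}, []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        uid, prev = r["ua_id"], last.get(r["ua_id"])
        if prev is None:
            # New UA ID: count first sightings inside the sliding window.
            first_seen = [t for t in first_seen if r["ts"] - t < WINDOW_S]
            first_seen.append(r["ts"])
            if len(first_seen) > MAX_NEW_DRONES:
                alerts.append((r["ts"], uid, "unrealistic number of drones"))
        else:
            if abs(r["rssi"] - prev["rssi"]) > MAX_RSSI_JUMP_DB:
                alerts.append((r["ts"], uid, "improbable RSSI change"))
            # Assumed 8-bit counter: a valid step is 1..127 modulo 256, so
            # a wrap from 255 to 0 passes but a repeat or rollback does not.
            step = (r["counter"] - prev["counter"]) % 256
            if step == 0 or step > 127:
                alerts.append((r["ts"], uid, "wrong telemetry sequence number"))
        if r["height"] > HEIGHT_LIMIT_M:
            alerts.append((r["ts"], uid, "drone above height limit"))
        last[uid] = r
    return alerts

def rec(ts, ua_id, rssi, counter, height):
    return dict(ts=ts, ua_id=ua_id, rssi=rssi, counter=counter, height=height)

# Constructed sample records, not captured traffic.
SAMPLE = [
    rec(0, "DRONE-A", -60, 10, 50),
    rec(1, "DRONE-A", -61, 11, 52),
    rec(2, "DRONE-A", -20, 12, 52),   # 41 dB jump
    rec(3, "DRONE-A", -22, 5, 52),    # counter rolled back
    rec(4, "DRONE-B", -70, 1, 800),   # above 500 m
] + [rec(5 + i, f"FAKE-{i}", -40, 1, 30) for i in range(4)]  # burst of new IDs

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```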

Hardware

ODID monitoring uses the same Realtek 8821CU Wi-Fi adapter (interface wlan0) as Wi-Fi monitoring. Guardian Air identifies ODID beacons by matching the CEN Organizationally Unique Identifier (OUI) in the vendor-specific information element of 802.11 beacon frames.