In a data breach, a DJI Aeroscope database with information from hundreds of airspace monitoring devices made by the Chinese drone maker was made public. This database contained more than 80,000 drone IDs.
The Federal Aviation Administration (FAA) came up with Remote ID, which is equivalent to license plates for drones, to identify the owners of all drones if they are flying in a dangerous way or in areas where they are not permitted to fly.
Remote ID will offer information about drones in flight, including the drone's identification, position, and altitude, as well as the pilot's location.
In 2017, DJI introduced the DJI AeroScope drone detection system so that drones could be identified while they were in the air. This was done in preparation for the FAA's Remote ID for Drones program.
“From temporary events like festivals, government events, and major sporting events to fixed sites like airports, prisons, and nuclear power plants, AeroScope is a simple, robust technical solution to provide immediate information about DJI drones in the area – from their flight paths to their pilot locations to their serial numbers,” DJI said.
The company's drone-monitoring equipment, DJI AeroScope, can “identify the vast majority of popular drones on the market today.”
DJI Aeroscope data leak
The Cybernews Research Team found an open database with more than 90 million records of drone monitoring from 66 different DJI AeroScope devices, most of which were in the United States (53). Some were in Qatar (six), while others were in Germany, France, and Turkey.
The logs contained the drone's position, model, and serial number, as well as the pilot's position and home location (usually the point of take-off). The dataset included no personally identifiable information (PII). In all, Cybernews discovered approximately 80,000 distinct drone IDs in the instance.
DJI informed Cybernews that a 54.5GB dataset identified by our researchers on July 11 and housed by AWS in the United States is not their property, implying that the data was most likely disclosed by one of DJI's customers while utilizing DJI AeroScope to monitor the airspace for drones.
Because the server was hosted on AWS and had no domains allocated to it, our researchers could not trace out the owner, even with the assistance of VirusTotal, Centralops Domain dossier, nmap, and dig, among other important open-source intelligence (OSINT) tools.
Cybernews told DJI and AWS about the leaking database and asked them to fix it as soon as possible so that threat actors won't be able to get to the information. AWS said that it has forwarded the “security concern to the specific customer for their awareness and potential mitigation.”
Drone monitoring is distressing enough for folks who only take theirs out for a spin or to gather overhead video. Drone monitoring is unavoidable given security considerations, yet it is fair to expect surveillance data to be stored in secure systems.
According to Aras Nazarovas, a Cybernews analyst, this information is disturbing to enthusiasts since it may effectively expose the paths your drone takes.
“For people who launch drones in their backyards, there is an added danger of revealing their address, and the fact that they are rich enough to have a DJI drone, prices range from $300 to $13,700, and you can see which drone they have,” Nazarovas said.
Get your Part 107 Certificate
Pass the test and take to the skies with the Pilot Institute. We have helped thousands of people become airplane and commercial drone pilots. Our courses are designed by industry experts to help you pass FAA tests and achieve your dreams.
FTC: DroneXL.co uses affiliate links that generate income.* We do not sell, share, rent out, or spam your email, ever. Our email goes out on weekdays around 5:30 p.m.