80,000 drone IDs exposed in DJI Aeroscope data leak

In a data breach, a DJI Aeroscope database with information from hundreds of airspace monitoring devices made by the Chinese drone maker was made public. This database contained more than 80,000 drone IDs.

について Cybernews research team has discovered an unencrypted database containing over 90 million drone-monitoring records created by DJI AeroScope systems.

The Federal Aviation Administration (FAA) came up with Remote ID, which is equivalent to license plates for drones, to identify the owners of all drones if they are flying in a dangerous way or in areas where they are not permitted to fly.

Remote ID will offer information about drones in flight, including the drone’s identification, position, and altitude, as well as the pilot’s location.

In 2017, DJI introduced the DJI AeroScope drone detection system so that drones could be identified while they were in the air. This was done in preparation for the FAA’s Remote ID for Drones program.

“From temporary events like festivals, government events, and major sporting events to fixed sites like airports, prisons, and nuclear power plants, AeroScope is a simple, robust technical solution to provide immediate information about DJI drones in the area – from their flight paths to their pilot locations to their serial numbers,” DJI said.

The company’s drone-monitoring equipment, DJI AeroScope, can “identify the vast majority of popular drones on the market today.”

DJI Aeroscope data leak

The Cybernews Research Team found an open database with more than 90 million records of drone monitoring from 66 different DJI AeroScope devices, most of which were in the 米国 (53). Some were in Qatar (six), while others were in ドイツ, フランスそして Turkey.

The logs contained the drone’s position, model, and serial number, as well as the pilot’s position and home location (usually the point of take-off). The dataset included no personally identifiable information (PII). In all, Cybernews discovered approximately 80,000 distinct drone IDs in the instance.

DJI informed Cybernews that a 54.5GB dataset identified by our researchers on July 11 and housed by AWS in the United States is not their property, implying that the data was most likely disclosed by one of DJI’s customers while utilizing DJI AeroScope to monitor the airspace for drones.

Because the server was hosted on AWS and had no domains allocated to it, our researchers could not trace out the owner, even with the assistance of VirusTotal, Centralops Domain dossier, nmap, and dig, among other important open-source intelligence (OSINT) tools.

Cybernews told DJI and AWS about the leaking database and asked them to fix it as soon as possible so that threat actors won’t be able to get to the information. AWS said that it has forwarded the “security concern to the specific customer for their awareness and potential mitigation.”

Drone monitoring is distressing enough for folks who only take theirs out for a spin or to gather overhead video. Drone monitoring is unavoidable given security considerations, yet it is fair to expect surveillance data to be stored in secure systems.

According to Aras Nazarovas, a Cybernews analyst, this information is disturbing to enthusiasts since it may effectively expose the paths your drone takes.

“For people who launch drones in their backyards, there is an added danger of revealing their address, and the fact that they are rich enough to have a DJI drone, prices range from $300 to $13,700, and you can see which drone they have,” Nazarovas said.