Blog entry by Bruce McPherson
Over 80,000 drone IDs were exposed in a data leak after a database containing information from dozens of airspace monitoring devices manufactured by the Chinese-owned DJI was left accessible to the public.
Think twice before taking your shiny new drone out for a spin near the Cannes Film Festival, a prison, a nuclear power plant, or an airport. High-security sites use devices that monitor drone movement, which poses a privacy risk to the drone's owner.
Recently, the Cybernews research team stumbled upon an unprotected database with over 90 million drone-monitoring logs generated by DJI devices – the largest market player in the world that sells both drones and devices to surveil them.
The surveillance race
Used by the military, businesses, and consumers, drones are “fundamentally changing aviation.” Therefore, the US Federal Aviation Administration (FAA) envisions integrating drones into the National Airspace System (NAS) by identifying all unmanned aircraft systems (UAS).
The FAA introduced Remote ID – analogous to license plates for drones – to identify the owners of drones that are flying in an unsafe manner or where they are not allowed to fly. Remote ID provides information about drones in flight: the identity, location, and altitude of the drone and of its control station or take-off location.
But it seems that Chinese-owned DJI, already controlling the lion’s share of the drone market worldwide, got there first. In 2017, it introduced the AeroScope device to provide an in-flight drone identification system.
In fact, the company boasted about protecting the prestigious Cannes Film Festival 2022 from unsolicited intrusions from aerial cameras – AeroScope was used by police officers to watch for drones in the area’s no-fly zone.
“From temporary events like festivals, government events, and major sporting events to fixed sites like airports, prisons, and nuclear power plants, AeroScope is a simple, robust technical solution to provide immediate information about DJI drones in the area – from their flight paths to their pilot locations to their serial numbers,” DJI said.
The Shenzhen-headquartered company holds a whopping 70% of the global consumer and enterprise drone market, according to the Business Insider report from 2020.
DJI was blacklisted by the Biden Administration in 2021 for its alleged involvement in the surveillance of the Uyghur Muslim minority in China.
On October 5, 2022, the US Defense Department added DJI and a dozen other companies to a list of Chinese entities believed to be connected to the Chinese military. The Pentagon thereby paved the way for further restrictions on their businesses, arguing that access to advanced technologies is crucial for modernizing the People’s Liberation Army.
DJI was also in the spotlight after Ukraine’s Vice Prime Minister Mykhailo Fedorov accused the company of helping the Kremlin to kill civilians by allowing Russia to freely use DJI devices, including AeroScope, on Ukrainian soil.
The discovery
AeroScope, a drone-monitoring device by DJI, can “identify the vast majority of popular drones on the market today.”
The Cybernews research team discovered an open database with over 90 million drone-monitoring log entries created by 66 different DJI AeroScope devices. Most of them (53) were located in the US; six were in Qatar, and a few in Germany, France, and Turkey.
Logs included the drone's position, model and serial number, the position of the drone’s pilot, and home location (usually the point of take-off). No personally identifiable information (PII) was present in the dataset. In total, we found over 80,000 unique drone IDs in the instance.
DJI told Cybernews that the 54.5GB dataset, discovered by our researchers on July 11 and hosted on AWS in the US, is not its property, meaning the data was most likely exposed by a DJI customer using AeroScope devices to monitor the airspace for drones.
Since the server was hosted on AWS and had no domain assigned to it, our researchers could not track down the owner even with VirusTotal, Centralops Domain Dossier, nmap, dig, and other open-source-intelligence (OSINT) tools: without a domain pointing at the instance, reverse DNS and WHOIS for an AWS address resolve only to Amazon, not to the customer renting it.
Cybernews informed both DJI and AWS about the exposed database so that the issue could be fixed as soon as possible, reducing the risk of threat actors accessing the dataset. AWS said it had passed our “security concern on to the specific customer for their awareness and potential mitigation.”
Troubling data
Needless to say, being tracked is upsetting enough for people who simply take their drone out for a spin or to capture aerial footage. Given the security concerns, drone tracking is inevitable; it is reasonable, however, to expect that the surveillance data is kept in protected databases.
Aras Nazarovas, a Cybernews researcher, said this information is upsetting to hobbyists since it can essentially show the routes they take with their drones.
“For people who launch drones in their backyards, there is an added danger of revealing their address, and the fact that they are rich enough to have a DJI drone – prices range from $300 to $13,700, and you can see which drone they have,” Nazarovas said.
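To make concrete why the fields listed in the logs (serial number, pilot position, home location) matter, the following is an added example, not code from the article, Cybernews, or DJI. It assumes a CSV export with the column names shown; the article does not document the real AeroScope schema, and all records and coordinates below are constructed for illustration and point at no real address. It groups sightings by drone serial, snaps each flight's home point to a roughly 100 m grid, and flags serials whose home point recurs across flights with the pilot standing within a few tens of metres of it, which is what a backyard launch looks like.

```python
"""Added example: infer probable residences from AeroScope-style drone logs.
The schema, field names, and every record here are constructed assumptions;
they are not the real AeroScope export format described anywhere in the article.
"""
import csv
import io
import math
from collections import Counter, defaultdict

# Constructed sample export. Coordinates are invented and not real addresses.
SAMPLE_CSV = """\
timestamp,serial,model,drone_lat,drone_lon,pilot_lat,pilot_lon,home_lat,home_lon
2022-07-01T09:12:00Z,0A1B2C3D,Mavic 3,40.1250,-74.5700,40.1232,-74.5672,40.1231,-74.5671
2022-07-03T18:40:00Z,0A1B2C3D,Mavic 3,40.1260,-74.5690,40.1231,-74.5672,40.1232,-74.5670
2022-07-09T07:05:00Z,0A1B2C3D,Mavic 3,40.1240,-74.5720,40.1230,-74.5670,40.1231,-74.5672
2022-07-02T12:00:00Z,9Z8Y7X6W,Mini 2,40.2010,-74.6005,40.2000,-74.6000,40.2000,-74.6000
2022-07-10T15:30:00Z,9Z8Y7X6W,Mini 2,40.3020,-74.7010,40.3000,-74.7000,40.3000,-74.7000
"""


def parse_logs(text):
    """Parse the assumed CSV layout into dicts with (lat, lon) tuples."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "timestamp": row["timestamp"],
            "serial": row["serial"],
            "model": row["model"],
            "drone": (float(row["drone_lat"]), float(row["drone_lon"])),
            "pilot": (float(row["pilot_lat"]), float(row["pilot_lon"])),
            "home": (float(row["home_lat"]), float(row["home_lon"])),
        })
    return records


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6371000.0
    lat1, lat2 = math.radians(a[0]), math.radians(b[0])
    dlat = math.radians(b[0] - a[0])
    dlon = math.radians(b[1] - a[1])
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def cell(point, decimals=3):
    """Snap a point to a ~100 m grid so GPS jitter between flights groups together."""
    return (round(point[0], decimals), round(point[1], decimals))


def likely_home_addresses(records, min_flights=2, max_pilot_distance_m=30.0):
    """For each serial, take the most frequent home cell and flag it as a probable
    residence when it recurs across at least min_flights flights and the pilot
    stood within max_pilot_distance_m of it on every one of those flights.
    Returns {serial: {"model": ..., "cell": (lat, lon), "flights": n}}."""
    by_serial = defaultdict(list)
    for rec in records:
        by_serial[rec["serial"]].append(rec)

    flagged = {}
    for serial, flights in by_serial.items():
        top_cell, count = Counter(cell(f["home"]) for f in flights).most_common(1)[0]
        if count < min_flights:
            continue  # one-off launch sites (parks, fields) are not a residence
        close = [
            f for f in flights
            if cell(f["home"]) == top_cell
            and haversine_m(f["pilot"], f["home"]) <= max_pilot_distance_m
        ]
        if len(close) == count:
            flagged[serial] = {"model": flights[0]["model"], "cell": top_cell, "flights": count}
    return flagged


if __name__ == "__main__":
    for serial, info in likely_home_addresses(parse_logs(SAMPLE_CSV)).items():
        print(f"{serial} ({info['model']}): probable home near {info['cell']} "
              f"across {info['flights']} flights")
```

On the constructed data, the serial that launched three times from the same spot with the pilot beside the take-off point is flagged, while the serial seen once each at two different sites is not; on a real export of 80,000 serials the same loop would turn a nominally anonymous log into a list of addresses and the drone model kept at each one.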
By Jurgita Lapienytė