A cybersecurity news website says its research team has discovered a 54.5GB unprotected database of DJI drone logs. The exposed data contains over 80,000 unique drone IDs, aircraft model and serial numbers, the position of the drone’s pilot, and more.
The open database, Cybernews says, collates information from 66 different DJI AeroScope drone detection devices. A majority of these devices (53) are located in the United States, while others are spread across Qatar, Germany, France, and Turkey. The database itself is hosted by Amazon Web Services (AWS) in the United States.
More specifically, the leaked DJI drone data includes information such as the flight status, unique ID assigned to the aircraft, home location of the drone (which is usually the take-off point), timestamps, drone models, serial numbers, and the operator’s location. No personally identifiable information is present in the dataset.
The big question now is, who owns this data?
The identity of the database owner is not yet known, though DJI has clarified the data is not held by them. This likely means the tracking data has been exposed by an AeroScope client using DJI’s drone identification technology to monitor the airspace.
AeroScope devices are typically sold to airports, police departments, prison authorities, nuclear power plants, sensitive military units, and government facilities.
Cybernews says it tried to track down the database owner using several open-source-intelligence (OSINT) tools but was unsuccessful because the AWS server had no domains assigned to it. The website then urged both DJI and AWS to fix the issue “as soon as possible to reduce the risk of threat actors accessing the dataset.”
AWS responded by saying it had passed the “security concern on to the specific customer for their awareness and potential mitigation.”
DJI spokesperson Adam Lisberg told DroneDJ the company is aware of the issue. Here’s Lisberg:
“As the story notes, this data was not held by DJI, and we have no idea who generated it. The report further says the dataset does not appear to include any personally identifiable information. It’s important to note that the FAA will require all drone pilots to broadcast exactly this type of information from their drones as its Remote ID system takes effect over the next year, in a format that anyone can access. Nonetheless, we plan to instruct all AeroScope customers to ensure they use proper protocols to secure their data.”
The FAA’s Remote ID rule requires a drone in flight to provide identification and location information that can be received by people within the range of local radio signals. The federal agency likens it to a “digital license plate” for a drone.
Drone operators are not required to comply with the FAA Remote ID regulations until September 16, 2023. But drone tracking solutions leveraging Remote ID signals have already started to appear on the market. Czech start-up Dronetag recently launched a free app for iOS and Android devices that allows literally anyone to see the real-time height, direction, pilot identification, pilot position, operation description, and location history of Remote ID-enabled drones flying nearby.