Information on over 80,000 different drone IDs was spotted in a publicly available database. Among other things, the data leak contains information about locations, flight routes and associated serial numbers.
The Cybernews research team discovered an open database of over 90 million entries of drone surveillance logs generated by 66 different DJI AeroScope devices. AeroScope is a drone surveillance device from DJI and can “identify the vast majority of drones on the market today.”
Most of the logs found (53) originated in the USA. Other data originated in Qatar (six) and a few in Germany, France and Turkey.
Contents of the AeroScope data leak
The records now found included the drone’s location, model and serial number, the location of the drone’s pilot, and the home point (usually the launch point). However, the record did not contain any personally identifiable information. In total, Cybernews staff found over 80,000 unique drone IDs in this case.
DJI told Cybernews that the 54.5GB dataset Cybernews discovered on July 11, 2022, hosted on AWS in the US, is not in their possession. This suggests that the data most likely came from a customer using AeroScope equipment to monitor airspace.
Since the server was hosted on AWS and no domains were assigned to it, it was not possible for Cybernews researchers to track down the owner. In the attempt, they relied on VirusTotal, CentralOps Domain Dossier, nmap and dig, as well as other useful open source intelligence (OSINT) tools.
Cybernews notified both DJI and AWS about the leaked database and asked them to fix the issue as soon as possible to reduce the risk of unauthorized people accessing the dataset. AWS said it had “passed the security concerns to the respective customer for their attention and possible remediation.”
However, so far there are no reports of a corresponding response from this customer.
What is the risk posed by the data leak?
Surveillance of drones is unsurprising due to security concerns and is already a common practice in many areas. However, it is usually assumed that the data collected in this way is not publicly accessible and is not stored permanently.
Aras Nazarovas, a Cybernews researcher, says the information now found is troubling for amateur drone pilots because it can essentially show the routes they take with their drone.
“For people launching drones in their backyards, there’s the added risk of their address being exposed and the fact that they’re rich enough to own a DJI drone – prices range from $300 to $13,700, and you can see what drone they have,” Nazarovas said.
We do not know exactly which regions the affected users in Germany come from. For good reason, Cybernews also does not disclose any further details about the information contained in the data leak. It is therefore not possible to verify whether one is affected by this data leak.
It should also be mentioned again that this data leak was obviously not DJI’s fault, but that of someone who had the AeroScope system in use. AeroScope is not freely sold; it is available only via a contact form on the DJI website.