DJI Drone Tracking Data Exposed in US

Over 80,000 drone IDs were exposed in a data leak after a database containing information from dozens of airspace monitoring devices manufactured by the Chinese-owned DJI was left accessible to the public.

Recently, the Cybernews research team stumbled upon an unprotected database with over 90 million drone-monitoring logs generated by devices from DJI, the largest market player in the world, which sells both drones and devices to surveil them.

The discovery

AeroScope, a drone-monitoring device by DJI, can “identify the vast majority of popular drones on the market today.”

The Cybernews Research Team discovered an open database with over 90 million entries of drone-monitoring logs created by 66 different DJI AeroScope devices, with the majority of them (53) being located in the US. Some were located in Qatar (six) and a few in Germany, France, and Turkey.

Logs included the drone’s position, model and serial number, the position of the drone’s pilot, and home location (usually the point of take-off). No personally identifiable information (PII) was present in the dataset. In total, we found over 80,000 unique drone IDs in the instance.

DJI told Cybernews that a 54.5GB-strong dataset, discovered by our researchers on July 11 and hosted by AWS in the US, is not their property, meaning that the data was most likely exposed by their client using AeroScope devices to monitor the airspace for drones.

Since the server was hosted on AWS and didn’t have any domains assigned to it, it was impossible for our researchers to track down the owner even with the help of VirusTotal, Centralops Domain dossier, nmap, and dig, among other useful open-source-intelligence (OSINT) tools.

Cybernews informed both DJI and AWS about the leaky database for them to fix the issue as soon as possible to reduce the risk of threat actors accessing the dataset. AWS said it had passed our “security concern on to the specific customer for their awareness and potential mitigation.”

Troubling data

Needless to say, the surveillance of drones is upsetting enough for people who simply take theirs out for a spin or to capture aerial footage. Given the security concerns, tracking of drones is inevitable; however, it’s reasonable to expect that surveillance data is kept in protected databases.

Aras Nazarovas, a Cybernews researcher, said this information is upsetting to hobbyists since it can essentially show the routes they take with their drone.

“For people who launch drones in their backyards, there is an added danger of revealing their address, and the fact that they are rich enough to have a DJI drone – prices range from $300 to $13,700, and you can see which drone they have,” Nazarovas said.

Photo: REUTERS/David Kirton

Source: Cybernews

 
