Mykhailo Fedorov, Ukraine’s Vice Prime Minister, accused DJI of helping Russia kill civilians in Ukraine. Russia was able to use a drone-tracking device called DJI AeroScope, to pinpoint the location of Ukrainian drone pilots, and then allegedly kill them with mortars and missiles. We wrote an explanation of DJI AeroScope, its purpose, and what DJI could do to stop people being killed by its technology. A hacker pointed out that DJI was not being truthful on at least one point. The company now admits it. DJI now claims that the AeroScope signals broadcast from every DJI drone are not encrypted.
This means that governments and other technical professionals may not require an AeroScope in order to view the exact position of every DJI drone or the exact location of each pilot.
To be clear, both Adam Lisberg, DJI spokesperson, and David Kovar (drone forensics expert), told us that these signals were encrypted. We checked with DJI again after hacker Kevin Finisterre suggested that this was incorrect. Finisterre repeatedly disproved the claim that DJI admitted to The Verge that it was false, and that this took place almost a month later.
It means that @adamlisberg must update @StarFire2258 with a comment stating that his engineering staff misspoke & @DJIFlySafe #DJIEnterprise #djisupport #AeroScope packets are NOT *encrypted*. https://t.co/7y9xodwIoh pic.twitter.com/FJn1a2QZyV– KF (@d0tslash) April 19, 2022
DJI’s Lisberg claims it’s his fault, but also says that his R&D contacts from China repeatedly told him that it was encrypted. It took senior managers to admit that it wasn’t true.
It’s not surprising that AeroScope signals remain unencrypted. DJI originally envisaged Drone ID (now AeroScope), as a technology other drone companies could use. The United States and other countries have already made it mandatory that drones broadcast your location by 2023. It won’t be an option, and it’s unclear if these signals will be encrypted.
We asked Lisberg about some of the claims he made in his piece. We want to verify that other information is correct. Although there are no other corrections at the moment, he did admit that DJI could prematurely revoke AeroScope certificates to disable them. However, that would only affect stationary units connected to its AWS servers. It could theoretically also see the GPS positions of AeroScope receivers that way (though not likely the ones used by the Russian military or portable ones that don’t connect to AWS).
Lisberg also stated, “I was once again told Sentinel/Supervisor do not exist,” referring specifically to an alarming-sounding program Finisterre discovered during a DJI data breach. Finisterre suggested that the program was evidence that DJI, at least in China is mining data on its users. DJI, however, has denied this, telling The Verge that it was just a suggestion on how DJI could theoretically do targeted advertising, but that it never happened.
Finisterre also pointed out that DJI had a way to remotely disable the AeroScope signals broadcast by its drones until it disabled them in later updates. However, it appears that commands can still be sent to the drone to hide a pilot’s coordinates.
DJI announced yesterday that it would stop all product shipments and all after-sales support to Russia and Ukraine.