New Drone License Plates Stoke Fears About Tracking, Hacking

A drone flies at the Paris Drone Festival on the Champs Elysees in Paris on June 4, 2017. (Alain Apaydin/Sipa via AP Images)

A drone technology company unveiled a tracking and identification application, akin to drone license plates, for use by law enforcement and other parties, something critics contend could infringe on privacy rights and be vulnerable to hacking.

Shenzhen, China-based DJI last month announced that AeroScope would harness the existing communication link between a drone and the remote controlled by the operator. It would then pick up and disseminate the drone’s registration information — required by the Federal Aviation Administration for drones between 0.55 pounds and 55 pounds — as well as track its height and location.

That information would be available to “authorized parties” with an AeroScope receiver, such as security agencies. The technology has already been put to use at two international airports as aviation authorities grapple with near-misses in their airspace — or, as in the case of Jean Lesage International Airport in Québec City last month, collisions, when a drone hit an incoming SkyJet flight.

The company says the new “drone license plate” reader and tracker works on all of the drones that it makes, or about two-thirds of civilian drones on the market. “Other drone manufacturers can easily configure their existing and future drones to transmit identification information in the same way,” DJI noted in an October press release. The firm also contends that privacy rights wouldn’t be violated because the intercepted information of “most drone flights will not be automatically recorded in government databases.”

“As drones have become an everyday tool for professional and personal use, authorities want to be sure they can identify who is flying near sensitive locations or in ways that raise serious concerns,” Brendan Schulman, DJI’s vice president for policy and legal affairs, said in a statement. “DJI AeroScope addresses that need for accountability with technology that is simple, reliable and affordable – and is available for deployment now.”

In a white paper released Thursday, drone company Department 13 picked apart DJI’s drone license plate system, arguing that “creating a system that conforms to the law, without creating new and worse problems, will be difficult.”

“Since license plates are readily visible to the public, it is implied that security concerns should be minimal. Similarly, the drone community, and DJI specifically, imply that distinct drone identification technologies should have minimal security and privacy concerns,” the paper states, noting that “tracking drone ID data and metadata opens the door for future exploitation” and “a potential for drone ID system hacking.”

“DJI’s actions are occurring in isolation, without DJI working with the community to address security concerns, or providing information about issues such as how the system works and how data is handled. Some of DJI’s approaches have clear security issues with no apparent remediation. Essentially, DJI is playing God with the community’s data, and disregarding the outcomes on the community. The community needs to be warned and should assemble a watchdog group to push back and assert transparency.”

The report charges that “a savvy engineer could reverse DJI’s implementation for malicious purposes to spoof Drone ID beacons.”

In a March white paper, DJI said that in “many discussions with policymakers and community members around the world, a theme has emerged about one way in which drones are different from many other technologies: the remoteness of the operator.”

“Unlike manned aircraft, automobiles, mobile telephones with cameras, and other imaging devices, drones are remotely operated. In many cases, particularly in jurisdictions limiting operations to visual line of sight, the operator is near the unmanned aircraft while in flight and it is not difficult to locate her. In some instances, she is not. In those instances, if the operator is actually doing something that everyone would readily agree is unlawful, there is an accountability challenge,” the paper continues. “Remote identification, properly and reasonably deployed, could significantly help to address that challenge. It might also provide a measure of social comfort to those who are unfamiliar with the technology and have anxieties about its use, founded or unfounded.”

Security agencies protecting sensitive locations, the report added, would benefit from a drone “identification regime” in that the information gleaned “can suggest a tactical response to approaching UAS that are not cooperating.”

“For these reasons, DJI supports the concept of remote identification. However, we urge that the development and implementation of such a mechanism be thoughtful, tailored to address and solve the actual challenge, and take into consideration other important interests.”

In August, the U.S. Army halted use of drones from the Chinese manufacturer over cyber vulnerability concerns. DJI responded by announcing development of a “local data mode” that “stops internet traffic to and from its flight control apps, in order to provide enhanced data privacy assurances for sensitive government and enterprise customers.”