According to an internal memo published by sUAS News, the U.S. Army is asking to terminate the use of all DJI products, including cameras and software, “due to increased awareness of cyber vulnerabilities associated with DJI products.” This unusual request leaves a lot of unanswered questions, such as the nature of the threats and the reason behind this global ban. What is really going on?
Who Is Concerned With the DJI Ban?
The U.S. Army bases its decision on two documents. The first one, titled “DJI UAS Technology Threat and User Vulnerabilities,” is a classified report delivered in May 2017 by the Army Research Laboratory.
The second document is a memorandum from the Navy called “Operational Risks with Regards to DJI Family of Products,” also dated May 2017.
It looks like the U.S. military forces are genuinely concerned about the risks associated with the use of DJI products. At this point, we do not know if the other military branches (Air Force, Navy, Marine Corps, and Coast Guard) are concerned with this DJI ban. However, since the U.S. Army memo makes an explicit reference to a similar U.S. Navy document, it is safe to assume that all the branches have already implemented similar restrictions. If not, they could quickly follow the Army policy.
Other sources have mentioned that the DJI ban was already effective at the U.S. Department of Energy and the Department of Interior. I was not able to verify this information, but if true, it looks like the use of DJI products is going to be restricted by many federal agencies dealing with sensitive matters.
What Does It Mean for Contractors and Photographers?
At this time, the U.S. Army memo seems to mention only the 300 airworthiness certificates, meaning internal U.S. Army personnel. The document states that “The Army Aviation Engineering Directorate has issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.”
Yet, if the ban is actually in place at other federal agencies, a question remains for contractors. Is it possible to perform a building inspection with a DJI drone for the Department of Energy or the U.S. Army as an external entity?
What Are the DJI Products Affected by This Ban?
Surprisingly, the ban affects the entire range of products from DJI, including hardware. “This guidance applies to all DJI UAS and any system that employs DJI electrical components or software including, but not limited to, flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, or devices with DJI software applications installed.”
Users are also invited to “uninstall all DJI applications” from their computers, cell phones, and tablets.
What Are the Threats?
Officially, the U.S. Army cites the “increased awareness of cyber vulnerabilities associated with DJI products” to justify the ban. So far it seems that no actual security breach or attack was committed via DJI products. Thus, this is a precautionary measure based on a potential vulnerability. But what type of vulnerability are we talking about?
Essentially, a drone is a moving aircraft carrying a camera and multiple sensors capable of giving away its accurate position by GPS and screening some of the radio frequency spectrum (2.4 GHz and 5.8 GHz bands). In other words, this is a perfect potential spying device capable of producing high-definition imagery and signal intelligence coupled with accurate pinpoint location. Since DJI drones record all the information in their internal memory (or via tablet and phone), this data can be retrieved by a hostile entity. Taken individually, a few images and GPS coordinates are not very useful. However, taken all together, this massive amount of data can help to draw a larger picture of strategic locations. Think about U.S. bases overseas. A drone flying over the area could give away the type of units present, the current level of activity indicating a military exercise, and the electromagnetic signature via background noise signal analysis (thus radar defense, communication type, etc.).
On top of that, most DJI products are used in conjunction with the DJI App on a smartphone. Thus, the App has access to the phone data and sensors (camera, microphone, local Wi-Fi network, contacts, etc.).
At This Point the Threat Can Be Linked to Two Entities:
- An intruder who would intercept the downlink signal from the drone and/or send new commands to override the regular link (and make the drone crash). This type of thing has already happened in the past to military drones. It was reported in 2009 that Iraqi insurgents used $26 off-the-shelf Russian software called SkyGrabber to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations. As with the Predator downlink at that time, the DJI drones' radio signals are not protected by encryption. Recently, a Russian company called CopterSafe offered to unlock no-fly zone limitations of DJI drones via firmware modification. DJI responded quickly and presumably fixed the vulnerability. The intrusion can also be done remotely via the Internet since the DJI Go app stores and uploads a lot of data to DJI’s servers. Any vulnerability in the DJI app or server can lead to a data leak. The latest Edward Snowden revelations described how the CIA was able to turn smartphones and TVs into remote surveillance devices. Essentially, a drone is just a flying computer ready to be hacked.
- Another possible threat could be linked to DJI and China. It is no secret that the U.S. and China have become strategic rivals since the fall of the U.S.S.R. Like many other countries, China is very active in the cyber warfare game and DJI could be seen as a vehicle for hostile intents (a Trojan horse for Chinese cyber-forces such as Unit 61398). Of course, there is no actual evidence that DJI is linked to the Chinese government or that it has any intention associated with cyber espionage. However, the Snowden leaks revealed the extent of U.S. intelligence influence in Silicon Valley. The NSA was able to tap freely into the servers of major companies such as Facebook, Apple or Google via the PRISM program. This backdoor data gathering was organized in a democratic country with a strong legal system. Therefore, we can understand that the U.S. federal agencies are concerned about the Chinese capacity to step into DJI territory. As Kevin Pomaski from sUAS News explains, the DJI user agreement clearly states that “The DJI Go App connects to servers hosted in the United States, China, and Hong Kong. Also, we may transfer your data from the U.S., China, and Hong Kong to other countries or regions in connection with storage and processing of data.” The document then says “your flight data might be monitored and provided to the governmental authorities according to local regulatory law.” Of course one can decide to opt out and disable some of the data collection features. However, this type of option is not certain and the user never really knows what keeps being transferred or not. Think about Cortana on Windows 10. It was supposed to be disabled and now is impossible to remove despite “personalization options.” As Pomaski notes: “There have been some public posts that DJI apps that are not being utilized are still collecting and sending information to its SSL servers. A more in depth review of these connections and what information is being collected will have to be made to determine exactly what is happening there.”
What Is DJI's Response?
According to an official statement published by The Verge, DJI was not aware of this Army ban:
We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues.
We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’. Until then, we ask everyone to refrain from undue speculation.
Back in the early 2010s, another Shenzhen-based company, Huawei, was under scrutiny by the U.S. authorities because of potential Chinese state influence on the communication hardware manufacturer that could pose a security threat to U.S. interests. Strong claims were made but no clear evidence was ever produced despite numerous hearings and official reviews. However, it is always hard to find the smoking gun in the blurred-line world of cyber-warfare and proxy espionage.
If the Army memorandum is true, it raises many questions. Of course, a drone flying in a military environment constitutes by nature a target of choice for any entity that would like to spy on U.S. military interests. Where there is a computer, there is a potential vulnerability.
That being said, why is this ban only directed at DJI? Why not ban all the other drone manufacturers such as Autel, Yuneec, and Walkera, to name a few? These drones are also made in China and don’t offer better protection or any data encryption to the best of my knowledge. And what about smartphones and tablets? The vast majority of these products are manufactured in China as well. As with drones, they are potential micro-spying devices filled with sensors, cameras, and microphones connected to the Internet. They are not exempt from vulnerabilities either. Perhaps the fact that most smartphones run on American-made software (Android, Apple) is appeasing the federal agencies (note: at a certain level of hierarchy, smartphones are also banned from sensitive meetings and high-level executives must use special phones approved by the U.S. security agencies).
Another question is related to the general nature of this ban. All DJI products, including hardware such as the DJI Ronin gimbal, are affected by this restriction. This gimbal doesn’t have any special sensors or connectivity features but it would be banned from any filmmaking project on U.S. Army premises.
The hardware ban seems to close the door to any open software solution. The U.S. Army only reports the issuance of 300 airworthiness certificates, which is not exactly a big market for DJI anyway, but the issue lies elsewhere. This kind of news is hurting DJI’s reputation. Some say that, as with Huawei a few years ago, the security reasons advanced to justify this ban are a way to protect the U.S. market. But with the fall of 3D Robotics, there are no major U.S. drone manufacturers anymore.
At this point there is nothing else to do other than wait for the next development on this story. However, if you are doing a lot of business with sensitive federal agencies, the choice of DJI products may become problematic in the future if this trend is confirmed.