According to an internal memo published by sUAS News, the U.S. Army is asking to terminate the use of all DJI products, including cameras and software, “due to increased awareness of cyber vulnerabilities associated with DJI products.” This unusual request leaves many questions unanswered, such as the nature of the threats and the reasons behind such a blanket ban. What is really going on?
Who Is Concerned With the DJI Ban?
The U.S. Army bases its decision on two documents. The first, titled “DJI UAS Technology Threat and User Vulnerabilities,” is a classified report delivered in May 2017 by the Army Research Laboratory.
The second is a Navy memorandum called “Operational Risks with Regards to DJI Family of Products,” also dated May 2017.
It looks like the U.S. military is genuinely concerned about the risks associated with the use of DJI products. At this point, we do not know whether the other branches (Air Force, Navy, Marine Corps, and Coast Guard) are covered by this DJI ban. However, since the U.S. Army memo explicitly references a similar U.S. Navy document, it is safe to assume that all the branches have already implemented similar restrictions. If not, they could quickly follow the Army policy.
Other sources have mentioned that the DJI ban was already in effect at the U.S. Department of Energy and the Department of the Interior. I was not able to verify this information, but if true, it looks like the use of DJI products is going to be restricted by many federal agencies dealing with sensitive matters.
What Does It Mean for Contractors and Photographers?
At this time, the U.S. Army memo seems to mention only the 300 airworthiness certificates, meaning internal U.S. Army personnel. The document states that “The Army Aviation Engineering Directorate has issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.”
Yet, if the ban is actually in place at other federal agencies, a question remains for contractors. Is it possible for an external entity to perform a building inspection with a DJI drone for the Department of Energy or the U.S. Army?
What Are the DJI Products Affected by This Ban?
Surprisingly, the ban affects the entire range of products from DJI, including hardware. “This guidance applies to all DJI UAS and any system that employs DJI electrical components or software including, but not limited to, flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, or devices with DJI software applications installed.”
The users are also invited to “uninstall all DJI applications” from their computers, cell phones, and tablets.
What Are the Threats?
Officially, the U.S. Army invokes the “increased awareness of cyber vulnerabilities associated with DJI products” to justify the ban. So far it seems that no actual security breach or attack has been committed via DJI products. Thus, this is a precautionary measure based on a potential vulnerability. But what type of vulnerability are we talking about?
Essentially, a drone is a moving aircraft carrying a camera and multiple sensors, capable of reporting its precise GPS position and of scanning parts of the radio-frequency spectrum (the 2.4 GHz and 5.8 GHz bands). In other words, it is a perfect potential spying device, capable of producing high-definition imagery and signals intelligence coupled with accurate pinpoint location. Since DJI drones record all this information in their internal memory (or via the tablet or phone), the data can be retrieved by a hostile entity. Taken individually, a few images and GPS coordinates are not very useful. Taken together, however, this large volume of data can help draw a larger picture of strategic locations. Think about U.S. bases overseas. A drone flying over the area could give away the type of units present, the current level of activity (indicating a military exercise), and the electromagnetic signature via analysis of background signal noise (and thus radar defenses, communication types, etc.).
On top of that, most DJI products are used in conjunction with the DJI App on a smartphone. Thus, the App has access to the phone data and sensors (camera, microphone, local Wi-Fi network, contacts, etc.).
At This Point the Threat Can Be Linked to Two Entities:
- An intruder who would intercept the downlink signal from the drone and/or send new commands to override the regular link (and make the drone crash). This type of thing has already happened to military drones. It was reported in 2009 that Iraqi insurgents used $26 off-the-shelf Russian software called SkyGrabber to intercept live video feeds from U.S. Predator drones, potentially providing them with the information they needed to evade or monitor U.S. military operations. Like the Predator downlink at that time, DJI drones’ radio signals are not protected by encryption. Recently, a Russian company called CopterSafe offered to unlock the no-fly zone limitations of DJI drones via firmware modification. DJI responded quickly and presumably fixed the vulnerability. The intrusion can also be done remotely via the Internet, since the DJI Go app stores and uploads a lot of data to DJI’s servers. Any vulnerability in the DJI app or server can lead to a data leak. The latest Edward Snowden revelations described how the CIA was able to turn smartphones and TVs into remote surveillance devices. Essentially, a drone is just a flying computer ready to be hacked.
- Another possible threat could be linked to DJI and China. It is no secret that the U.S. and China have become strategic rivals since the fall of the U.S.S.R. Like many other countries, China is very active in the cyber-warfare game, and DJI could be seen as a vehicle for hostile intent (a Trojan horse for Chinese cyber forces such as Unit 61398). Of course, there is no actual evidence that DJI is linked to the Chinese government or that it has any intention of cyber espionage. However, the Snowden leaks revealed the extent of U.S. intelligence influence in Silicon Valley. The NSA was able to tap freely into the servers of major companies such as Facebook, Apple, or Google via the PRISM program. This backdoor data gathering was organized in a democratic country with a strong legal system. It is therefore understandable that U.S. federal agencies are concerned about the Chinese capacity to step into DJI’s territory. As Kevin Pomaski from sUAS News explains, the DJI user agreement clearly states that “The DJI Go App connects to servers hosted in the United States, China, and Hong Kong. Also, we may transfer your data from the U.S., China, and Hong Kong to other countries or regions in connection with storage and processing of data.” The document then says “your flight data might be monitored and provided to the governmental authorities according to local regulatory law.” Of course, one can decide to opt out and disable some of the data collection features. However, this type of option offers no certainty, and the user never really knows what is still being transferred. Think about Cortana on Windows 10: it could supposedly be disabled and is now impossible to remove despite the “personalization options.” As Pomaski notes: “There have been some public posts that DJI apps that are not being utilized are still collecting and sending information to its SSL servers. A more in depth review of these connections and what information is being collected will have to be made to determine exactly what is happening there.”
What Is DJI's Response?
According to an official statement published by The Verge, DJI was not aware of this Army ban:
We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues.
We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’. Until then, we ask everyone to refrain from undue speculation.
Conclusion
Back in the early 2010s, another Shenzhen-based company, Huawei, was under scrutiny by the U.S. authorities because potential Chinese state influence on the communication hardware manufacturer could pose a security threat to U.S. interests. Strong claims were made, but no clear evidence was ever produced despite numerous hearings and official reviews. However, it is always hard to find the smoking gun in the blurred-line world of cyber warfare and proxy espionage.
If the Army memorandum is genuine, it raises many questions. Of course, a drone flying in a military environment is by nature a target of choice for any entity that would like to spy on U.S. military interests. Where there is a computer, there is a potential vulnerability.
That being said, why is this ban directed only at DJI? Why not ban all the other drone manufacturers such as Autel, Yuneec, and Walkera, to name a few? These drones are also made in China and, to the best of my knowledge, offer neither better protection nor any data encryption. And what about smartphones and tablets? The vast majority of these products are manufactured in China as well. Like drones, they are potential micro-spying devices filled with sensors, cameras, and microphones connected to the Internet. They are not exempt from vulnerabilities either. Perhaps the fact that most smartphones run on American-made software (Android, Apple) reassures the federal agencies (note: at a certain level of the hierarchy, smartphones are also banned from sensitive meetings, and high-level executives must use special phones approved by the U.S. security agencies).
Another question is related to the general nature of this ban. All DJI products including hardware such as DJI Ronin gimbal are affected by this restriction. This gimbal doesn’t have any special sensors or connectivity features but it would be banned from any filmmaking project on U.S. Army premises.
The hardware ban seems to close the door to any open-software solution. The U.S. Army reports only the issuance of 300 airworthiness certificates, which is not exactly a big market for DJI anyway, but the issue lies elsewhere. This kind of news hurts DJI’s reputation. Some say that, as with Huawei a few years ago, the security reasons advanced to justify this ban are a way to protect the U.S. market. But with the fall of 3D Robotics, there are no major U.S. drone manufacturers anymore.
At this point there is nothing to do but wait for the next development in this story. However, if you do a lot of business with sensitive federal agencies, the choice of DJI products may become problematic in the future if this trend is confirmed.
The Army is setting out to stop the commercial off-the-shelf (COTS) usage by Army personnel in their official functions. The Army has allowed for the purchase of 300+ COTS/DJI solutions, because the Army (actually the DOD) does not have a JCIDS approved program to support the operational/capability requirements. Security threats have been identified in the software, making them vulnerable during some of their uses (in particular overseas).
This has no effect on individual Soldiers buying drones and flying either on base or off base (on base per garrison command policies).
Thanks for the information. As usual the procurement dept was (had to be) ahead of the standard solution defined by a joint dev/tech committee. Obviously the security issue would come from the software but why ban the hardware as well? (assuming the DJI comes up with an open source platform).
Following this logic, the DOD would have to ban all foreign made drone/software. Of course individual personnel off duty and off site can still enjoy their Phantom ;)
Then what about the National Guard for a state of emergency situation? I totally understand the DOD reasons behind this ban but I'm a little bit confused with the implementation. Obviously I must be missing some part of the story.
Based on previous security breaches during equipment procurements:
http://www.zdnet.com/article/cisco-partners-sell-fake-routers-to-us-mili...
http://security.blogs.cnn.com/2012/11/08/fake-tech-gear-has-infiltrated-...
I think the greatest concern is the potential for hardware vulnerabilities. While DJI has become somewhat “westernized” in appearance, at the end of the day, they are still a technology company headquartered in a foreign nation under the control of an adversarial communist regime.
It is interesting that this specifically targets DJI and not other Chinese manufacturers. Although, the Army has a habit of targeting the “greatest offender” and later applying it to others. This could indicate that no one other than DJI has been approved as a COTS solution.
State and local first responders will probably continue to be able to purchase the products, but since the National Guard uses the same procurement system as the Active Component, they won’t be able to purchase or utilize them from DOD funding for DOD activities. In other words, they can buy them for use with state funds in response to state activities, but they will never be taken forward into the “fight”.
My biggest qualm about the policy is that it applies to all DOD activities, even those that aren’t inherently sensitive. For instance, public affairs officers taking aerial photography of a morale building event such as an installation wide run, or change of command ceremonies. The alternatives for achieving such a shot are prohibitively expensive & dangerous in comparison to using a P4Pro or an Inspire. So it doesn’t necessarily make sense in these instances.
Absolutely, actually the Senate wrote a report in 2012 about some suspicious hardware that could be part of major defense programs (THAAD, P-8A, C-27J & C-130J, etc.). In this case it was counterfeit products from China but what about legit parts from China?
The truth is that the world has become dependent upon Chinese hardware and lost its industrial sovereignty in many areas. ITAR is good to protect US technology but on the other side, when you accept being supplied with critical components by a potential rival, that type of thing can happen.
I think EVERY Chinese hardware or software is calling home. Not only from US.
China is banning VPN at home, but what about VPN software made by Chinese owned companies or Chinese silent partners and distributed around the globe?
Not different to Russia and US!
Over on slashdot a user has detailed how cheap Chinese quadcopters that use smartphone controllers are waking up WiFi while charging overnight and phoning home to China.
https://mobile.slashdot.org/story/17/08/07/0221228/ask-slashdot-are-my-d...
While DJI isn't mentioned specifically it is pretty easy to see how this potential vulnerability is unacceptable for the military.
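The recurring worry on this page, in the article's own discussion of DJI Go data collection and in the Slashdot report above of quadcopter controllers waking Wi-Fi overnight to phone home, is that the owner of a consumer device cannot see what it transmits. The defender's answer is to watch egress at the network edge rather than trust the app's settings. The script below is an added example, not code from the original post, from sUAS News or from any vendor: it parses constructed firewall log lines in a hypothetical `src=... dst=... dport=...` format, and for a device tagged as a drone controller it flags every outbound connection to a destination outside that device's allow-list, additionally marking connections made in a quiet window when the device should be idle on its charger. The log format, the device addresses and the allow-list are all assumptions for the example.

```python
"""Flag unexpected outbound ("phone-home") traffic from watched consumer devices.

Added example (hypothetical log format, addresses and device names): parses
firewall-style connection lines, then reports connections from a watched
device to destinations not on its allow-list, noting those that happen in a
quiet window (e.g. overnight while charging) when the device should be idle.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress
import re

# Constructed sample log lines (not a real capture); RFC 5737 test addresses
# stand in for external servers.
SAMPLE_LOG = """\
2017-08-07T02:14:03 OUT src=192.168.1.42 dst=203.0.113.10 dport=443 proto=tcp
2017-08-07T02:14:05 OUT src=192.168.1.42 dst=203.0.113.10 dport=443 proto=tcp
2017-08-07T09:30:11 OUT src=192.168.1.42 dst=192.168.1.1 dport=53 proto=udp
2017-08-07T12:05:44 OUT src=192.168.1.77 dst=198.51.100.5 dport=443 proto=tcp
2017-08-07T23:58:59 OUT src=192.168.1.42 dst=198.51.100.77 dport=8080 proto=tcp
2017-08-07T03:00:00 OUT src=192.168.1.42 dst=192.168.1.1 dport=123 proto=udp
"""

# Hypothetical line layout: timestamp, direction, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text):
    """Parse log text into Conn records; malformed lines are skipped, not fatal."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                          int(m["dport"]), m["proto"]))
    return conns


# Devices under watch: IP -> (label, allowed destination networks).
# Only the local LAN (router DNS/NTP) is allowed; any other destination is a finding.
WATCHED = {
    "192.168.1.42": ("drone-controller-tablet", {ipaddress.ip_network("192.168.1.0/24")}),
}

# Quiet window: the controller sits on its charger and should not talk to anyone.
QUIET_START, QUIET_END = time(0, 0), time(6, 0)


def in_quiet_window(ts):
    return QUIET_START <= ts.time() < QUIET_END


def find_phone_home(conns, watched=WATCHED):
    """Return (timestamp, device label, dst, dport, reasons) for each suspicious connection."""
    findings = []
    for c in conns:
        if c.src not in watched:
            continue  # not a device we care about
        label, allowed = watched[c.src]
        dst = ipaddress.ip_address(c.dst)
        if any(dst in net for net in allowed):
            continue  # local infrastructure traffic is expected
        reasons = ["destination not on allow-list"]
        if in_quiet_window(c.ts):
            reasons.append("during quiet window")
        findings.append((c.ts.isoformat(), label, c.dst, c.dport, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_phone_home(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed log this yields three findings for the controller tablet: two overnight TLS connections to an external host, flagged with the quiet-window reason, and one late-evening connection on port 8080 flagged on the allow-list alone; the other watched-device lines go to the router and the unwatched host is ignored. The same approach scales to a real router or firewall export by swapping the regex and the device inventory, and the allow-list is deliberately a network set so that a vendor's documented update servers can be added once they are known rather than guessed.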
<<why is this ban only directed at DJI? Why not ban all the other drone manufacturers such as Autel, Yuneec, and Walkera to name a few? These drones are also made in China and don’t offer better protection or any data encryption to the best of my knowledge. >>
_To the best of your knowledge_ should be your clue.
None of the manufacturers have tools to prevent hacking, but Autel, Yuneec, and Walkera don't force data to go to a server in central China, and Autel, Yuneec, and Walkera don't access user data. Users control their own data. In the case of Yuneec, their products have the tablet built into their transmitter. If it's powered down, it cannot send data. The applications installed on the tablet don't phone home, as it doesn't have LTE, and if the device is connected to the aircraft wifi, it cannot access external wifi at the same time. Connecting to a network requires informed effort on the part of the user.
Not all drones behave like DJI.
Yes. As I said there are two types of vulnerability. 1) the direct radio link interception, 2) the remote data collection or breach via internet. Obviously DJI is more concerned by point number 2 but all drones' up/downlinks can be compromised. Anyone with a ground station and high gain antenna can pick up the signal from miles away.
Actually the Voyager 4 from Walkera has a 4G LTE network option. Walkera drones also work via an app. All this means potential vulnerabilities.
I'll say it again. "Not all drones function like DJI."
In the case of Yuneec, there is no LTE, and the Android tablet does not require connection to the internet. Connecting to the internet requires user intervention, and requires the user disconnect the aircraft from the controller, meaning the aircraft is grounded.
Logs are stored on the aircraft on a microSD card that can only be accessed via USB, and localized connection. The local connection does not require internet connection; Yuneec provides a service application (free download) that does not use the internet (because it's local). The transmitter "can" be connected to the internet, but no application phones home.
DJI knew what they were doing, this has been known in the industry for more than a year.
My company services DJI, Yuneec, and Autel products (and the junk e-hang too). We are well aware of who is doing what. Yuneec, Autel, e-hang also weren't funded by/partnered with the PRC as DJI is.
Where are the Army internal memos when you really need them? When Hillary gave the Russians our uranium, or when the Army 'lost track of $1bn worth of arms'. I'm sure a ban on one drone manufacturer will send a message but at the cost of what? Heck, everywhere you go you're being watched, even in your living room. Where is the ban on TVs with smart logic and cameras....you know they are watching ...you just don't know who they is.
Here's my take and I'm probably wrong but; DJI is from China. Last time I looked China was communist which means no private business. While this hasn't been totally pursued with gusto, China has the mandate to legally involve themselves in a local company even more so than the NSA/CIA with backdoors in tech companies. DJI has servers in China which receive all of the Go app's info, which would include DJI products used by the US armed forces. Probably not a good idea on their part to send location and other info of drones used by the military to servers in China where the Gov can get their hands on the info.
Also periodically DJI issues firmware updates. Nothing to stop the Chinese government embedding all sorts of things in there. The mind boggles. In fact it is very surprising the Pentagon would allow the use of consumer electronics made in China by a company based in China and subject to Chinese government interference (remember Huawei?) If Huawei is a security risk then why not DJI at the time?
The Chinese would have to be rather naïve not to have embedded STUXNET type worms in a whole host of devices. And the US would be naïve to believe they hadn't.