Chinese drone maker DJI Technology has been working on enhanced data security measures for some time now, but admits that news that the U.S. Army ordered its members to stop using DJI drones earlier this month led to a quicker release of an update designed to address possible concerns about “cyber vulnerabilities” related to its products.
The Shenzhen-based company announced last week that it is speeding deployment of a system that allows users to disconnect from the internet during flights to prevent flight logs, photos or videos from reaching DJI’s computer servers.
DJI Technology’s Corporate Communication Director, North America, Adam Lisberg said the “local data mode” security measure has been in the works for several months, but the company sped up the process because of an Army memo earlier this month that barred service members from using DJI drones. Inside Unmanned Systems initially reported on the memo leak on August 11.
The memo does not indicate specific security concerns and Lisberg states that DJI has not been able to get the Army to respond to its requests for additional information. Even so, the local data mode measure was determined to be something the company felt was needed available as soon as possible.
“The Army said there are cyber vulnerabilities, but they won’t say what they are,” Lisberg said. “We’ve made formal and informal requests trying to find out what they are (but) they won’t say.”
An official Army spokesperson had this to say on the matter: “The Army reviews all technology to assess potential security concerns. Regardless of the manufacturer, all technology products are examined to assure they meet cyber security standards. Commercial industry product improvements enhancing security and mitigating vulnerabilities are always welcomed and encouraged. Individual products are always assessed on their own merits with appropriate consideration of comparative operational benefits weighed against cost and risk. We are not able to comment on whether we will continue to use DJI drones.”
Once word first spread of the Army’s plan to ban DJI products, some customers obviously had concerns, Lisberg said, but it was tough for DJI to address them without really knowing why the Army took its stand. DJI is known to be the world’s largest consumer drone maker, and other branches of the U.S. military have not banned the use of their drones.
“So, we’re sort of in a box. Suddenly people got spooked … (thinking) ‘well if the Army found something wrong with it then why should we trust it?’ ” Lisberg said. “We can’t fight back when we don’t know what their objection is. So that’s the box we’ve been in since then and we realized that since we weren’t getting any real answers from the Army one of things we could do to try and rebuild some of that trust is to accelerate the development of the local data mode.”
The idea is if DJI users are concerned about their data leaving their control, or ending up somewhere else, Lisberg explained, the best way to guarantee that doesn’t happen is to make sure their drone (or the app which is operating the flights) doesn’t send any data out. Disconnecting the link between the internet and DJI’s controller apps that run on tablets and mobile phones will disable updates of maps, flight restrictions and other data that the controller application receives from the internet while the drone is in use, the company said.
“So, if you go into a full data silent mode you use that sort of functionality and that’s one of the things we’re working on,” he said, adding that these programs are an ongoing part of DJI’s security development cycle, and that other data security initiatives are currently in the works.
The company says some drone pilots choose to share images and video with DJI, which makes them visible on its SkyPixel website. However, many businesses and government customers have raised concerns about sensitive video and pictures – such as movie/television footage or images of critical infrastructure – and want to ensure it is never sent to DJI.
“Absolutely, we take their concerns seriously,” Lisberg said, when asked about users who are concerned their sensitive data may be unwillingly shared.
The company stated it does not collect images, video or flight logs from its users unless they share them, and that turning on the new “local data mode” will prevent accidental synching with DJI’s servers. Its drones do not rely on an internet connection to fly.
Former Air Force intelligence chief and current CEO of ISR Ideas, retired Major General Jim Poss, seems skeptical that this latest measure will make all users confident that their data remains secure. When news first broke of the Army’s concerns with DJI drones, Poss said there are always policy concerns to consider whenever you’re dealing with foreign systems and the ever-present risk of cyber vulnerabilities with a complex system like a drone.
Even after the company announced its local data mode capabilities, Poss noted that security concerns will always exist and that this latest measure should not be considered a solution for any-and-all possible security problems.
“It’s Cyber Warfare 101 – in cyber defense we always talk about the attack surface of a target,” Poss explained. “The attack surface is the number of ways and methods a hostile hacker can use to influence a cyber system to do what they want it to do. For example, to give information or change the way a drone is flying.”
Foreign unmanned aerial systems (UAS) like DJI drones introduce many more cyber-attack surfaces than can be fixed by what DJI proposes — merely having the user select where their data is going — he said.
“That’s apparently DJI’s response to the Army’s cyber concerns – if users don’t want your data to go to China then they can turn that option off in the user interface,” said Poss, who added that there are many more attack surfaces that drone users have to worry about than just the user interface.
Cyber-attack surfaces start at the hardware level, he explained, and a routine attack technique is to build vulnerabilities into the integrated circuits themselves.
“If you have foreign made chips in your drone, they could have built in backdoors that only very sophisticated detection devices can find,” Poss said. “For example, you may think a chip is just providing flight control, but secretly it’s also storing all your flight history and dumping it the next time you connect your drone to the internet.”
According to Poss, the next attack surface to consider is the firmware because most chips don’t know what they’re supposed to do until the firmware tells them what to do. For example, firmware can turn a chip from being a radio transmitter to being a GPS receiver in the “blink of an eye.”
“Legitimate firmware would load onto a programmable chip and make the chip provide flight control functions to only the owner. Doctored firmware would tell the chip to provide flight control to the owner AND a hostile hacker,” he explained.
Poss, who emphasized that he is not accusing DJI of any wrongdoing whatsoever, said software is another big area of concern as “hackers can write all kinds of illicit activity into software. To the owner, that innocent software patch just improves camera resolution. They never know that hackers (possibly) wrote a routine that sends every 30th picture to their illicit server – along with the GPS coordinates.”
So, while the update may address some security issues and may put some users’ minds at ease, Poss makes it clear that drones and their data can be attacked in a variety of manners.
“I’m not saying DJI is doing any of this stuff and I want to make that very clear,” he said. “I’m just talking about in theory the types of attack surfaces that a complex system like a DJI drone has. Any system with integrated circuits has a number of attack surfaces that can’t be fixed by just changing the user interface. We’ve been worrying about computer security for decades. Drones are an even greater security threat than computers because they have all the security vulnerabilities of a computer, plus they can fly, always know where they are and have high resolution cameras. Add all those separate concerns up and … yeah there’s a bunch of vulnerabilities that just changing the user interface won’t address.”
“Shoot – if I were a hacker, I’d make you think you turned off data forwarding when you actually turned it on. How would an average user know?”
Lisberg stated security is always in the forefront at DJI and that as enterprise users constantly come up with new uses for its products, improved measures to address security are always in the works. He added that DJI users who have completed missions in local data mode have total control of their data from there, and can delete flight logs and any copies of the images that are stored in the app. In “extreme cases”, he added, some users will even wipe their phones clean after missions as there are a lot of different steps that people can take “if they feel the need to go to that type of extremes.”
Additionally, DJI proposed an electronic identification framework for small drones last March. The remote identifier would provide accountability while protecting drone operator privacy. More details on this proposal can be found at < https://www.dji.com/newsroom/news/dji-proposes-electronic-identification-framework-for-small-drones>.