A leaked memo from the office of the Deputy Chief of Staff at the Pentagon includes directions that US Army units are to stop using drones made by Dà-Jiāng Innovations Science and Technology Co, the Chinese global leader in commercial drone technology that trades as DJI.
According to the Pentagon memo, the US Army Research Laboratory (ARL) and the US Navy have concluded that the drones and the associated software could pose an operational risk, and that US Army users should “cease all use, uninstall all DJI applications, remove all batteries & storage media from devices, and secure equipment” and await further instructions.
DJI’s range of commercial drones is popular amongst businesses, hobbyists and governments for providing a lot of capability and flexibility at a low cost, in a relatively reliable package. As a commercial off-the-shelf (COTS) package, they are widely available, easy to get hold of and fly, and capable of a great deal; as a world leader in drones, DJI owns a large chunk of the professional and commercial drone market.
Security concerns around drones aren’t new. Even within the US government there have been many problems securing larger US drones, famously with hackers being able to intercept video footage from battlefield drones. More recently, with the proliferation of small commercial drones, unease and concern about the use of Chinese and other foreign-made devices for sensitive tasks has grown.
In 2013 the Defense Advanced Research Projects Agency (DARPA) started to work on software that was intended to be resistant to cyber-attacks and interference with the control and navigation systems of its larger combat UAS. DARPA program manager Kathleen Fisher explained, “The software is designed to make sure a hacker cannot take over control of a UAS. The software is mathematically proven to be invulnerable to large classes of attack”.
When it comes to COTS drones, the threats and concerns are different, and the flight and management software is generally provided by the vendor and produced with a very different set of priorities in mind.
Those concerns started to crystallise last month when it was reported that commercial drone operators using non-US-produced drones were being told that they couldn’t carry out work for US government agencies. The US Army following suit, and at the very least suspending the use of DJI’s products, is then a lot less surprising.
The reasons behind the Pentagon directive and the reports of non-US equipment being spurned by the government aren’t that clear. We haven’t seen detailed reasoning and, if it comes from the US intelligence community, it may well be some time before we do. However, there are some obvious concerns that might offer some guidance.
The first and most obvious issue around the commercial DJI drones relates to the recording of flight data, including recorded audio, visual and telemetry data, via DJI’s software. DJI’s ‘Go’ software, usually installed on a tablet or similar device, allows an operator to manage a huge number of aspects of the drone’s flight profile, sensors and media collection. It is an important part of the drone as a package.
The collection of such data is likely to be a concern to the US government, especially if flights are carried out at sensitive sites or for sensitive purposes. We aren’t necessarily talking about battlefield operations, though (the US’s armed drones and combat drones have far stricter procurement conditions applied to them), but sensitive buildings and facilities across the US and abroad.
What will be even more concerning is that, by default, DJI’s Go application shares some of that data with the manufacturer, sending data to servers around the world. Users do have an option to turn this feature off, but failing to do so would mean that flight data from flights around US installations could end up in China.
By default, it seems that data about where the drone was flown, including GPS coordinates, altitude and speed, low-quality video, and audio recorded by the phone or tablet running the software or by the drone’s sensors, is shared too.
The combination of that data could be incredibly useful to DJI for improving its products, identifying failures, learning how users employ their devices and monitoring the use of their products. It’s also useful for drone operators, especially if they want to review their flights or assess issues or accidents. But obviously it would also be very useful to a foreign government with less benevolent intent, and so it represents a security risk.
On that basis, the US Army’s decision seems reasonable, especially if there is a period of review leading to procedures that will allow any risk to be mitigated. In their response, DJI themselves seemed keen to find a way to reduce the perceived operational risk. A spokesperson for the company said:
“We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organisation, including the US Army, that has concerns about our management of cyber issues. We’ll be reaching out to the US Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities.’”