DJI has released the summary of a report the drone manufacturer commissioned into its data security practices. The report, carried out by San Francisco-based Kivu Consulting, confirms that DJI users have control over how their data is collected, stored and transmitted.
The summary is available for download here.
It does not explicitly mention any of the concerns raised by researcher Kevin Finisterre last year. These issues – arguably the catalyst for the investigation – were presumably rectified before the investigation took place. Whether previous vulnerabilities should have been included and explored is open for debate.
Countering the ICE Memo
One point the report does address is the claim made in an ICE memo that DJI drones were able to collect and send facial recognition data even when systems were turned off.
The summary document, written by Kivu’s director of cybersecurity investigations Douglas Brush, confirmed that this wasn’t the case:
“Kivu also analyzed the drones to determine whether they use facial recognition features capable of identifying individuals. Certain DJI drones do have the ability to use features called FaceAware and Gesture Control that enable users to control the drone by moving their arms a certain way to which the drone is programmed to respond.
However, Kivu determined that the drones cannot identify individual faces or distinguish between them, and in fact do not utilize facial recognition software.”
How did the report take shape?
The report by Kivu Consulting analyzed drones and software independently obtained in the United States late last year.
It was based on an examination of DJI drones, mobile apps and servers as well as the data streams they transmit and receive. Kivu’s engineers looked at the code repositories for DJI’s mobile apps and tested whether DJI’s drones could transmit sensitive user data without connecting to the DJI app.
Kivu independently bought DJI drones as well as iOS and Android devices in the United States, and downloaded the DJI GO 4 mobile apps. Kivu set up systems to capture all data transmitted through iOS and Android devices running DJI GO 4, and reviewed source code, application data, server addresses, and data generated during operation.
Read more: Inside DJI’s Flawed Bug Bounty Program
In a statement, DJI said the company had no input into Kivu’s findings or conclusions. We don’t doubt that, but it will be hard to verify the full extent to which the company has addressed its data security issues without seeing the full report, rather than just the summary.
Either way, DJI says the findings show what they have been saying all along: That DJI “did not access photos, videos or flight logs generated by the drones unless drone operators voluntarily chose to share them.”
“This is the first time DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” said Michael Perry, DJI managing director of North America.
“This comprehensive report clearly debunks unsubstantiated rumors about our products and assures our customers that they can continue flying DJI drones with confidence.”
Read more: DJI’s Michael Perry Talks Data Security With Commercial Drones FM
Some key points from Douglas Brush, Kivu’s Director, Cyber Security Investigations, include:
- “Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store, and transmit”.
- “For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server. For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”
Concluding the report summary, Brush notes that there were further vulnerabilities that were discovered and addressed as part of the investigation:
“As part of its analysis, Kivu performed industry-standard data security audits and vulnerability scans on the GO 4 application and the AWS servers to identify any known software vulnerabilities. Kivu routinely performs such audits and scans for its customers, and it is common to find some potential vulnerabilities, particularly the first time the audits and scans are performed for a particular company.
“In DJI’s case, Kivu identified certain potential vulnerabilities and immediately notified DJI, providing a full report and a prioritized list of potential vulnerabilities for immediate remediation and recommended steps for remediating them. Kivu worked with DJI to complete the recommended steps and then validated the remediation.”