A memo – reportedly an official release from the US Army – has been handed to sUAS News. The subject? Halting the use of DJI technology due to ‘Cyber vulnerabilities’.
The text of the document reads:
MEMORANDUM FOR RECORD
2 August 2017
SUBJECT: Discontinue Use of Dajiang Innovation (DJI) Corporation Unmanned Aircraft Systems
a. Army Research Laboratory (ARL) report, “DJI UAS Technology Threat and User Vulnerabilities,” dated 25 May 2017 (Classified).
b. Navy memorandum, “Operational Risks with Regards to DJI Family of Products,” dated 24 May 2017.
2. Background: DJI Unmanned Aircraft Systems (UAS) products are the most widely used non-program of record commercial off-the-shelf UAS employed by the Army. The Army Aviation Engineering Directorate has issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets. Due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the U.S. Army halt the use of all DJI products. This guidance applies to all DJI UAS and any system that employs DJI electrical components or software including, but not limited to, flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, or devices with DJI software applications installed.
3. Direction: Cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.
What is Meant by ‘Cyber Vulnerabilities’?
The document, which has been verified by Reuters, alludes to ‘Cyber vulnerabilities’ but doesn’t get any more specific than that. In recent weeks and months there have been concerns over how much data the Chinese manufacturer gathers, although DroneLife was told last month by DJI’s Brendan Schulman that:
“As part of DJI’s commitment to customer data and privacy, we want to emphasize that we do not collect any personal data or information from or about a user, except what the user chooses to manually upload and share with us. The same holds true for flight data, including any photos or videos taken during flight.”
The concern seems to lie in the ability to collect that data, which is clearly separate from the act of actually doing it. While there doesn’t seem to be any evidence of the manufacturer actively collecting data that isn’t willingly shared, the fear appears to be that the possibility exists, particularly when DJI is approached to share information by governments and law enforcement agencies.
There are also more obvious security flaws in DJI’s software, which have allowed a growing number of hackers to bypass no-fly zones and altitude limits. The company has been releasing firmware updates in an effort to stop this, although there are doubts over how effective those moves have been so far.
Is There Proof?
Speaking to AirSpaceMag, Kevin Finisterre, Senior Software Security Engineer at Department 13, pointed out that there isn’t yet any evidence of DJI’s wrongdoing, despite all of the speculation.
“Even though I tend to be one of the more vocal folks against DJI, I have to caution folks on some of the lines of commentary here, as none of them have been ‘technically’ proven. I get the ‘allowing them to build a massive infrastructure database of this country’ line of chatter, but I have yet to see any factual basis for it.”
In a statement, DJI responded to the news with surprise and confusion:
“People, businesses and governments around the world rely on DJI’s products and technology for a variety of uses including sensitive and mission critical operations. The Department of the Army memo even reports that they have ‘issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.’
We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues.
We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’.
Until then, we ask everyone to refrain from undue speculation.”
It’s too soon to say whether or not this memo reflects official Pentagon policy, whether concerns over cyber security are justified or whether this is simply a protectionist move based more on political sentiment than evidence.
If it turns out to be true, the decision from the US Army has obvious parallels with the American ban on Huawei, a Chinese communications provider which has been stopped from selling products in the US due to cyber security concerns.
We’ve got in touch with the Pentagon for clarification and will update this article if and when we receive it.