Naked Security

Drone firm says it’s stepping up security after US army ban

Two weeks ago, the US Army told its troops that using drones from DJI – maker of the world’s best-selling drones – was henceforth verboten, given unspecified vulnerabilities discovered by its research lab and the US Navy.

While the army was keeping mum about those vulnerabilities, others haven’t been so circumspect. Rather, they’ve been talking for months about sensitive information having the potential to be scattered in the tailwinds.

In May, Kevin Pomaski, a chief pilot for one of the largest commercial unmanned aerial system (UAS) service providers in the US, wrote an article about highly sensitive information that can be revealed in conversations between UAS pilots and their clients: details that he said can include infrastructure, stadiums, military installations, construction sites, details about security, details about the drone itself, details about the drone operator, and more.

This sensitive data is vulnerable to interception, he said:

Critical infrastructure access and layouts are being captured every day. This information may be accessed by foreign actors that mean to harm the countries that these locations are in. The complete data record can be cataloged by pilot, region or location and a full report of the layout, security response, names of people will be revealed. Corporate espionage agents would love to have visual and audio details of that new system being captured by the drone in any industrial field of pursuit.

More recently, rumors have been flying about operators being told not to show up for work at US government agencies unless they bring American-made drones with them. According to sUAS News, the unspecified government agencies allegedly have security concerns about data being shared unwittingly.

If the allegations are true, it adds up to a ban on the Chinese-made DJI equipment. DJI is, after all, a Chinese company, governed by Chinese law, as Pomaski pointed out.

He dissected the privacy policy of DJI’s Go app and came up with a number of issues around sensitive data. For example, this passage from the privacy policy notes that personal information could be transferred to offshore servers:

The DJI Go App connects to servers hosted in the United States, China, and Hong Kong. If you choose to use the DJI Go App from the European Union or other regions of the world, then please note that you may be transferring your personal information outside of those regions for storage and processing. Also, we may transfer your data from the US, China, and Hong Kong to other countries or regions in connection with storage and processing of data, fulfilling your requests, and providing the services associated with the DJI Go App. By providing any information, including personal information, on or through the DJI Go App, you consent to such transfer, storage, and processing.

Now, two months after the army banned DJI drones, DJI has responded by adding a privacy mode to its equipment to prevent flight data from being shared to the internet.

On Monday, DJI announced that it’s adding a local data mode that stops internet traffic to and from its flight control apps “in order to provide enhanced data privacy assurances for sensitive government and enterprise customers”.

The company says the privacy mode had been in the works for months, before the army ban. The new privacy mode, due out in future app versions expected in the coming weeks, entails a tradeoff: blocking all internet data means that DJI apps won’t…

On the plus side:

[Local data mode] will provide an enhanced level of data assurance for sensitive flights, such as those involving critical infrastructure, commercial trade secrets, governmental functions or other similar operations.

The army memo had told troops to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”

However, the army has reportedly walked that ban back a bit, sUAS News reported on Monday. A second memo had reportedly gone out at the end of last week, to the effect that the army will grant exceptions to the ban once a DJI plugin has passed OPSEC (Operational Security) scrutiny.