Last week, the U.S. Army issued a memorandum discontinuing the use of DJI drone products due to cybersecurity concerns. The memorandum said, “Due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the U.S. Army halt use of all DJI products. This guidance applies to all DJI UAS and any system that employs DJI electrical components or software including, but not limited to, flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, or devices with DJI software applications installed.” It wasn’t long before this ban that the U.S. banned the use of closed circuit television (CCTV) cameras on critical infrastructure if the CCTV was manufactured in China.
DJI drones, especially with the launch of the Spark, can take off and land almost autonomously in your hand. They are easy to fly right out of the box, which is perhaps why they are the most popular drone on the shelf right now. But what happens with the drone’s flight log information, GPS positioning data, aerial sensor captured data and the data collected within coinciding apps on your device? Most of this data gets transmitted back to DJI’s servers. Specifically, DJI syncs your flight logs and images to their servers, and caches data from your app when offline and then re-syncs the data to their servers when online, including audio and video data. While these practices are mentioned in the DJI drone manuals, many drone operators are unaware of this constant data collection. And for many commercial drone operators, working as an independent contractor for a company, can’t firmly state that the set of data they provide to the company is the only single copy in existence—so what if you were gathering highly sensitive infrastructure data? The solution is closed systems which can better secure and protect the data collected during a drone operation.
In response to the U.S. Army’s memorandum, DJI said, “We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’.” We will watch for an update on this front.