By Christopher Adams
Two cybersecurity firms reportedly have proven that software in Chinese-made drones compromises the privacy and security of drone operators.
A study last year by Synacktiv, a French information-technology security company, reached the initial conclusion on the Beijing drones, made by DJI — and its results later were validated by Grimm, a cybersecurity-infrastructure consultant based in Washington.
The Synacktiv analysis found that the software used to control the DJI drones possessed secret features, captured data from user devices and contained a forced-update feature that would allow the Beijing company to gain full control of a user’s smartphone.
The federal government basically has stopped using DJI drones out of national-security concerns — and a total ban on Chinese-manufactured drones and their software by the Trump White House seemed a possibility during the final weeks of the administration.
In addition, the products of four U.S.-based drone makers, plus French manufacturer Parrot, have been given the green light for government use by the Department of Defense (DOD), according to news reports last August.
But a spokesman for DJI’s North American operations told Digital Privacy News that the conclusions of the reports were false and that the federal government’s actions smacked of protectionism.
“What you’re seeing happening to us, as well as TikTok and a couple other companies, is that it’s really protectionism,” said Michael Oldenburg, DJI North America’s senior communications director.
“That is the issue here — and it’s policy and legislative action that is trying to give other companies kind of the upper hand.
“At least, when it comes to our market.”
DJI said the claims in the analyses were false.
“It was egregiously wrong the way that they looked at our app and the things that they have claimed to have found that were wrong with it,” Oldenburg said.
Synacktiv conducted its analysis last summer, concluding that DJI’s GO 4 and Pilot apps had issues — mainly forced-update mechanisms, which, according to Synacktiv, required drone users to accept an installation update on DJI’s application page.
Otherwise, operators could not fly the machines.
Barring Internet Traffic
Additionally, Synacktiv claimed that a DJI offline local-data-mode feature “requires an Internet connection in order to install unlocking certificates.”
The drone maker, Synacktiv claimed, advertised a “disconnected” local data mode for the DJI Pilot application, which was supposed to prevent Internet traffic from the app.
“The application has the permission to modify network parameters: Even if the user switches his device to ‘fly’ mode, there is a risk that the app re-enables network connection,” Victor Vuillard, chief technology officer of the Paris-based Parrot S.A., told Digital Privacy News.
Adam Nichols, who leads Grimm’s software application security practice, said that when the drone data was sent to third parties — DJI or Weibo, the Chinese equivalent of Twitter, for instance — there was no understanding of how it could be used or shared.
Possible Security Issues
Nichols also discussed potential security issues.
“If the Weibo SDK (software development kit) is activated as described in our blog post, there were a large number of things sent to Weibo,” he told Digital Privacy News by email. “It’s important to note that we did not do an analysis of all data that the application captures, as the scope of our analysis was focused on security.”
Grimm’s published work on DJI primarily centered on what the Chinese drone maker could do rather than on what Grimm had observed the company actually doing, Nichols said.
“Our focus was on the security of the application — and if the update mechanism were abused by either DJI or anyone who managed to compromise their servers, there are a lot of possibilities,” Nichols said.
“The app has access to your photos, media, files, location, serial number, IMEI (international mobile equipment identity), IMSI (international mobile subscriber identity) and so forth.”
Firm’s Own Reports
According to Oldenburg, the Chinese company had two independent cybersecurity audits conducted on its drones last year. One was by FTI, a Washington cybersecurity firm, and the other by Booz Allen Hamilton, another D.C. cybersecurity company.
Booz Allen examined three DJI products, including a drone developed with the U.S. Interior Department, and concluded that none of the operator’s data was reviewed or collected by DJI, the Chinese government or any unintended third parties, Oldenburg said.
“If you’ve been seeing the headlines over the last couple years, you would think that there is some kind of a data-privacy, or data-custody or cybersecurity issue with DJI’s products,” he said. “It couldn’t be further from the truth.”
The tactics, or “levers,” being used via pending federal government policies — whether it’s the National Defense Authorization Act (NDAA), American Securities Drone Act or an executive order from the White House — don’t directly name DJI but contain a country-of-origin restriction or a ban subtext to prohibit products made in China, Oldenburg said.
These actions might explain why the non-Chinese drone makers support a U.S. ban and promote the analyses critical of DJI products, he argued.
“The domestic and global market has long been unhealthy, dominated by a single company that makes hardware-centric devices that require expert pilots to perform meaningful work,” said Brendan Groves, head of regulatory and policy affairs at Skydio in Redwood City, Calif.
“Consumers, commercial operators, and public-sector agencies have long been looking for software-centric solutions that take the friction out of flying while providing the highest standards of cybersecurity,” he told Digital Privacy News.
Skydio is among the five drone makers on the U.S. government’s approval list.
Wanting US Equipment
The accusations and claims about DJI products originated with the DOD, Oldenburg alleged. The agency realized drones could be critical to a soldier’s battlefield inventory and wanted American-made equipment.
“And, rightfully so, they didn’t want to use any technology made by foreign companies, which we totally support,” he said. “Our products were never … made to military specs.
“They realized they needed to probably start a U.S. company or support a U.S. company to be able to produce a product that was on par with DJI,” Oldenburg said.
He explained that this led to DOD funding of the five “blue drone” companies — Parrot, Skydio, Altavian, Teal and Vantage Robotics — whose machines had been approved for use within the federal government.
“It’s clear to us,” Oldenburg said, “that what’s happening here is they are trying to create … artificial market demand by placing restrictions or prohibitions on the use of DJI drones and others out of China and giving the upper hand to these five ordained blue-drone manufacturers.”
In addition, an article published last August in the FlightGlobal industry publication disclosed that small unmanned aerial vehicles (UAVs) made by American and French drone companies were considered cybersecure by the Pentagon and not susceptible to backdoor spying, which could be possible with DJI drones.
In his comments to Digital Privacy News, Skydio’s Groves quoted FBI Director Christopher Wray telling a Washington think tank last February: “China has national security laws that compel Chinese companies to provide their government with information and access at their government’s request.”
Groves said DJI officials had acknowledged under oath the company’s compliance with these requests.
While it was not clear to whom DJI made the acknowledgment, the Commerce Department blacklisted the drone maker last month. The agency labeled DJI a national-security concern and prohibited American companies from providing technology to it, according to news reports.
No Government Ties
Oldenburg adamantly insisted, however, that DJI had no ties to the Chinese government and that it even had American investors.
“We’re a Chinese-headquartered and founded company — and that’s as far as it goes,” he told Digital Privacy News. “We’re not a state-owned enterprise.
“There’s not Chinese-government influence within our company, so there’s really no connection there,” Oldenburg added.
“That’s very different from some of the research and findings that you’ll see around other companies that have been caught in geopolitical tensions between the U.S. and China.”
Christopher Adams is a Texas writer.
- Synacktiv: DJI Pilot Android Application Security Analysis
- FlightGlobal: Pentagon approves five US drone makers ahead of likely ban on China’s DJI
- GRIMM Blog: DJI Privacy Analysis Validation
- Center for Strategic and International Studies: FBI Director Christopher Wray’s Opening Remarks: China Initiative Conference
- The Verge: US government adds DJI to Commerce blacklist over ties to Chinese government
- RAND: How to Analyze the Cyber Threat from Drones