“No evidence” of data transmission to DJI, China or unexpected party, finds independent audit


An independent audit has found “no evidence” of data transmission to DJI, China or any unexpected party.

The manufacturer welcomed the results of the cybersecurity audit of DJI drone products.

The security audit was performed by the cybersecurity team at global consulting firm Booz Allen Hamilton, on behalf of PrecisionHawk’s Unmanned Aerial Intelligence Technology Center of Excellence (UAS COE), as part of its ongoing effort to assess threat vectors facing unmanned aerial technology platforms.


It examined three specific DJI commercial drone products: the Government Edition Mavic Pro, the Government Edition Matrice 600 Pro, and the Mavic 2 Enterprise.

The UAS COE released an executive summary of the audit, which DJI has encouraged all customers to read fully.

The firm described it as another independent validation of the security of DJI products following reviews by the U.S. National Oceanic and Atmospheric Administration, U.S. cybersecurity firm Kivu Consulting, U.S. Department of Interior, U.S. Department of Homeland Security, and others.

DJI said the audit is a critical step toward ensuring emerging drone technology is secure and able to be trusted for government and enterprise operations.

This follows the Department of Interior grounding its drone fleet, after citing cybersecurity concerns.

The manufacturer, based in China, said the findings show how DJI customers have control over the data they collect when using its drones, contradicting reports that data from DJI devices is surreptitiously routed to other parties.

As part of its response, a DJI statement reads: “In addition to this important conclusion, we appreciate that Booz Allen’s extensive penetration testing and security review have provided us with further opportunities to enhance the security of our products.

“Through their extensive testing, the audit discovered several low or moderate severity threat vectors that pose a low-security risk to DJI users and that are also present in comparable commercial drone products.”

It continues: “This is a welcome opportunity to further enhance the security profile of our products, even beyond the requirements requested by our government partners when our Government Edition was developed. We look forward to continuing to secure our products if more security issues are discovered.

“We take these findings extremely seriously and are already implementing concrete steps to address many of the threat vectors identified in the report. Some have already been remediated, and we are actively working on several others, for our current products and longer-term approaches to security. All but two of these threat vectors relate to physical proximity or access to the drone itself.”

It concludes: “As an industry leader in the commercial drone market, we remain committed to working with customers, partners, industry, and experts around the globe to address security concerns. We encourage continued participation in the DJI Bug Bounty Program, the details of which can be found on our Security Response Center website. Taken together, these efforts will ensure our industry-leading products remain secure and trusted.”

Tags: China, cybersecurity, DJI, security

The author: Alex Douglas

3 Comments

  1. It would appear that this testing covers security testing of the potential for external penetration of the drone systems, i.e. from an external point into the drone systems.
    Nothing is reported regarding the potential for the drone system itself (i.e. the drone control firmware) to transmit data to an uncontrolled unwanted third party.
    It is this threat of either the existing drone firmware, or future update of it, being utilised to transmit data back to DJI that has been under question.
    Am I missing something here?

  2. While I completely understand why they did it, people need to realize that this report isn’t telling us anything. It doesn’t matter how well DJI protects any of their data or whether or not they take a hard line against any Chinese government request or demand for this data. In fact, there is probably a good chance the company hasn’t ever been put in that position by any of their government agencies.

    Booz Allen’s conclusion is almost certainly valid, accurate, and demonstrates a company culture which takes the protection of its customers’ data seriously. They found no evidence that the China-based DJI drone manufacturing corporation has divulged any data, whether in an isolated case or a systemic process.

    What Booz Allen didn’t find, because they didn’t look, nor would they have had the capabilities to, is what is most likely actually happening. They weren’t able to analyze the flow of data into DJI far enough upstream to see what’s happening.

    Why anyone would assume that the Chinese Government, but more specifically the Chinese Military and Intelligence apparatus, would bother to ask a domestic company for access to any data they want, is befuddling. Never mind that this access is codified into Chinese law; we seem to have forgotten that this is a country which over the last century has integrated a deeply embedded infrastructure of domestic surveillance networks which touches every signal and byte that goes into or out of China’s borders.

    The value that this data holds to the Chinese Intelligence agencies cannot be overstated. What other nations, to include the US, spend $Billions to surreptitiously seek out, China is having delivered to its doorstep in perpetuity. DJI would have no say or involvement in the collection of this data; that likely happens well before the data reaches their servers.

    There is absolutely no possibility that the Chinese government would be content to leave this treasure trove of information and data on the table. Anyone who believes that they are is either ignorant of how the Chinese government works, or is simply naive in such matters.

  3. Take note of the drones that were tested… they are certainly not the majority of the drones already out in the public’s and law enforcement’s hands and being used. It also absolutely did not say data is not being sent. Read the conclusion of the report. Lots of people are celebrating this report… maybe they forgot to read which drones were tested along with the conclusion of the report. I honestly don’t understand why.
