US Army calls for ban on DJI equipment over security concerns

Yep! This reinforces my suspicions that tactical information can/is being gathered by China military using this firmware "upgrade" ploy? Scary stuff......BTW: still being "throttled" to my "leashed area".....I'm contacting EBAY for a refund.

If the Chinese military are gathering intel from flight data, and are behind the latest firmware upgrades, doesn't it seem just a bit inconsistent that the firmware in question now completely blocks flights in any special use airspace that might actually be of interest?
 
DJI has done more to advance Drone security than any other Drone manufacturer. Worse, the Coast Guard and its affiliated units have issued a "Cease and Desist order" which prevents any unit member from flying or touching a Drone, or even learning about Drone technology on military duty. The Coast Guard seems to be the most understaffed, short-handed U.S. Military Unit. Yet it has an enormous expanse of responsibility for boating safety for 320 million American citizens as well as safety and security control over hundreds of ports, domestic and foreign shipping, shipping cargo, fishing and water sports operation, and water related accident investigation and prevention. In other words about 10,000 miles of American shoreline. The Coast Guard severely needs greatly expanded observational enhancement of Drones to augment its limited manpower. They first said a "Study Committee" on the "possible" use of Drones was going to be established at the top of Command Leadership. That was a year ago and apparently nothing has even been started. Such lack of foresight and leadership is likely why our military budget is so staggeringly high, though it is the most vital part of our Federal Budget. The truth is Drones will become successfully useful only after they are put in the hands of working front line soldiers and sailors and actually flown in practical missions. The Air Force is flying large Drones on very successful missions from 6,000 miles away. We know how vital Drone technology can be. But those UAV aircraft cost $10 to $20 million a copy, far too costly to fit the budgets of small, front line, operating units which need them most. Effective development of low cost Drones has been slow, but a few manufacturers like DJI and Parrot have built amazingly efficient designs which can do hundreds of needed observational jobs at low initial and maintenance cost.
It is certainly time to put them in the hands of front line personnel and see just how much more effective our missions can be. If security problems are found, solve them as testing progresses.
 
Where can I learn more about your second sentence?

I could find lots that seemingly contradicts your other statements on current and planned USCG usage of drones and related successes.
 
Being able to review those specific videos/pics is a cheap way to gather intel data. Agents used to mingle with tourists while taking pictures on their vacations all the time. Remember the picture taking bans right after 911? This has potential to be a problem.
Yes, I remember the ridiculous, over the top paranoia that consumed the USA at the time.
Particularly the stupid picture taking bans that achieved nothing at all toward enhancing security.
The idea that photography (in the USA) = espionage is outdated and pretty well irrelevant.
People with ill intent can get whatever info they want from Google Earth, hiring a light plane or just walking up to most things they might have an interest in.
Here's some intelligent analysis of the idea: The War on Photography - Schneier on Security

And this whole line of enquiry is based on the quite false notion that somehow DJI is somehow getting your videos and photos.
They don't even get your basic flight data unless you choose to upload them.

If they were somehow siphoning off large video and image files, someone would have noticed by now but there have been no reports of this happening.
 
You do know that Autel is a Chinese company that has offices in the US? The drones are designed in the US, but built in China.
Autel drones aren't even designed in the US.
Autel Robotics USA is a sales and service operation with the design and manufacturing being done in Shenzhen China, just down the road from DJI.
Prior to opening Autel Robotics USA, they were Maxaero and a China only company.
 

Man, these Chinese are leading the way with the drones they design.
 
The flight info is searchable data. If uploaded to somebody's server, it can be searched - including GPS data. So, if the coordinates are someplace someone wants to know about (airports, military bases, infrastructure, etc.) then you know which videos (also uploaded and cross-referenced) to pull up and view. If only 1 in 1000 produce any intelligence someone didn't already know it could be worth all the trouble. That is what intel gathering is all about - one small piece at a time. This is the big problem. Taking control is mostly only useful if the drone is in the right place at exactly the right time for a specific purpose. Most hobbyists and part 107 pilots won't be ferrying dangerous materials on their flights. I suspect no sensitive data has been uploaded. The changes made by DJI to store data have been recent and the military doesn't upgrade firmware without testing it.

As a software developer for three decades I can tell you that Trojan horses make it past the best firmware testing all the time in the very best of both the public and private sector computer systems...and not just once in a blue moon. There is not a week that goes by where Microsoft or one of the other software giants doesn't release patches to software that has in some cases been vulnerable for many years even though the software is constantly being scrutinized for exploits.
Just look at the computer system breaches in the various branches of top secret government as proof of the ineptitude that the bureaucracy in govt allows. The Snowden leaks, unsecured emails from the very top levels of govt, and the $600.00 toilet seats show how tight the controls are in government, so it is foolish to think that just because software is screened it is free of spyware, malware or any number of other hidden hacks. Often the uploaded data looks clean but has hidden data between the lines so to speak.
As far as the military not upgrading firmware without testing it, be careful when drinking that spiked koolaid! The more you drink the better you feel until morning comes around and you see what secrets were let out the back door. You can NEVER EVER be sure that your systems have not been compromised.
There are two types of organizations. Those that have been hacked, and those that have been hacked but don't know it yet!
 
DJI have basically HACKED people's existing owned equipment and disabled features on it in the guise of "update"
Would you trust a company this unscrupulous with anything?
 
If the Chinese military are gathering intel from flight data, and are behind the latest firmware upgrades, doesn't it seem just a bit inconsistent that the firmware in question now completely blocks flights in any special use airspace that might actually be of interest?
Confusing isn't it? That still doesn't explain why my P3S still is chained to my porch? I certainly understand the Military's concerns too, it's obvious. But what's stopping them (China) from collecting/archiving all of this data anyway?
 

I don't think that there is anything mysterious going on here. How much influence the Chinese government has over DJI is uncertain, and it is certainly not inconceivable that DJI could be providing flight data to them, but it's hard to see how that is related to any specific firmware version or the clunky GEO issue (presumably the one that is causing problems for you) since the options to upload flight data have not noticeably changed.

I have not seen the referenced Navy report, but it is fairly clear that a couple of security concerns may be involved:

(1) Communications between the DJI Go app and the DJI servers are encrypted and so it is not easy to figure out the extent of those data. Even when flight data are not synchronized (optional) there are communications occurring. Possibly only to retrieve NFZ data and check for software/firmware updates etc., but it's not transparent.

(2) Third parties might be able to access flight data or imagery since neither the link encryption nor the control software communications encryption is FIPS certified.

Neither of these possibilities is likely a significant worry for personal or business users, but they are not acceptable for many Federal or Federal contractor applications.
 
It's the Geo system and DJI's ability to remotely ground all drones.
DJI servers can put up fake NFZs anywhere and anytime, blocking drones from flying.
Imagine a drone needs to take off for a life critical, when suddenly it's a brick. Unacceptable.
 
Yep don't send a toy to do a tool's job.
 
It's the Geo system and DJI's ability to remotely ground all drones.
DJI servers can put up fake NFZs anywhere and anytime, blocking drones from flying.
Imagine a drone needs to take off for a life critical, when suddenly it's a brick. Unacceptable.

If you are referring to the military ban then no, it is not that. They are not using them for life-critical applications.
 
What's a guy to do?
P4 house arrest.jpg
 

NOAA cleared the DJI 1000, as a security risk, finding that, as far as could be proved, DJI's communication was only firmware checks or functions of software's updating.
Nothing to see, move on.:cool:
 

At least a couple of studies that I know of came to a similar conclusion. Unfortunately they were, firstly, not definitive (your "as far as could be proved") and, secondly, there is no way to be sure that firmware updates or other changes pushed from DJI will not alter the results. Not a problem at all for most uses but not good enough for government work.
 
Instead of the headlines reading .....ban on DJI......It should have read "US Army bans some personnel from purchasing unsecured equipment". Why does it look like it's DJI's fault when the drone was not designed for military use, the people who bought them did not do a very good job. The military invented the internet, they should know better.
 
The headline accurately reflects the subject and content of the memo. No editorializing.
Is it possible there are other memos for other equipment manufacturers?
What motivates you to be so critical of this?
 
Confusing isn't it? That still doesn't explain why my P3S still is chained to my porch? I certainly understand the Military's concerns too, it's obvious. But what's stopping them (China) from collecting/archiving all of this data anyway?
What would they do with it?
NOAA cleared the DJI 1000, as a security risk, finding that, as far as could be proved, DJI's communication was only firmware checks or functions of software's updating.
Nothing to see, move on.:cool:
If you are referring to the article on The Verge, they said the S-1000 was sending network traffic for mainly seeking updates, but the Phantom was sending encrypted data to DJI and "unidentified" servers. I'm fine with encryption, actually prefer it. Makes it harder for a man in the middle attack. What they didn't say was what the traffic load from the Phantom was compared to the S-1000. If it's only checking for updates, the amount of traffic should be more or less the same amount to the S-1000.
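
The comparison suggested in the post above, sketched as an added example that is not part of the thread: even when payloads are encrypted, per-destination byte counts and direction can be compared between two devices. The flow records, hostnames and the `EXPECTED_HOSTS` allowlist are constructed placeholders, not values from any report.

```python
from collections import defaultdict

# Constructed flow records (not real captures):
# (device, destination host, bytes sent by device, bytes received by device)
FLOWS = [
    ("s1000", "updates.vendor.example", 1_200, 48_000),
    ("s1000", "updates.vendor.example", 900, 2_100),
    ("phantom", "updates.vendor.example", 1_100, 47_500),
    ("phantom", "api.vendor.example", 310_000, 4_000),
    ("phantom", "unknown-host.example", 95_000, 1_500),
]

# Assumption: the only destination needed for update checks.
EXPECTED_HOSTS = {"updates.vendor.example"}


def summarize(flows):
    """Aggregate (bytes_up, bytes_down) per device and destination."""
    per = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for device, host, up, down in flows:
        per[device][host][0] += up
        per[device][host][1] += down
    return {d: {h: tuple(v) for h, v in hosts.items()} for d, hosts in per.items()}


def upload_total(summary, device):
    """Total bytes a device sent, across all destinations."""
    return sum(up for up, _ in summary[device].values())


def flag(summary, device, expected=EXPECTED_HOSTS, max_up_ratio=1.0):
    """Return destinations that are off the allowlist or upload-heavy.

    An update check is mostly download; a destination that receives more
    than it returns does not fit that profile.
    """
    findings = []
    for host, (up, down) in sorted(summary[device].items()):
        reasons = []
        if host not in expected:
            reasons.append("unexpected destination")
        if down == 0 or up / down > max_up_ratio:
            reasons.append("upload-heavy")
        if reasons:
            findings.append((host, up, down, reasons))
    return findings


if __name__ == "__main__":
    s = summarize(FLOWS)
    for dev in ("s1000", "phantom"):
        print(dev, "uploaded", upload_total(s, dev), "bytes;", flag(s, dev))
```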
 
