After news broke last week that the US Army wanted to halt the use of DJI drones, plenty were jumping to the conclusion that something serious was up with DJI’s software from a data security point of view. There is no smoke without a fire, as the saying goes. But we still don’t know the motivations behind that Army memo. And it’s unlikely that they will come to light anytime soon.
Understandably, the whole situation has left DJI in an uncomfortable position and with a damaged reputation. Speaking to DroneLife, a US Army spokesperson has verified the document but declined to comment further on its contents. So where does that leave us?
Taking a Risk-based Approach: Is Data Secure with DJI?
Laying out the facts, it’s easy enough to understand why the US Army has taken the decision that it has. But that decision could have quite easily been made without any evidence of wrongdoing on DJI’s part. So what do we know for sure?
Data is on the Move
We know that DJI’s product ecosystem – which includes drones, flight controllers, applications and update tools – all record and send information back to DJI to a certain extent.
Of course, this data transfer can be justified and put down to completely legitimate purposes. The company could be using it to monitor software issues, track the performance of updates or look into specific incidents. This kind of thing isn’t uncommon, and you’ll find that most operating systems and major applications, such as those from Apple and Microsoft, seek permission to collect or share this kind of information to improve their services and products.
For the vast majority of pilots flying for fun and most professional projects, this isn’t going to be a concern. However, if you’re flying a sensitive or classified mission, it might be enough to unsettle you somewhat. The main concern comes as a result of the two things that are unique to DJI in this instance…
The China Connection: Weighing up the Risk
Speaking to DroneLife, UAS security consultant David Kovar ran through the issues as he sees them.
“There are two problems specific to DJI,” he said. First, “They are a Chinese firm with all of their IT assets in China.” And second, “The Chinese government actively and passively collects information about US Government activities along with commercial and consumer [data].”
So the conclusion is a simple one for military officials making a judgement based on the risks. The capability is there and the demonstrated intent is there. So whether or not anything untoward is happening “good security practice suggests that the appropriate risk mitigation approach is to simply stop using DJI products.”
“The risk exceeds the benefit, probably by a very wide margin. I think you can argue that this is a well-considered decision even without evidence of malicious activity.”
The Unknown Quantity [of Data Transferred]
As part of DJI’s commitment to customer data and privacy, we want to emphasize that we do not collect any personal data or information from or about a user, except what the user chooses to manually upload and share with us. The same holds true for flight data, including any photos or videos taken during flight.
However, there have been instances that suggest there is more to DJI’s data collection than meets the eye. Since the news broke about the US Army memo, the company has pointed to a more recent story in The Verge suggesting that DJI drones have been proven safe by The National Oceanic and Atmospheric Administration.
However, there were contradictory elements within that article, which has since been updated to confirm that the testing used “a third-party remote and independent ground station” (ie didn’t actually test the whole DJI ecosystem) and that Ed Dumas – a computer programmer at NOAA and one of the authors of the study – “ran similar tests on his personal unit, a Phantom 3 professional, during his spare time. His software found that unit was sending encrypted data back to DJI and servers whose location he could not determine.”
As Kovar points out, “DJI has only admitted to limited data collection, either for maintenance purposes or for legal purposes. If you unlock a NFZ, for example, some additional information is collected.”
But this, he says, is where poor communication from the company is leaving room for conspiracies to grow. “DJI aren’t helping themselves – it is safe to assume that when you’re upgrading the firmware on your DJI product using DJI Assistant that some information is sent back to DJI: Your serial number, old firmware #, new firmware #, IP address and user account. But they didn’t mention that collection.”
Clarity is Needed
Until a thorough investigation is undertaken of DJI’s product and application ecosystem, speculation will inevitably continue. Kovar suggests that “It would help DJI’s image if they went through all of the components of their system and documented the data collection from each one in a single place.”
“Failing to mention the NFZ or the Assistant makes people wonder what else they’re not mentioning. Eventually, someone is going to do a full analysis on DJI’s system. If it doesn’t align with what DJI claims is collected, it’ll further damage DJI’s reputation.”
The Presence of Tinker: “Legitimate Malware”
It might sound harmless, but ‘Tinker’ actually represents a genuine threat. Over the past day or so, a small team including Department 13‘s Kevin Finisterre and Andreas Makris has discovered some interesting features deep within the DJI Android application that violate Google Play’s terms of service.
Namely, the inclusion of a Tinker patch, which effectively gives DJI the power to ‘hotfix’ the Android application. This means that the app can be updated as a background process, without acknowledging the user or having to go through Google Play or Google Play’s safety features.
This kind of patching is forbidden for good reason: It’s an easy way for malicious code to be loaded straight into an app without users knowing, and can transform an application’s behavior with a small number of updates. It’s not the kind of feature you want in a drone full stop, let alone one that you’re using for military applications – that’s for sure.
The presence of the Tinker patch isn’t necessarily proof of wrongdoing, as it’s used to update popular apps in China such as WeChat – albeit with hidden censorship features. But it can add functionality that the user might not want, or allow developers to hide things in the code at a later date.
DJI’s tech team has been made aware of Tinker, or rather been made aware of its discovery, and have said that it will be removed in future updates. There is no evidence as of yet that the Tinker backdoor has been used to patch the DJI application. But there’s also no doubt that its presence alone would be justification for the US Army’s decision. After all, questions remain over why it was there in the first place.