Written by Jackson Barnett
While a big portion of the current trade war is focused on tech giant Huawei, another company based in China has been battling U.S. government claims that its products present national security concerns.
SZ DJI Technology, the world’s largest commercial drone maker, is facing a ban from all U.S. military purchases over cybersecurity concerns and allegations of links to the Chinese government. But while the company has long been accused of security issues — a threat level nudged up to a “national security threat,” as one Senate staffer told CyberScoop — few supporting details have emerged.
There is no public evidence that mass swaths of U.S. user data have fallen into the hands of Chinese intelligence services, as has been suggested in Congressional testimony and a public intelligence report from Immigration and Customs Enforcement. But concerns over government use of commercial drones continue as the company moves to enhance the cybersecurity of its drones.
DJI says the allegations are “obviously false” and “unsubstantiated speculation.”
“DJI drones do not share flight logs, photos or videos unless the drone pilot deliberately chooses to do so. They do not automatically send flight data to China or anywhere else,” DJI said in a letter to Congress following a June hearing.
The 2020 National Defense Authorization Act currently contains an amendment from Sen. Chris Murphy, D-Conn., that would ban all Chinese-made drones and Chinese-manufactured parts from military purchase. The ban expands a current U.S. Army policy directive that forbids the purchase of DJI products. Both bans include a possible waiver.
“There are legitimate security concerns,” a Senate staffer who requested anonymity told CyberScoop. The staffer added there is a “high degree of confidence” the company poses a risk — but what exactly that risk may be is unclear.
‘Eight ways to Sunday’
Previously, security researchers have pointed to weak cybersecurity practices in DJI’s software.
Kevin Finisterre, a researcher who had an issue with the company over its vulnerability disclosure program, said its security was “a joke.”
“It is my understanding that they have been compromised eight ways to Sunday at this point,” said Finisterre, who used to work for the counter-drone company Department 13. He added that DJI is “larger than other drone companies, so it can make finding the attack surface easier.”
DJI acknowledged it hasn’t maintained high standards in its security, citing company culture as partly responsible.
“It’s a work in progress,” Michael Oldenburg, senior communications manager for DJI North America, told CyberScoop.
“These drones were never built to meet or align with DOD requirements,” said Mario Rebello, head of DJI North America.
Despite acknowledging DJI drones still do not meet the military’s cybersecurity standards, Rebello said “all three-letter agencies are using our products in some form or fashion.” Rebello said he personally met with representatives from agencies that have offered feedback as recently as last week.
One drone reseller, Christopher Casey, whom the Army contracted for a fleet of DJI drones, told CyberScoop he was unaware of any cybersecurity problems and that the Army never brought it up.
“I haven’t heard a word, that is very new to me,” Casey said.
The DOJ, CIA, NSA, DIA and NGA declined to comment. The Army referred questions about DJI to the DOD, which did not return a request for comment. The Air Force, Treasury, Department of Energy, DEA, ODNI, NRO, DHS, and State Department did not return requests for comments.
Disagreement over data location
DJI claims flight data is only shared with DJI’s cloud instances if a user chooses to share it. Going into “local mode” keeps almost all flight data on the device, Oldenburg said. But reducing connectivity to DJI can affect device operations, DJI’s terms show: without opting in to GPS location sharing, some flight services are turned off.
“Connectivity is crucial to making a great product,” said Spencer Gore, CEO of the Silicon Valley-based drone company Impossible Aerospace.
Gore echoed the concerns of others in the American drone industry over DJI’s large share of the market, which currently sits at 80 percent of U.S. sales. As the popularity of drones is expected to increase, it is important for the U.S. to maintain a foothold in the industry that could become critical to national security, he and others said.
“We have to think very carefully whether we want Chinese-manufacturing drones with high-power capabilities flying around American neighborhoods,” Gore said.
Rebello of DJI urged customers not to judge the company for being Chinese. He said DJI operates like any large multinational tech company, just one that “happens to be headquartered in China.”
At the heart of concerns over Chinese technology in the U.S. is a string of Chinese laws that eliminate many of the barriers between the government and industry. The laws require companies to turn over data, and to comply generally, when Chinese national security interests are invoked. The specter of Chinese companies easily swiping data from U.S. products is also at the center of the debate around Huawei.
DJI would not turn over U.S. user data to China that is stored on servers based in the U.S., Rebello said, but added “we abide by every local rule in place.”
The company maintains it was founded as a commercial drone company that now operates as a global tech company. Initially, it never intended to sell to the U.S. government and potentially capture sensitive data from agency flights. But as it came to dominate the market, its products became attractive to cash-strapped federal agencies.
Keeping the government happy
The first signs of trouble for DJI came in 2017 with a U.S. Army memo banning all of its products. The memo cited a classified report titled “DJI UAS Technology Threat and User Vulnerabilities,” but gave no details as to why all DJI products were to be severed from Army systems. Since then, the ban has been expanded to be DOD-wide, with other agencies and private companies following suit, and DHS has issued warnings over the “inherent risk” of using Chinese-made drones, a CISA spokesperson said.
In response, DJI created a government-tailored enterprise edition the company claims has no connectivity, greatly limiting the fear of data leakage. The stripped-down drone and accompanying application are an extreme version of the “local mode” the company says keeps user data on the device.
The Department of the Interior spent two years studying the enterprise edition drone in conjunction with drone hardware company Drone Amplified, NASA, an unidentified agency and a national lab. The report concluded the enterprise model was safe and did not have any noticeable data leakage in the final edition.
While the report cleared the enterprise edition for Interior’s use, it was specific to test cases only. Drone Amplified conducted an analysis of connectivity during testing.
“When we started work with [Interior], the first thing they said was ‘Let’s find a platform that works beside DJI,’” Drone Amplified CEO Carrick Detweiler told CyberScoop.
Detweiler — whose company makes a device that can attach to drones in order to drop fire-starting ignition pods for controlled burns — said “we are qualified for the analysis we did,” but was clear in saying the company doesn’t have cybersecurity-specific experience. It did not conduct an audit of DJI’s code or reverse engineer the applications.
DJI gaining clearance will open up new business avenues as it tries to continue its push into the federal market. But it is unlikely to dispel concerns on Capitol Hill that the company is connected to the ongoing problems between technology and geopolitics.
Sen. Rick Scott, R-Fla., was outspoken at a hearing on security threats from drones over his discontent with the U.S. purchasing the Chinese-made products. He likened the allegations against DJI to those of Huawei.
“I’ve warned my colleagues about the dangers of purchasing any tech, including drones, made in China,” Scott told CyberScoop in a statement. “Whenever possible, we should buy from American manufacturers.”