Chinese drone giant DJI has published an independent report in a bid to combat public fears over the data security of its devices.
When you deliver technology that’s highly sophisticated and accessible enough for anybody to use, you can bet that security researchers will start delving into your operations to make sure that everything is above board.
This is particularly the case when your hardware is not only used by hobbyists, but also by the US Army and by law enforcement personnel around the world. And it doesn’t help if you’re a Chinese company dominating a global industry littered with high-profile American failures, during a trade standoff between economic superpowers.
DJI: Guilty until proven innocent?
Drone industry leader DJI found itself in this situation just last year, when the Shenzhen-based manufacturer’s credibility came under attack from several angles. These included a leaked US Army memo that ordered personnel to ground DJI drones over fears of espionage and ‘cyber vulnerabilities’ – a common enough concern in these politically sensitive times.
Broadcom’s bid for Qualcomm was blocked on claimed national security grounds, Chinese telecoms giant ZTE has been shut out of US and UK business, Huwaei is constantly monitored by GCHQ in the UK, and Kaspersky Lab has come under suspicion many times for its links with the Russian government, and may yet be shut out of US business too.
But back to DJI. There was a second critical memo, this time from the federal agency responsible for immigration and customs enforcement (ICE). It made a number of wild accusations, claiming that DJI drones, among other things, were able to detect and recognise faces and send sensitive data back to the Chinese government – even when switched off.
Security researcher Kevin Finisterre – an employee of counter-drone company Department 13 who would later back away from DJI’s bug bounty scheme in questionable circumstances – then made public several flaws in DJI’s security architecture, which have since been fixed by the company.
All of this amounted to a public dressing down of DJI and its approach to data security.
Like many technology companies, DJI’s focus has long been on producing the best products possible, and it presumably took the view that it was unnecessary to add military-grade security to camera drones that were largely designed for hobbyists and photographers.
Reassuring commercial users
Despite that, DJI has recently made a concerted effort to target commercial users and ride the new wave of drone adoption in industries such as construction and agriculture. So in order to reassure any users who might wish to deploy drones on more sensitive missions, the company has introduced a new privacy mode and hired an external security company to audit its technology.
The results of that audit were made public this week, with a summary from San Francisco-based Kivu Consulting released by DJI and made available for download.
“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, and GO 4 mobile app) concluded that users have control over the types of data that DJI drones collect, store, and transmit,” said Douglas Brush, Kivu’s director of cybersecurity investigations.
Brush wrote:
For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server. For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.
Internet of Business says
Reports had previously suggested that DJI drones could transmit sensitive user data without the user’s knowledge or consent. Kivu’s summary refute those accusations, as well as claims made in the ICE memo regarding the existence and use of facial recognition software.
“This is the first time that DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” said Michael Perry, DJI’s North American MD.
“This comprehensive report clearly debunks unsubstantiated rumours about our products and assures our customers that they can continue flying DJI drones with confidence.”
DJI is thought to have a 72 percent market share of global drone sales across all price points. This dominance is the result of relentless iterations, a vertically integrated company structure, the snowball effect of consumer confidence, and the inability of competitors to reach the same levels of achievement.
Kivu Consulting’s report should give nervous buyers the reassurance they need to employ DJI’s drones for more sensitive tasks – or simply the peace of mind that comes from data security, regardless of the information’s sensitivity.