Once Classified Document Finally Released
A DJI drone
In 2017, the U.S. Army ordered that the use of drones made by Chinese manufacturer DJI be discontinued, citing security concerns. Now, a second classified memo used to support that decision has been released, revealing serious concerns about how cyberspies could intercept video and other encrypted data.
The previously classified May 24, 2017, U.S. Navy memo, Operation Risks With Regards To DJI Family of Products, was released this week by the National Security Archives, an independent, not-for-profit research organization that filed a Freedom of Information Act request to obtain the document.
The memo is now available online through the National Security Archives Cyber Vault project.
A 2017 report by sUAS News, a publication dedicated to drones and unmanned aircraft, noted that a 2017 U.S. Army memo ordered that the use of these Chinese-made drones be discontinued and that batteries and storage media be removed and applications uninstalled from these devices.
While the Army memo cited in the story was released in 2017, a Navy document, which raised specific cybersecurity concerns, remained classified until Dec. 16, when the National Security Achieves released it to the public.
Despite this, other branches of the military, including the Navy and Air Force, as are still using DJI drones, according to a Voice of America report.
“The [Navy] memo drew attention to public research, which suggested that the data link from the drone to the ground station was vulnerable and that the system could upload images, videos, or telemetry to servers without operator knowledge,” according to the National Security Archives
Concerns Over Hacking
Several U.S. government agencies have raised concerns about the security practices of DJI, one of the world’s largest manufacturers of drones, according to Bloomberg.
In May, the Department of Homeland Security issued its own warning about how Chinese spies could intercept data from drones manufactured in China, although that memo did not cite DJI by name (see: DHS Reportedly Warns of Chinese-Made Drones Stealing Data Concerns).
A DJI spokesperson tells Information Security Media Group that while the company’s drones are not designed for military use, it has made security improvements since the Army and Navy memos surfaced in 2017.
“We have long since addressed the concerns expressed in this 2017 memo as part of our continuous commitment to safety and security, including adding advanced data encryption features, storing data shared with DJI on secure U.S.-based [Amazon Web Services] servers, and adding the ability for users to eliminate connection between the drone and the internet,” the spokesperson says. “DJI’s enterprise products that are designed for use by the U.S. government have been tested and validated by U.S. cybersecurity consultants and U.S. federal agencies.
In June, DJI also sent a letter to a U.S. Senate subcommittee denying that its drones send data back to China.
The Navy Memo
The 2017 Navy memo offers some specifics about cybersecurity concerns that led the Army to reconsider its use of these unmanned aircrafts.
Data transmitted between the drone and a ground station could be intercepted by cyber spies even if that data is encrypted, the memo notes. A skilled hacker could also take control of the drone, the memo adds.
“While open source research indicates numerous techniques available to passively view the video and metadata from the air vehicle as well as assume control over the air vehicle by adversaries,” according to the Navy memo.
The ground control station used to control the DJI drones is made up of several components that are susceptible to hacking, especially if they are connected to the internet, the memo notes.
“Open source research indicates when the transmitter, controller, tablet or phone is connected to the web, images, video and flight records could be uploaded to unsecure servers in other countries via live streaming, or transmitted once the air vehicle is connected to a computer using the assistant application,” the memo states.
The memo also notes that if military personnel continue to test these drones, they should take security precautions when operating these drones, such as not connecting the ground control station to a military network or the public internet, and ensuring that any test are not conducted in operationally sensitive areas.
In addition, the Navy memo recommends that military personnel remove the micro-SD card from the drones since these vehicles are sometimes lost on missions and that the camera remained covered unless it’s necessary for the test.
Lack of Reliability
In addition to the concerns over cybersecurity, the Navy memo details other issues with DJI drones. In one instance, the officer writes that these aircraft might be susceptible to electromagnetic interference, which could damage the aircraft.
In another section, the Navy memo questions the overall reliability of DJI drones. “While these systems are commonly available, anecdotal evidence demonstrates that they are not highly reliable when employed in typical military environments,” the memo notes. “Loss of the air vehicle through damage, or malfunction should be considered highly probable over time; DJI systems are expendable.”
Other Security Concerns
While the Navy memo outlines some concerns with these types of drones, other security experts have noted that unmanned aerial vehicles have a host of other concerns as well.
Tom Kellermann, the head security strategist at VMware who held a seat on the Commission on Cyber Security for the 44th President of the United States, notes that the software used to control drones typically contains a backdoor used for updates and configurations.
With the backdoor already installed, hackers can easily plant malware within the drones for cyberspying or other malicious activity, Kellermann tells Information Security Media Group.
“This is compounded by the fact that this technology likely has a remote access Trojan – RAT – embedded in it,” Kellermann says. “‘Made in NATO’ member states should become a mantra.”