US military report highlights security fears behind ban on DJI drones
- A navy intelligence report from 2017 warned of the danger the world’s bestselling camera drone brand could be hacked
- Memo said ‘numerous techniques’ could be used to compromise data collected using the devices, which the US military had used to develop its defences
A recently disclosed document has shed new light on the US military ban on Chinese-made Dajiang (DJI) drones.
The memorandum “Operational Risks With Regards to DJI Family of Products” by the US Navy’s executive officer for unmanned aviation and strike weapons – dated May 24, 2017 – was one of the reports cited by the US Army later that year when it banned the world’s bestselling drone camera brand. This ban was later extended across the US military.
The army memo only attributed its ban to “cyber vulnerabilities” without further elaboration.
In the navy memorandum, which was recently released to the national security archive of George Washington University through the US Freedom of Information Act, the researchers identified several risks.
The main concern was that the data link between a DJI drone and a ground station could be hacked to gain access to the data collected — or even to hijack the aircraft.
It was noted that a “thorough study of the cyber vulnerabilities of these systems” had not been completed, but that open sources indicated “numerous techniques” could be used to compromise the data.
The memo also said the DJI system could upload images, videos or flight records to “unsecure servers in other countries” without the operator’s knowledge.
There was also a risk that operators could lose control of the drone under electromagnetic interference, and that the devices could easily be damaged or malfunction in “typical military environments”.
Other problems included a lack of training assistance, logistics supply and technical support from a foreign maker.
DJI sells about 70 per cent of the world’s civilian quadrotor drones.
Instead of using the DJI cameras for reconnaissance, the US military mostly employed them to develop their defences against drones.
It used the drones to simulate a “representative” threat from enemy drones and to develop its counter-unmanned aircraft systems tactics accordingly.
However, the memo implied that if the DJI drones were hacked it could expose details of US defensive strategies to the enemy.
The army banned the use of the drone in August 2017. The Pentagon extended this ban across the US armed forces in May 2018.
US lawmakers are now weighing proposals to enshrine the ban in the National Defence Authorisation Act for the next financial year.
Shenzhen-based DJI has said that while it did not design or market its products for military use, the company had long since addressed the concerns expressed in the 2017 memo.
Those measures include “adding advanced data encryption features, storing data shared with DJI on secure US-based AWS servers, and adding the ability for users to eliminate connection between the drone and the internet”.
“DJI’s enterprise products that are designed for use by the US government have been tested and validated by US cybersecurity consultants and US federal agencies,” it said.
The company added that it gave all customers control over how their data was collected, stored, and transmitted.