Saturday, November 27, 2021

Why Should We Trust DJI?

The historical relationship between China and the United States is steeped in espionage. A quick search of the sUAS News website will reveal an article going back to 2013:

“QinetiQ North America was attacked by a Shanghai-based hacker group from 2007 to 2010, Bloomberg reported on Thursday. The hacking collective has been coined the ‘Comment Crew’ by security experts.”

QinetiQ is both a drone manufacturer and a defence contractor, so this incident rightly raised cyber security concerns in the drone industry. The recent memorandum dated May 24th from the Army on DJI equipment not passing the security sniff test has worried other defence contractors in the US. Commercial UAS operators with ongoing government contracts at sensitive locations who use their own DJI equipment should be equally concerned.

Understanding the Threat

The memorandum states that:

“1. a) Army Research Lab (ARL) report, “DJI UAS Technology Threat and User Vulnerabilities,” dated 25 May 2017 (Classified)
   b) Navy Memorandum, “Operational Risks with Regards to DJI Family of Products,” dated 24 May 2017.

3. Direction: Cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow-on direction.”

(US Army Memo dated 24th May 2017)

Before the official news broke on the Army report, several individuals suspected something similar might be occurring and started using the #ChiComms (short for “Chinese Communications”) hashtag to discuss the matter on Twitter. They were met with significant scepticism, but in the end, the Army report and DJI’s reaction showed that their fears were founded in reality.

One of the significant concerns that may have motivated this memorandum from the Army is that China may implement long-term technology espionage schemes to gain intelligence on US businesses, infrastructure, etc. Unfortunately, even if the Army is researching the back door data being sent by DJI’s UAS to its servers in China, it will probably not release the results anytime soon. In the QinetiQ example above, the analysis took no less than 3 years to release. While there is no publicly available data to verify that possibility, DJI’s massive market share in the US and global consumer UAS markets has the potential to operate as a Chinese Trojan horse for this kind of espionage. Government actors and civilians alike will therefore need to reevaluate their trust relationship with DJI in the absence of hard data. China’s long and storied history of technological espionage should give even the most skeptical US users some pause.

In response to the Army’s memorandum, DJI has announced they will soon implement an offline mode, and repeatedly asserted that their data is secure. DJI’s proposed solution is reactive and far too late to ensure the safety and security of Americans and their data. DJI also just announced a new bug bounty program that would pay users to find vulnerabilities and bugs within their code, which DJI would then fix. The program would give DJI community-wide access to the best hackers, and DJI could later exploit consumers of its products using the very code those hackers worked on, under the guise of safety and cleaning up buggy code.

The sheer scale of the threat posed by such a broad and deep espionage scheme should force all US companies and government actors to take this problem seriously. This threat is not isolated to China vis-à-vis DJI; any actor with the resources to hack the “hot patches” and infiltrate that data could use consumer-grade UAS to evaluate sensitive infrastructure, industries, and other potential targets across the US without the user ever knowing about it.

While low-resolution visual depictions of these sites are widely available online, the high-resolution images and other data that could be collected by an unwitting fleet of consumer drones would be much more actionable. For example, a military commander of an invading force would obviously be interested in determining the bombing routes of least resistance for manned or unmanned bombing aircraft. This process typically begins with a simple line of desired targets, but becomes considerably more complex as it incorporates the purposes for hitting those targets and the mission cost in time, man-hours, vehicles, etc. Detailed imagery from a fleet of remotely accessed consumer drones could enhance the accuracy of that calculus, and even operate as an unseen forward observation platform during the early stages of the raid. While a consumer drone can only gather a minimal amount of data during a typical flight, the amount of data generated by an entire fleet over ten or twenty years could offer a significant source of intelligence for a long-term strategic military campaign. China’s growing and state-funded robotics schools will undoubtedly produce war machines that are more able than ever to capitalize on such data. DJI sponsors such schools; Robo Master 2017, held in Singapore, is a Chinese state-sponsored war machine incubator for the youth.

DJI and the DAC

In addition to the sheer capabilities presented by such an espionage campaign, there are specific reasons to doubt DJI’s trustworthiness when it comes to data security. DJI’s general counsel stated several times that there was no “backdoor” on their products – i.e. that the drones were not sending data back to Chinese servers unless directed to do so by their owners. Here are some quotes from the article.

(Screen shot from www.dronelife.com on 8-28-2017)

(Screen shot from www.dronelife.com on 8-28-2017)

When hackers found exactly such a backdoor, DJI said it would offer a secure offline mode. US users should approach DJI’s newfound “offline” mode with a healthy dose of scepticism. If anyone truly believes that unchecking a box is their security method, then they have more problems than needing a new drone to contract with the US government.

DJI’s data security issues are particularly concerning given their seat on the Drone Advisory Committee (DAC).  The Drone Advisory Committee is committed to making the NAS T

“This Federal Advisory committee was formed to provide an open venue for the FAA and key decision-makers supporting the safe introduction of Unmanned Aircraft Systems (UAS) into the National Airspace System (NAS).” -www.rtca.org

(Screen shot from www.RTCA.org on 8-28-2017)

The FAA probably did not suspect DJI of operating as an instrument of Chinese espionage, but they should have known better than to include any Chinese companies, or anyone whose direct product interfaces with a Chinese platform, on this official rulemaking committee. In light of the Army memorandum, the FAA should review the members of the DAC now for Chinese influence. This raises serious questions about the FAA’s level of security awareness, both in cyber security and in international espionage, and about the motives of a few others currently on the DAC; the FAA should make absolutely certain they have American business interests at heart.

Airmap

One of our very own stakeholders in the NAS and UTM, Airmap, has long been suspected of providing inaccurate navigation data through their apps, which share information with DJI in the Go app. They have a shared data partnership with DJI; Airmap’s platform runs on Amazon servers, and the FAA provides the data for UAS navigation, charts and GIS sharing. Even though Airmap is an American company, it is just as guilty as DJI of giving away sensitive GIS data to the Chinese, especially if they do not have security analysts looking at the data and protecting it. How is it that Airmap can be pushing heavily to be a trusted partner of the FAA’s for the LAANC system as a solution, but still share data with the Chinese? Many people say the LAANC system is a direct copy of the Chinese cloud system called “U-Cloud.” This only furthers China’s cause of infiltrating deeper into the US NAS by making it a requirement to use their products, either via Airmap or DJI directly. This is the danger of working with outside governments and allowing them to be part of the rulemaking process that mandates equipment requirements. It is very surprising that Airmap, which has Chinese investors and a seat on the DAC, has not been vetted better by someone with a security clearance who is a cyber subject matter expert on behalf of the US government. It leads one to ask: if the military won’t use DJI products, then should we allow DJI to make rules and influence policy? At the very core of aviation and the NAS is the US military and strategic air command.

“These areas are already viewable on AirMap’s iOS, Android, and Web apps in the “Restricted Special Use Airspace” category.”

LAANC System on Airmap’s website.

Many defence contractors are wondering how this has all happened, and they should be rightfully concerned about cyber issues when partnering with drone companies that use Chinese software and equipment. The FAA needs to vet the members of the current committee more carefully, removing the Chinese influence before moving forward. Credentials alone do not make anyone an expert on air traffic procedures, technology, policy, or any of the other critical areas needed to adequately serve on this panel. Moving innovation through the rigid system in place within the FAA takes serious talent, and Dan Elwell, who was recently sworn in as the FAA’s Deputy Administrator after being appointed by President Donald J. Trump, should find people who could really fill those roles. He should seek to hire individuals with talent and expertise at all costs to get this industry moving again, before its present stagnation turns into an all-out collapse.

Moving Forward With Solutions Not Just Criticism

DJI has not sufficiently proven their trustworthiness to date, but there are definite steps they could take to repair the damage done by the Army memorandum. For example, DJI could pursue the trusted DO-178 certification, which would rule out any problems the military might have using their equipment. Of course, that process would bring to light any issues that would prevent the US military from using that equipment, and DJI may not want to bear that cost. After all, their drones are marketed to civilians and not to militaries. As a side note, the technology vetting process itself needs some serious reform. It is far too slow to keep pace with technological advancements and does not capitalize on the expertise in hacking and other forms of penetration testing available among US citizens in the private market. The DoD should start crafting a new message welcoming talent that could not pass a physical fitness test or fit the mould of a soldier as internet warriors for the next generation of warfare. In addition, the complicated government contracting and procurement process allows military contractors to hold onto the most advanced data and insights into UAS development. This level of control stifles the innovation that could help US warfighters gain ground in new forms of warfare. The DoD should allocate the responsibility to continue that innovation to private partners that are more passionate about technology than the Department itself. This would enable DoD to work much like a civil regulator, watching and being actively engaged in the process but unleashing the real experts to create the systems of tomorrow.

The possibility that consumer drones may be engaged in cyber-espionage – with or without their users’ knowledge – also highlights the need for a growing counter-unmanned aircraft system (C-UAS) industry. Effective C-UAS will allow those in charge of the sensitive intelligence targets mentioned above to exclude prying eyes from their airspace in a way that is simply unattainable by any other means. C-UAS will also enable regulators to worry less about someone accidentally flying their aircraft close to an airport and concentrate on bad actors or those who break the regulations for hire.

Finally, this entire episode between the Army and DJI also highlights the need for a think tank and central point of contact on military affairs, civil defence and technology innovation in counter drone equipment in the United States. The C-UAS Coalition is perfectly tailored to that mission and is rapidly expanding to fill its role. The Coalition will continue to unite manufacturers with users and asset owners to create compelling new technologies and safeguard American airspace. This includes academic papers of support, R&D testing of tactics and equipment, and keeping members abreast of ongoing policy changes as this pioneering phase develops into an industry.

Rob Thompson
Rob Thompson is the co-founder of Falcon Foundation, a 3rd generation commercial multi engine pilot, and a Part 107 holder who also holds a Master of Science from James Madison University for his work in aviation system designs and technical & scientific writing. Falcon Foundation provides leading advocacy efforts in the unmanned aircraft systems industry, managing government relations, committees of association, executing legislative and regulatory strategies and creating law through the corresponding legislative committees, by working independently on advocacy issues, educating clients on public policy issues quickly, and engaging team members to facilitate successful results. Client policy issues include aviation regulation, unmanned aircraft systems, Part 107 waivers, the regulatory process, and industry safety concerns. Client groups include aviation professionals, unmanned aircraft systems operators, both commercial and hobbyist, and non-aviation business sectors, including small business service and manufacturing sectors.