DJI, Huawei, Spying and How They Bamboozled the FAA and American Public

DJI is in the press again about security concerns and has continually been allowed free range access over at the FAA when they were continually warned about security vulnerabilities. DJI has made public statement after public statement, but who should you believe? A foreign company or their US Public Policy person with zero security experience?

Why do the FAA still allow them to be part of the discussion and attend meetings after all the security concerns?

DJI has security problems why does the FAA continue to support them?
 They have infiltrated the US to include:
o Policy round table discussion with the FAA (a foreign company is helping to write US laws poised to increase sales)
o The FAA is giving unlimited access to our sensitive locations across the country by giving foreign manufacturer access to the NAS with real-time updating to include TFR’s which are for diplomatic movement, national security and military exercises.
o Sold units to the US Military with known security issues
o Sold units to Public Safety to include Law Enforcement with known security issues
o Own 70% of the market in the US (where are the US companies?)
 US small business were pushed out by FAA hoping a company like DJI
would pay for the infrastructure
 Pushed out small business drone companies with huge marketing
campaigns
 DJI is subsidized by 90% by the Chinese Government as a company
o Have lobbied against rights for model aircraft
o Have lobbied against US aviation regulations to gain more sales
o Has lobbied against safety recommendations to gain more sales
o Has publicly chastised anyone who questions them or their security problems

Early Days

It all started back in early 2016 at a bar in Washington, DC when I was approached by someone who had some security concerns with DJI. It was an interesting talk which would change the history and future of drones forever. I thought I needed more proof and was offered just that, without giving the details of this conversation I will present the story through my eyes and the press.

After my meeting in DC, I contacted a good friend of mine Kevin Finisterre who had just finished a project and I asked him to look at this and he agreed. In the “Early Days,” it was just a handful of people working on this inquiry as one thing lead to another then a few articles emerged that at the time was really shocking to most. Hacking drones seemed unreal and unlikely to most, but soon this would be generally accepted knowledge.

When all said and done a few people were able to turn public opinion from a handful to more than 80% of the public believe DJI is collecting data. Don’t get me wrong DJI has a fine product, but the data collection thing is something that should not let happen in our country.

  1. Late 2016 approached by 1 person who had a suspicion based on their security background and some work they did to see where the data went or if any data was collected by DJI.
  2. Late 2016 Spoke to a security “white hat” hacker Kevin Finisterre who took DJI on as a threat to public safety.
  3. 2016 How to hack a drone article: https://www.futurity.org/drones-hackers-security-1179402-2/
  4. Early 2017 Total of 3 people (and their teams) with working knowledge on the security vulnerabilities of DJI.
  5. Mar 2017 Public comments on DJI security vulnerabilities in which the general public called those working on this problem conspiracy theorists, trolls and crazy.

Media is Alerted

Once Kevin made his speech at the sUSB Expo in San Francisco a great deal of momentum picked up surrounding the issues and more articles came out about his involvement. DJI responded with a new firmware update that didn’t fix the backdoors or security vulnerabilities.

6. May 2017 White hat hacker Kevin Finisterre presents at sUSB Expo his findings on DJI and security vulnerabilities

7. DJI makes a firmware update https://www.vice.com/en_us/article/3knkgn/dji-is-
locking-down-its-drones-against-a-growing-army-of-diy-hackers

Federal Authorities Alerted

When the federal authorities were alerted even more momentum was gained, the DOD supposedly leaked a memo that said to stop using DJI drones in all military applications. DJI responded with a Bug Bounty Program that Kevin entered and found some major concerns. He tried for a few months to get paid, but never was offered payment, he was however threatened with legal action. Kevin is a pro and old hat at hacking and has done this type of work for almost 2 decades.

He is sharp when it comes to infiltrating a company or system and has a lawyer retained for when he starts a new project. His legal counsel provided him support throughout this endeavour and Kevin never did anything wrong but expose the security problems the main goal of the program but was never paid for his work. This demonstrates the ability of DJI to spin the press, lie publicly about their technology and gain free positive press by giving out products.

I heard that one Verge writer whose article I have posted below was recruited by DJI to only publish positive press about DJI. With millions of dollars of advertising budgets they have bullied their way into legislation in the FAA.

8. Aug 2017 DOD orders to stop using DJI

https://mail.google.com/mail/u/0/#inbox/FMfcgxwCgpXpkscVGQNQVjcTlxwmfXWP?projector=1&messagePartId=0.1

9. Bug Bounty Program https://threatpost.com/dji-launches-drone-bug-bounty- program/127696/

10. Nov 2017 Bug Bounty Program Exposed
https://www.theverge.com/2017/11/20/16669724/dji-bug-bounty-program-conflict-researcher

11. Nov 2017 DJI calls Kevin Finisterre a hacker and threatened with legal action
https://thenextweb.com/security/2017/11/21/researcher-informs-drone-maker-dji-about-bugs-gets-called-a-hacker-and-threatened/

12. Nov 2017 DJI Statement on Security https://www.dji.com/newsroom/news/statement-about-dji-cyber-security-and-privacy-practices

13. Nov 2017 DHS Claims DJI is Spying for China
https://www.engadget.com/2017/11/30/homeland-security-claims-dji-drones-spying-china/

DJI Hires 3 rd Party Security Audit (Bogus Report)

DJI started back peddling and scrambling to find a way to spin this so that they could sell more products. They hired what they claim is a 3 rd party to review their security, but they had the final say on the publication of the results, who is to say they hired a dozen companies and published the one that said their was no problem, maybe that company wasn’t skilled enough to find any problems? How do we know? We do know IEEE came out with a report as well as another company who was not hired by them and both publish security vulnerabilities. Is this a big conspiracy? The actors would be government agencies and departments with IEEE and other security-related companies in the conspiracy, what do these people have to gain? Maybe they are loyal to our country and not the all mighty dollar?

14. Apr 2018 IEEE Makes Statement on DJI Security Vulnerabilities
https://ieeexplore.ieee.org/document/8326960/

15. Apr 2018 DJI Releases Security Report https://gizmodo.com/dji-releases-security-findings-it-hopes-will-quash-chin-1825469976

16. Senator Murphy Calls on DOD to Stop DJI May 2018
https://www.murphy.senate.gov/newsroom/press-releases/following-security-threats-murphy-calls-on-sec-mattis-to-ban-defense-department-use-of-foreign-made-commercial-drones-and-instead-support-us-drone-manufacturers

17. June 2018 DOD bans the sale of DJI https://dronedj.com/2018/06/07/department-of-defense-bans-the-purchase-of-commercial-over-the-shelf-uas-including-dji-drones/

18. DJI Drone Security Flaws with More Details from Bug Bounty and Security Researcher
https://www.wired.com/story/dji-drones-bugs-exposed-users-data/

DJI Ramps Up Their Public Safety Program for Sales

After a long time of articles not being published and an all quiet on the front, we see DJI slowly put in their grasp unwitting public safety officials to buy their equipment. It is hard for some to understand how they could be duped into buying systems made abroad? What is the process during a recorded public safety violation or crime to subpoena the Chinese for the video?

This completely violates all ethics and victims’ rights by being recorded and having their data collected over seas. It also compromises public safety by giving access to problems and possible vulnerabilities to our system of law. The original person responsible for Kevin gaining access into the DJI database was also sent to prison. He had written Kevin months before saying the government had threatened him with imprisonment, he did not know if it was real or a hoax because it sounded so far-fetched.

19. Dec 2018 NYPD Buys DJI Drones After Warnings https://www.slashgear.com/nypd-adds-14-dji-drones-to-its-force-under-new-uas-program-04556899/

20. Dec 2018 Almeda County Flies DJI Drones
https://www.eff.org/deeplinks/2018/12/alameda-and-contra-costa-county-sheriffs-flew-drones-over-protests

21. Apr 2019 DJI Employee Who Leaked Data Sent to Prison
https://www.zdnet.com/article/dji-employee-who-leaked-source-code-awarded-prison-sentence/

DHS Huawei and President Trump

Now we are present day with Huawei and President Trump who seems to be eying DJI next after his ban on Huawei. This reemergence of press on the issue seems to be preparing the public for what is to come as in the articles posted above many agencies and departments have made statements warning the public on the use of DJI equipment so there is nothing new here only speculation that DJI might soon be banned from sales and usage in the US. The telecom companies banned Huawei by kicking them from the Google play store and next Apple so the phone cannot download any apps leaving it useless besides testing and phone calls. How might the US government ban DJI? Will the telecom companies ban them from connecting to their networks? This would still allow video recording, but no updates to geofencing or upgrades.

This would render DJI dead in the water.

22. May 2019 DJI Could Be Stealing Data https://www.engadget.com/2019/05/20/us-government-alert-chinese-drone-data/

23. May 2019 DHS Issues Warning https://www.databreachtoday.com/dhs-federal-agencies-need-to-patch-vulnerabilities-faster-a-12439

24. May 2019 Feds to Energy Companies Issues Warnings
https://www.eenews.net/stories/1060369689

25. May 2019 Is DJI the Next Huawei?https://www.theverge.com/2019/5/21/18633744/dhs-alert-china-drones-dji-huawei

In closing, I would like to state that DJI has a fine product I used to own one until 2016 and could be fixed if they were willing to cooperate and not put out smoke screens. We do have current security concerns with the things Kevin has found and posted, also the accompanying US gov articles stating not to use their products. If you believe DJI then they have done nothing wrong, however, all Chinese companies are required to work for the Chinese government, it is mandated in their country. The “security experts” on DJI’s side call the US gov and their supporters’ conspiracy theorists and chastise them in public for their valid concerns.

I might remind people that DJI has no US computer experts on the payroll, they only have sales, marketing and policy people with zero security expertise.

When they make public statements based on US companies they chose to hire and publish the results it is to protect sales not answer any questions on the concerns. I call for more people to step forward and ask more questions.

People say I am harsh for asking questions, I believe they only feel this way because they know deep down, they have bought into something they know nothing about. My questions drive home what the core problems are in the US with DJI.

I am from a family of patriots, who all served in the military and who have held positions at the very highest levels in the government. I gain nothing by writing these articles, marketing wizards say I am doing harm to my sales.

I don’t sell anything but myself and if by asking questions, pointing to facts published by the US government and other accredited people, not on DJI’s fan list or payroll is causing harm to me, then I will harm away with zero remorse.

Previous articleDJI – Director of U.S. Regulatory Affairs
Next articleUTM TCL 4 Takeaway
Rob Thompson
Rob Thompson is the co-founder of Falcon Foundation, a 3rd generation commercial multi engine pilot, Part 107 holder who also holds a Master of Science from James Madison University for his work in aviation system designs and technical & scientific writing. Falcon Foundation provides leading advocacy efforts in the unmanned aircraft systems industry, managing government relations, committees of association, executing legislative and regulatory strategies and creating law through the corresponding legislative committees. By working independently on advocacy issues, educating the clients on public policy issues quickly, and by engaging team members to facilitate successful results. Client policy issues will include aviation regulation, unmanned aircraft systems, Part 107 waivers, the regulatory process, and industry safety concerns. Client groups include aviation professionals, unmanned aircraft systems, and operators, both commercial and hobbyists, and non-aviation business sectors, including small business service and manufacturing sectors.