Is It Amateur Hour at the DOI? – How DJI Has Bamboozled the US Government Again
An alternative title for this article would be “Nice try DJI” because you are only fooling more of your amateur security experts and wasting tax payer money and government resources. DJI released an article in conjunction with a DOI report.
From the article on DJI’s website:
The DOI’s findings were presented in a flight test and technical evaluation report issued last week [1]. Key findings of the report included:
Notice they word this as key findings like they found something useful:
1. DOI has been working with DJI for over two years to create a solution that would allow its bureaus access to DJI’s high-quality off-the-shelf hardware equipped with custom firmware and software to prevent intentional or unintentional data leakage to any outside entities.
How is this a key finding and not a statement?
2. Testing of the Government Edition solution began in April of 2018 as part of the three-phase testing plan developed by DOI.
More statements…
3. Testing included 1,133 flights totaling 298 hours on the DJI Matrice 600 Pro and 1,112 flights totaling 240 hours for the DJI Mavic Pro drones.
Another statement…
4. DOI collaborated with the National Aeronautics and Space Administration (NASA) Kennedy Space Center as well as other industry and federal partners with expertise in data management assurance testing to conduct targeted assessments of Government Edition hardware, firmware, and software.
Great another statement, where are the findings?
5. During testing there was no indication that data was being transmitted outside the system, confirming that they were operating as promised by DJI.
Oh really? This is easy to confuse as an admission of being secure, but is it? What are the metrics of the test, what penetration testing was completed?
Flaws in the Testing:
If we review the comments of the security company who did the testing we find that on Page 39 “3 Data Leakage Tests – We captured the internet traffic during nominal usage of DJI’s specialized systems for the Department of the Interior and analyzed the traffic to determine if the systems contacted DJI servers during that usage. This kind of test cannot prove that the systems won’t contact DJI servers, as the software might only transmit data during conditions that are infeasible to test.”
This whole article should be read, but all you need to see to make a choice is the statement by the research company who DJI hired “Drones Amplified” to do the security testing. Upon inspection of this company we find they are not known in the security world and were probably given some free DJI equipment as a fan boy company. In an unverified statement given by a DJI insider the DOI chose this company to review the product. My thoughts are why would they choose this company? They are not vetted as a security company, and are completely the opposite, they are a drone company who specializes in firefighting might we suggest some collusion on the DOI’s part in this bone headed selection? Should we trust that they were even truthful? DOI completed the report, but Drones Amplified signed off on the security findings, this seems very suspicious and they are not in any way reflective of a US government verified security firm.
Remember Volkswagen?
A good friend of mine is Michael Melkerson featured on the Netflix show Dirty Money Episode 1 who represented the owner who bought a VW and sued them. It was discovered by a University that when you hook a car up to the test which is like a dyno machine the car would run a different set of metrics, basically if the car was hooked to a dyno machine the wheel stayed straight and neutral for a given amount of time at various speeds then it would revert to a different set of emission metrics. Michael used this verification from a legitimate security professional as his tool to go after and beat Volkswagen.
How do we know there isn’t a test just like this for DJI? Maybe a software override if it is hooked up to a device and not flying? A comment on LinkedIn from Marc Matthew a Senior Python Developer with more skills than the whole Drone Amplified company says:
“Think Volkswagen and emissions testing… Onboard software sees a “test” and alters behavior, a prototype:
if (port_scan_detected()):
send_data_to_china_later = True”
Kevin Finisterre’s (Follow Him @d0tslash) Comments on Twitter:
1) Testing does not mean reverse engineering, nor does it include finding backdoors to gain entry. The company used limited means to look for vulnerabilities.
Source: https://twitter.com/d0tslash/status/1148977414615326721
2) KF points out the admission that the test is invalid actually stated by the “Security Firm” with zero creditability – Drones Amplified.
Source:https://twitter.com/d0tslash/status/1148944323607769088
3) The company used an unsophisticated tool called Wire Shark which is a pretty weak tool for finding security flaws not to mention the drone was never flown with the program activated.
Source:https://twitter.com/d0tslash/status/1148944651606536192
4) “These DNS requests and pings aren’t leaking flight data to DJI servers, but there’s no good reason for the apps to do them.” Sans a proper firmware RE session, for all you know this is a check in packet to a DJI Command and Control server ;) but you aren’t security folks anyway”
Commentary: KF is basically stating they do not do the investigation correctly and were very sloppy in choosing a methodology to find the vulnerabilities.
Source: https://twitter.com/d0tslash/status/1148945151492009984
5) “I challenge @djiglobal @djienterprise to get a hardware penetration test / backdoor audit from @atredis…. Someone *actually* respected in the security industry. I bet they won’t! ;)”
We have reapitdly challenged DJI to do testing with recommended 3rd party testers not some drone company amateurs, but this has fallen on deaf ears at DJI and now the DOI who were bamboozled into hiring some chumps to the do the testing.
6) “1.Observed test results cannot be extended to future DJI GE software, firmware, or hardware updates.” Absolutely correct! Nor can they be retro actively applied to older firmware versions or previous software states…
Source:https://twitter.com/d0tslash/status/1148941883298783237
7) “Also please note “@djiglobal modified the firmware several times during the testing period “ software and hardware should remain static during a test like this… IMHO (In my humble opinion)
Source: https://twitter.com/d0tslash/status/1148940993137381377
8) “@djienterprise @djiglobal “The limited scope analysis focused primarily on the following elements” catch that? LIMITED SCOPE! Common game in security auditing…. Ask @greybrimstone.”
Kf is stating that the word phrasing for this is a common way for amateurs like this one who conducted the tests to gain the results they seek, a limited scope could be as simple as monitoring the data usage which proves absolutely nothing if you don’t have the whole picture and experience to make that call.
Source: https://twitter.com/d0tslash/status/1148939998068187136
9) “This report is full of conflicting information. Example “At worst, it’s informing the app of DJI servers that it could potentially leak data to.” Right after saying “We did not detect any leakage of data to DJI servers with any of the apps.” Make your mind up! Which is it!?”
This is pretty contradictory to their claims throughout the report.
Source:https://twitter.com/d0tslash/status/1148945392123490306
Conclusions
KF’s Conclusion:
Source: https://twitter.com/d0tslash/status/1148946776998780928
My conclusion:
Why did DOI authorize this report and sign off on it “willy nilly” from some fraud drone security “experts” who are in bed with DJI? Seems there is collusion here with the same company specializing in fire-fighting, do you see the connection? If we had more resources I bet we could find the exact person who recommended this company either as the director of this investigation or DJI themselves. For this reason I am calling for the firing of every employee at DOI who authorized and signed off on this including someone I used to have respect for Mr. Mark Bathrick who on appendix C has his John Hancock. Once again, they sent a plumber to repair a car and are giving a false sense of security to the general public plain and simple!!
I also want to know why I am doing the US Governments job and having to play hall monitor to this fiasco? I don’t get paid for the time I spent on this article, research and communicating between true experts. I also want to call attention to the FAA who have invited DJI into the inner circle and who appointed the CEO of Precision Hawk who doesn’t have a day in aviation in his life to the Drone Advisory Committee? Are you kidding me enough is enough already!! I guess on my own dime I’ll go over to my various contacts at the US agencies, and Congress to plead my case for the removal of this nonsense. We could have easily saved the tax payers all the money for this 15-month pork barrel and inconclusive report. As stated by KF and myself there are other way more experienced companies to have completed this work, I have heard they would even volunteer to help for free to stop the madness, but I assume it wasn’t in the DOI’s interest because “they don’t have any alternative drones to use,” this is not my problem and it is time to get on the program.
We at the CUAS Coalition are seeking a big 4 defense contractor or US agency to come off some of that money they gained from tax payers to support our efforts. I am contacted everyday regarding my knowledge by these companies and low on the totem pole employees who would like to hire me as a walk on or to provide them information, contacts and equipment. I don’t work for free people; I got a child and bills. I will however go after government waste and security flaws that others wouldn’t touch with a 10-foot pole. You big 4 know who I am and it’s time to pony up or be left behind. Once this thing comes full term because the adversaries will be a full 3 to 4 iterations out, meaning improvements over our existing capabilities. We have solutions, training and personnel to tackle these challenges.
If you like my “free” and patriotic work please contact me to contribute to our efforts at:
Email: R.Thompson@cuascoalition.org
Website: www.cuascoalition.org
