Following New Cybersecurity Audit, Local Data Mode Feature Coming To More DJI Drones To Eliminate Internet Connection And Prevent Transmission Of Drone Flight Data
September 9, 2020 – DJI, the world’s leader in civilian drones and aerial imaging technology, will make Local Data Mode, an easy-to-use and effective data privacy feature that eliminates internet connectivity and prevents the transmission of all drone data over the internet, available in the DJI GO4 and DJI Fly flight control apps within the coming months. The feature has been available for DJI drones through the DJI Pilot app since 2017. Today’s commitment to expanding availability of this feature follows an independent review and validation of Local Data Mode and DJI’s drone products by FTI Consulting (FTI), a global leader in cybersecurity.
This expansion brings Local Data Mode to operators of all recent DJI drones, allowing commercial and government customers, including public safety agencies and other federal, state and local government users, to confidently choose the best DJI drone for each mission. All DJI drones provide data security protections for their users by empowering them to decide whether and when their drone data is shared externally. Local Data Mode provides government and commercial customers with additional assurance that data generated during drone operations is effectively protected. It is an internet connection “kill switch” feature within DJI’s command and control mobile applications that, when enabled, prevents the app from sending or receiving any data over the internet. With this feature enabled, drone operators can easily and effectively cut off all network connections from DJI’s mobile applications and prevent any data from being transferred to DJI or other parties.
“For commercial and government customers who generate highly sensitive data and operate with rigorous data security protocols, Local Data Mode provides simple and effective operator-controlled assurance that no data from their flights will be transmitted over the internet,” said Brendan Schulman, Vice President of Policy and Legal Affairs at DJI. “This expanded capability for DJI customers builds on the results of FTI’s independent analysis and demonstrates yet again that DJI empowers its customers to protect their data.”
Independent Cybersecurity Audit Validates Local Data Mode
FTI recently conducted an analysis of DJI hardware and software including a source code review of DJI applications as well as a hardware cybersecurity review of devices. All DJI products were procured independently for testing and DJI provided FTI with access to more than 20 million lines of application source code for an audit focused on understanding communication protocols and destinations. The executive summary of FTI’s full analysis is available for download at this link.
The FTI audit found that when Local Data Mode was enabled, no data generated by the drone or application was sent externally to infrastructure operated by any third party, including DJI, validating DJI’s assertions about the utility and function of the feature. FTI also found that using Local Data Mode with the “Allow Map Services” featured enabled, which gives operators additional situational awareness during flight, resulted in data sent and received only to a trusted third-party American mapping provider, Mapbox. FTI’s assessment also confirmed that DJI employs various security best practices.
How Local Data Mode Works
DJI drones are controlled by flight control apps which operate on smartphones or tablets either by themselves or in connection with a remote-control unit. They routinely communicate over the internet with servers from DJI and third-party service providers. Through these communications, the apps check for software and firmware updates, and also obtain relevant localized data for flights, including maps to display on the app screen; geofencing restrictions including government-issued temporary flight restrictions; radio frequency and radio power requirements for the flight region; and other information that enhances flight safety and functionality.
There are two options for enabling Local Data Mode, namely enabling Local Data Mode only and enabling Local Data Mode together with the map service request. Turning on Local Data Mode stops all DJI app communications to and from the internet, helping assure drone operators that all data remains local and entirely within their control. When operators want to use the network-based mapping services available through DJI’s apps under Local Data Mode, they can enable the “Allow Map Services” feature to access them, which allows internet communications only with the server of American map services provider Mapbox. Other apps on a smartphone or tablet are not affected by the use of Local Data Mode.
Additional Protections For Commercial And Government Customers
For commercial and government customers who want advanced drone fleet management capabilities offered by DJI FlightHub software, FTI’s analysis also found no evidence of data being requested or transmitted externally with the combination of FlightHub Enterprise and the DJI Pilot PE application. FlightHub Enterprise is a version of FlightHub that is installed and hosted on a customer’s local IT infrastructure, and the DJI Pilot PE application is a custom version of DJI Pilot for use with FlightHub Enterprise.
DJI also continues to offer its Government Edition solution created specifically for use in high-security situations by government agencies. The solution involves custom device firmware and operational software in a unique architecture that supports high data security requirements, including Local Data Mode permanently enabled, to ensure that drone data can never be shared with unauthorized parties including DJI. While not part of the scope of FTI’s analysis, DJI’s Government Edition solution has been independently reviewed by U.S. cybersecurity firm Booz Allen Hamilton, U.S. Department of Interior, and U.S. Department of Homeland Security.
Ongoing Commitment To Cybersecurity and Data Privacy
Today’s news marks another milestone in DJI’s ongoing multi-year cybersecurity and data privacy commitment to assure customers that DJI drones are safe and secure for operation across a wide variety of missions and environments. DJI offers Bug Bounty awards to researchers and others who discover and responsibly disclose issues that could affect the security of DJI’s products, and proactively has its products independently examined by private U.S. cybersecurity firms and U.S. federal agencies. They include studies by U.S. National Oceanic and Atmospheric Administration, U.S. cybersecurity firms Kivu Consulting and Booz Allen Hamilton, U.S. Department of Interior, U.S. Department of Homeland Security, and today’s report from FTI Consulting. For more information about DJI’s cybersecurity protections, please visit https://security.dji.com/data/overview/.