No Evidence Of Drone Data Going To DJI Or China
- No evidence to suggest that data collected by DJI drones is being transmitted to China, DJI, or any other unexpected party – a new independent report confirms;
- DJI welcomes results, especially as the company has had to strenuously deny data-security concerns in the past;
- The audit was carried out on the Government Edition Mavic Pro, Government Edition Matrice 600 Pro, and the Mavic 2 Enterprise.
There is no evidence that data or information collected by DJI drones is being transmitted to China, DJI, or any other unexpected party – a new independent cybersecurity audit has confirmed.
DJI has welcomed the findings in the report and says that it is yet another third-party validation which recognises that operators flying DJI drones ‘have control over their data’.
The verdict will also be a relief for DJI, as the company has continually had to rebuke allegations that its drones are being used to collect and share sensitive data from the USA, branding them incorrect and misleading.
Earlier this year, the US Department of Interior (DOI) grounded its drones (including DJI models) for non-emergency operations, citing these cybersecurity concerns – something that DJI has always strenuously denied.
The security audit was performed by the cybersecurity team at global consulting firm Booz Allen Hamilton, on behalf of PrecisionHawk’s Unmanned Aerial Intelligence Technology Center of Excellence (UAS COE).
The audit found no evidence of data transmission connections between these drones and DJI, China, or any other unexpected party.
DJI Statement To The Findings
In response to the findings, a DJI statement read: “From our perspective, this important finding from an independent, globally recognised leader in cybersecurity indicates that DJI customers have control over the data they collect when using our drones, contradicting reports that data from DJI devices is surreptitiously routed to other parties.
“It is another independent validation of the security of DJI products following reviews by the U.S. National Oceanic and Atmospheric Administration, U.S. cybersecurity firm Kivu Consulting, U.S. Department of Interior, U.S. Department of Homeland Security, and others. The audit is a critical step toward ensuring emerging drone technology is secure and able to be trusted for government and enterprise operations.
“As an industry leader in the commercial drone market, we remain committed to working with customers, partners, industry, and experts around the globe to address security concerns. We encourage continued participation in the DJI Bug Bounty Program, the details of which can be found on our Security Response Center website. Taken together, these efforts will ensure our industry-leading products remain secure and trusted.”
While the audit found no evidence of data transmission to DJI, China, or third-parties, it did identify potential vulnerabilities associated with one or more of the three drone platforms that could be exploited or triggered by a threat source. Nearly all of those vulnerabilities require physical access to the drone itself, or for the attacker to be within direct radio range during specific operations.
In response, DJI has said that it is a welcome chance to further enhance the security profile of its products.
DJI said: “The audit discovered several low or moderate severity threat vectors that pose a low-security risk to DJI users and that are also present in comparable commercial drone products.”
The company added that it will take ‘concrete steps’ to address these issues; some of which have already been remedied, such as implementing the more robust AES-256 encryption on new and future enterprise products, including the Mavic 2 Enterprise.
HELIGUY.com™ is one of the world’s leading drone suppliers and is a DJI Gold Partner. With bases in the UK and US, access to a vast inventory of hardware, expert enterprise staff, a dedicated training team, and an in-house repair centre, HELIGUY.com™ can help you start or scale your commercial drone programme. Contact us by phone or email.