Slashdot Mirror


US Army Calls Halt On Use of Chinese-Made Drones By DJI (theverge.com)

Due to "an increased awareness of cyber vulnerabilities with DJI products," the U.S. Army is asking all units to discontinue the use of DJI drones. The news comes from an internal memo obtained by the editor of SUAS News. It notes that the Army had issued over 300 separate releases authorizing the use of DJI products for Army missions, meaning a lot of hardware may have been in active use prior to the memo, which is dated August 2nd, 2017. The Verge reports: SUAS News published a piece back in May of this year that made a number of serious accusations about data gathered by DJI drones. Author Kevin Pomaski starts out writing, "Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent." However, he never follows up with evidence to demonstrate how this data becomes public or can be found through a Google search. Pomaski also points out, correctly, that when DJI users elect to upload data to their SkyPixel accounts through the DJI app, this data can be stored on servers in the U.S., Hong Kong, and China. This data can include videos, photos, and audio recorded by your phone's microphone, and telemetry data detailing the height, distance, and position of your recent flights. DJI provided the following statement to The Verge: "People, businesses and governments around the world rely on DJI's products and technology for a variety of uses including sensitive and mission critical operations. The Department of the Army memo even reports that they have 'issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.' We are surprised and disappointed to read reports of the U.S. Army's unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.' Until then, we ask everyone to refrain from undue speculation."

45 comments

  1. Just don't plug it in to the Internet by ColdWetDog · · Score: 1

    The drones can't download anything to anywhere without you actually and in fact connecting the control software (DJI Go) to the Internet. While it likes to do that as a default (as does everything this side of your toaster) it's easy to block. There are a lot of people flying DJI stuff that purposely DON'T allow the software to update in order to keep DJI from screwing things up. They have a very checkered history when it comes to 'updates' (Oops, you crashed).

    Just don't understand what the paranoia is. Surely, somebody in the Defense Department's Cyber vetted the software. Yes?

    --
    Faster! Faster! Faster would be better!
    1. Re:Just don't plug it in to the Internet by EndlessNameless · · Score: 3, Interesting

      Just don't understand what the paranoia is. Surely, somebody in the Defense Department's Cyber vetted the software. Yes?

      That's where you run into problems with companies that release dodgy software.

      Let's say you vet v1.1 to ensure it has no operational bugs that will affect your mission profile. You also verify that the software is not compromised in any appreciable way.

      Eventually, there will be a vulnerability in v1.1, and you will have to upgrade to v1.2---ideally before any new missions are scheduled.

      But wait, there's a critical bug in v1.2 so you cannot upgrade. You either accept the risk of operating with the v1.1 vulnerability, you postpone the mission, or you find another way to accomplish the objective.

      If a manufacturer routinely releases poor-quality updates or takes too long to fix vulnerabilities, then it is absolutely reasonable to blacklist them.

      And in this particular case, where the code is supplied by a company from an adversarial nation, maybe it is reasonable to exclude their products from consideration entirely.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    2. Re:Just don't plug it in to the Internet by dAzED1 · · Score: 2

      did you say /maybe/ it is reasonable to exclude potential security products from adversarial nations? Every DITSCAP, DIACAP, or DIARMF process I've ever driven has *required* that. Anything actually assigned a mission assurance category - even MACIII - can't just be regular-ol' COTS. It has to be COTS that is then assessed, and part of that is if any sensitive information is ever involved, the COTS product likely can't stay COTS anymore (because none of them do labeling by default) and suddenly you now can't have developers that don't have security clearances. I can't wrap my head around a use case for these drones in the military that wouldn't already have excluded anything developed by non-cleared personnel.

    3. Re:Just don't plug it in to the Internet by PolygamousRanchKid+ · · Score: 1

      Well, at least the US military is not using routers made in China . . .

      . . . oh . . . wait . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    4. Re:Just don't plug it in to the Internet by Anonymous Coward · · Score: 0

      That's what they get for not using APK's hosts file to block out all of the bad stuff on the Internet....

    5. Re:Just don't plug it in to the Internet by ColdWetDog · · Score: 1

      A lot of it is open source software anyway. I think the majority of the Phantom firmware has been hacked and is now on Github.

      --
      Faster! Faster! Faster would be better!
    6. Re:Just don't plug it in to the Internet by drinkypoo · · Score: 1

      The drones can't download anything to anywhere without you actually and in fact connecting the control software (DJI Go) to the Internet. While it likes to do that as a default (as does everything this side of your toaster) it's easy to block. There are a lot of people flying DJI stuff that purposely DON'T allow the software to update in order to keep DJI from screwing things up. They have a very checkered history when it comes to 'updates' (Oops, you crashed).

      But don't they also have all kinds of 'features' that might require you to connect to the internet before you can even fly because their software is so lousy?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Just don't plug it in to the Internet by rtb61 · · Score: 1

      Why the hell would you bother screwing with software, that can easily be checked. You always hack the little stuff. So preferred logical target, capacitors. You have high efficiency expensive small capacitors and low efficiency cheap large capacitors (same load). So you make small capacitor, fix a chip to its surface in the current path and add a larger package over it. So in the chip in current path where transmissions can be received, has only one purpose, wait for the encrypted signal to be received and then short out, job done. On the operator end, the motherboard died, all motherboards died, crap, get new board from storage for emergencies, swap them in and they die. Now you are in deep shit, all equipment down, all spare parts die when installed, you can not order more because your systems are down and it depends on how far you can spread your capacitors as to how much of a country's digital infrastructure utterly collapses. You can create boards with hidden internal communications layers, you can create CPUs with a second hidden CPU in the package, micro electronics can be shoved in all over the place, even into the CPU itself. It doesn't take many transistors to wait for a specific message in order to shut down, more complex to retransmit data via power circuits but at high capability entirely doable. No country's digital infrastructure should be reliant on another country, that puts you pretty much at beggar status, entirely dependent upon that other country. Disobey and your country goes digitally down and that means fiscal collapse, starvation, suspension of medical service and collapse of government administration, making repairs extremely difficult and very lengthy. Of course the country that should be least trusted is the US, there are other countries that should be trusted less ie Israel, Saudi Arabia, North Korea plus a bunch of African, South American and Asian states, but they tend not to produce much to infest your infrastructure, so the US is by far the greatest threat in that regard, Israel probably number 2. In the most absurd fashion imaginable China is more trustworthy than the US, oh my how far the mighty and arrogant have fallen and Russia is way more trustworthy. Of course there are a bunch of European states that are more trustworthy even the UK squeaks ahead of the US, having chosen to follow the US down a path of corruption.

      --
      Chaos - everything, everywhere, everywhen
    8. Re:Just don't plug it in to the Internet by dAzED1 · · Score: 1

      where did I say anything about software? And wow but was that a whole pile of words you just gave us...

    9. Re: Just don't plug it in to the Internet by Anonymous Coward · · Score: 0

      Like Lenovo?

    10. Re:Just don't plug it in to the Internet by Anonymous Coward · · Score: 0

      Appy apps like apps like not afraid to like Luddite appy apps. Apps!

    11. Re:Just don't plug it in to the Internet by Anonymous Coward · · Score: 0

      missing the point everyone.

      this has way less to do with the software and everything to do with the real time data that is being sent to dji.

      that's sending us army drone flight location data in real time to dji in china. also (surely) the manufacturer could have potential to takeover those devices remotely. that would be scary intelligence data to leak to a random chinese company.

      that's the real problem here as far as i'm concerned.

  2. Commies BURN IN HELL!! by Anonymous Coward · · Score: 0

    And we should thank PRESIDENT DONALD JOHN TRUMP for sticking it to teh commies!

    TRUMP powa!

  3. Re:OK, they're idiots in the first place by Tablizer · · Score: 1

    DJI are simply profit-hungry assholes that depend on open-source to give them clues. They have ripped off and stolen everything they have ever done. This is the Chinese way.

    American companies invent their own evil.

  4. Idle speculation by NoNonAlphaCharsHere · · Score: 1

    We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.' Until then, we ask everyone to refrain from undue speculation."

    I'm going to go ahead and speculate that if they don't know what 'cyber vulnerabilities' means, then they shouldn't be making drones.

    1. Re:Idle speculation by Anonymous Coward · · Score: 0

      I wonder if DJI will consider suing the US Army for slander? Especially if it causes them to lose a lot of their customers!

    2. Re:Idle speculation by Anonymous Coward · · Score: 0

      No, because then it'd go to public court, and the actual source code would become the issue. When DJI's source is shown to have some vulnerability (because ALL software does), they'll lose the case, have revealed their source code, AND embarrassed themselves.

    3. Re:Idle speculation by Anonymous Coward · · Score: 0

      I'm going to go ahead and speculate that if they don't know how americans define 'cyber vulnerabilities' means, then they shouldn't be making drones.

      FTFY.

  5. In other news, Sheep calls Wolf for babysitting... by laupark · · Score: 0

    Who the F didn't see this coming? A ChiCom pseudo-corporation providing spy equipment to the US and it "might" have a backdoor? LOL - USA has jumped the shark for sure.

  6. What Kind of Certification Program does Army Have? by mykepredko · · Score: 4, Insightful

    I guess the DJI drones are cheap, easy to use and reliable, but I would have thought somebody who gives out the certifications to buy the units would have enough tech savvy to ask questions whether or not data from the drone was stored and where was it stored.

    Anything with a camera that has internet access and could store data on the "Cloud" used by military personnel should be an immediate concern and should be investigated before allowing it to be purchased. I doubt it could affect operations in real time, but it could provide images of the faces of allied forces as well as a record of tactics used.

    Somebody in the Army needs to understand where the certification process doesn't work and fix it.

  7. wut? by WolfgangVL · · Score: 0

    The US Army is buying DJI hardware? This really blows my mind. How come the Air Force has not created the manpack combat quadcopter yet? If they have, why haven't they shared it with the Army?? What is the Army Corps of Engineers doing while in garrison? Why on earth would any highly funded combat focused organization use consumer level quadcopter shit? I bet there are lower enlisted in barracks building their own racing quads right under their noses.

    Nobody anywhere up the chain of command thought, "Gee, showing the enemy how to effectively use off-the-shelf and easily available high tech gear in combat operations might not be the best idea." ????

    Why bother with microfilm when you can just amazon prime your very own unit?

    I guess they are so busy fighting off the SJW onslaught over trans in the military they just don't have time to ask questions?

    The military applications for quadcopters are damn near endless. Somebody is asleep at the wheel.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    1. Re:wut? by Anonymous Coward · · Score: 0

      They're not using the same quadcopters that you can buy on amazon. They have custom quadcopters built just for them.

    2. Re:wut? by Max_W · · Score: 1

      It is not that easy to build a quad-copter which can match the DJI. Even if the US Army builds its own quad-copter it would be built still from components made in China, from the aluminum produced in Russia, plastic made from Iranian oil, etc.

      DJI copters are incredibly reliable. I own DJI F450, DJI Phantom 3, Phantom 4 Pro+, and Spark. They all still fly well, and my US EBlade quad is somewhere in a forest, where it dropped from the sky.

      The problem is that in the USA there is no base. The FAA produces layers upon layers of regulations, seven hundred pages of them. It forbids any meaningful usage of civil UAVs. And it is not possible to build good aircraft if there is no market.

  8. Not a bad idea... by DanielNS84 · · Score: 0

    Honestly, I don't blame them...I was in the Army and frequently I was worried with some of the risk taking. Now that I'm out and working in IT I just had a customer purchase a "refurbished" laptop from China and we had to spend hours removing rootkits and trojans from it (maybe not the norm, but still worrying). It's simply not worth the risk, especially when dealing with something as important as defense.

    1. Re:Not a bad idea... by Anonymous Coward · · Score: 0

      I just had a customer purchase a "refurbished" laptop from China and we had to spend hours removing rootkits and trojans from it (maybe not the norm, but still worrying).

      It certainly is not the norm to spend that much time removing Windows 10.

  9. for some reason... by Lead Butthead · · Score: 1

    the Second Cylon War comes to mind.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  10. how to win a war by Anonymous Coward · · Score: 0

    step 1: sell drones to the US army
    step 2: let the army arm them
    step 3: update the firmware.

  11. Don't remember if it is them or Yuntec.... by Anonymous Coward · · Score: 0

    But one or the other is using Intel Realsense, which means it is running on an Intel based SoC, which should mean, as long as the OS only relies on local data transfer (and if not, demand a custom milspec operating system/source code, plus custom signing keys for military models if necessary...) then the only issues would be if anything was being transmitted in the clear, and/or if the device can be remotely exploited to provide either GPS information or a video feed which could be used to backtrace the unit's landing location and thus the location of part or all of the army unit utilizing them.

    Really though, other than the 'buy american' crap, I don't see any reason they shouldn't be using them for recon until PROPER US Army issued models are available, just like in the past with personnel bringing body armor or personal sidearms because the military bureaucracy wasn't issued what the soldiers needed in the field in a timely fashion. People often forget just how often soldiers have relied on third party equipment in the field because the military cannot/will not get the equipment they need out to them while the most heated parts of the war are still active.

  12. Maybe they should take some of those billions by future assassin · · Score: 0

    that is spent on the war machine and use a few millions to create a company to build US made drones that can be sold to military and civilians.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:Maybe they should take some of those billions by Anonymous Coward · · Score: 0

      There are many US companies developing drones for defence and other government applications. Problem is that they are insanely expensive. You could probably give every soldier his own DJI drone without really affecting the budget, but with most of these US made systems (eg AeroVironment) that would absolutely be cost prohibitive.

    2. Re:Maybe they should take some of those billions by TheGratefulNet · · Score: 1

      agreed; the ability to make them here, entirely from scratch silicon EXISTS. it's BEYOND STUPID to send money to china for drones for the military! unbelievably stupid.

      not only would it be good for our economy, but given the sensitive nature of military gear, NO parts from unfriendly nations (ie, almost all of them, at this point; let's be honest) should be put into such gear.

      and since the military is not cost sensitive (like a consumer would be) there's zero reason to not make them here. they'll cost more, but they'll have an audit trail you can trust.

      --
      "It is now safe to switch off your computer."
    3. Re:Maybe they should take some of those billions by Anonymous Coward · · Score: 0

      Buy Brazilian!

  13. Is this how it starts... by Trax3001BBS · · Score: 1

    North Korea shoots off new USA hitting Missile

    The USA tests anti-missile weapon July 30 http://www.cnn.com/2017/07/30/...

    China tests out anti-satellite weapon Aug 2 http://freebeacon.com/national...

    Now this...

    1. Re:Is this how it starts... by DivineKnight · · Score: 1

      Makes you wonder what we have in space...

  14. Open your eyes. by Anonymous Coward · · Score: 0

    It's not surprising that the US army uses DJI - They are cheap, and better than anything the US can manufacture at the price. Commonly there is no budget assigned to mini-drone use, and they solve a problem that is otherwise unsolvable.

    Recently, I saw some operators using DJI drones, and I thought it would be rude to mention the security implication of where they had stored the drones so I didn't. Instead, I noted that they are going to need some expertise in that area in a few years when they do notice the security implications of using Chinese recording devices in special forces compounds. So I started learning to "drone".

    This means the US military will need drones, motors, flight controllers and ESCs sourced locally, eventually - As well as camera and gimbal technology. All areas in which the Chinese are leading the US. And they aren't going to buy their minidrones for US$1Million from General Dynamics.

    Maybe it's time some slashdotters realized this is a business opportunity, not a chance to make fun of the military.

  15. As an RF engineer... by Anonymous Coward · · Score: 0

    and someone who has been designing 4-rotor helicopters since 2003, I would say the issue is probably related to DJI's choice of communications. The military really needs something better than hobby-grade RF technology for controlling these units from afar. Doesn't surprise me one bit that they got this far with a shit RF link though. Tax payer money doesn't require excellence in anything.

  16. Re:What Kind of Certification Program does Army Ha by Anonymous Coward · · Score: 0

    I don't understand why they would buy from DJI? DIY drones are more popular, cheaper, way more fun and fly just as well with open-source software/hardware. DJI needs to die already.

  17. Biggest problem: We don't have a full set of code by Anonymous Coward · · Score: 0

    We're restricted to using these and other devices with our smart phones and there is no source code for the apps. They should release a full set of code for both any apps and the drones themselves. And we should have code for GNU/Linux and any other operating system one might want to build the software for. And it should be under a free software license of some sort. Fix this and we can begin to talk about security.

  18. Re: OK, they're idiots in the first place by Anonymous Coward · · Score: 0

    They fucking make the best commercial drones out there.

    Now I really hope one day that one of our companies could catch up with DJI...

    I mean a lot of China hate is justifiable, but DJI is one of the few that really impress.

  19. LOL by Anonymous Coward · · Score: 0

    This is what happens when you outsource all of your production / manufacturing to a foreign country. They end up producing the best hardware, and your own products can't compete. So their software goes into the firmware.

  20. Civil ban is on its way by Anonymous Coward · · Score: 0

    not anymore they don't.
    >People, businesses and governments around the world rely on DJI's products and technology

    Google and others are going to be paying attention to this -- The shrink-wrap/click-thru terms of service are barely legal to begin with, but start streaming operator A/V feeds (including more targets than just the original purchaser) across state and national boundaries and you WILL pay.

  21. The military should not use Chinese anything. by sabbede · · Score: 1

    Given that conflict between the US and China is hardly impossible, it is absolutely ridiculous for the military to use anything made in China. Why not just hand over our nuclear codes to them?

    Stupid, stupid, stupid.