US Army Calls Halt On Use of Chinese-Made Drones By DJI

Due to "an increased awareness of cyber vulnerabilities with DJI products," the U.S. Army is asking all units to discontinue the use of DJI drones. The news comes from an internal memo obtained by the editor of SUAS News. It notes that the Army had issued over 300 separate releases authorizing the use of DJI products for Army missions, meaning a lot of hardware may have been in active use prior to the memo, which is dated August 2nd, 2017. The Verge reports: SUAS News published a piece back in May of this year that made a number of serious accusations about data gathered by DJI drones. Author Kevin Pomaski starts out writing, "Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent." However, he never follows up with evidence to demonstrate how this data becomes public or can be found through a Google search. Pomaski also point out, correctly, that when DJI users elect to upload data to their SkyPixel accounts through the DJI app, this data can be stored on servers in the U.S., Hong Kong, and China. This data can include videos, photos, and audio recorded by your phone's microphone, and telemetry data detailing the height, distance, and position of your recent flights. DJI provided the following statement to The Verge: "People, businesses and governments around the world rely on DJI's products and technology for a variety of uses including sensitive and mission critical operations. The Department of the Army memo even reports that they have 'issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.' We are surprised and disappointed to read reports of the U.S. Army's unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.' Until then, we ask everyone to refrain from undue speculation."

Just don't plug it in to the Internet

[ColdWetDog]

The drones can't download anything to anywhere without you actually and in fact connecting the control software (DJI Go) to the Internet. While it likes to do that as a default (as does everything this side of your toaster) it's easy to block. There are a lot of people flying DJI stuff that purposely DON'T allow the software to update in order to keep DJI from screwing things up. They have a very checkered history when it comes to 'updates' (Oops, you crashed).

Just don't understand what the paranoia is. Surely, somebody in the Defense Department's Cyber vetted the software. Yes?

Re:Just don't plug it in to the Internet

[EndlessNameless]

Just don't understand what the paranoia is. Surely, somebody in the Defense Department's Cyber vetted the software. Yes?

That's where you run into problems with companies that release dodgy software.

Let's say you vet v1.1 to ensure it has no operational bugs that will affect your mission profile. You also verify that the software is not compromised in any appreciable way.

Eventually, there will be a vulnerability in v1.1, and you will have to upgrade to v1.2---ideally before any new missions are scheduled.

But wait, there's a critical bug in v1.2 so you cannot upgrade. You either accept the risk of operating with the v1.1 vulnerability, you postpone the mission, or you find another way to accomplish the objective.

If a manufacturer routinely releases poor-quality updates or takes too long to fix vulnerabilities, then it is absolutely reasonable to blacklist them.

And in this particular case, where the code is supplied by a company from an adversarial nation, maybe it is reasonable to exclude their products from consideration entirely.

Re:Just don't plug it in to the Internet

[dAzED1]

did you say /maybe/ it is reasonable to exclude potential security products from adversarial nations? Every DITSCAP, DIACAP, or DIARMF process I've ever driven has *required* that. Anything actually assigned a mission assurance category - even MACIII - can't just be regular-ol' COTS. It has to be COTS that is then assessed, and part of that is if any sensitive information is ever involved, the COTS product likely can't stay COTS anymore (because none of them do labeling by default) and suddenly you now can't have developers that don't have security clearances. I can't wrap my head around a use case for these drones in the military that wouldn't already have excluded anything developed by non-cleared personnel.

Re:Just don't plug it in to the Internet

[PolygamousRanchKid+]

Well, at least the US military is not using routers made in China . . .

. . . oh . . . wait . . .

Re:Just don't plug it in to the Internet

[ColdWetDog]

A lot of it is open source software anyway. I think the majority of the Phantom firmware has been hacked and is now on Github.

Re:Just don't plug it in to the Internet

[drinkypoo]

The drones can't download anything to anywhere without you actually and in fact connecting the control software (DJI Go) to the Internet. While it likes to do that as a default (as does everything this side of your toaster) it's easy to block. There are a lot of people flying DJI stuff that purposely DON'T allow the software to update in order to keep DJI from screwing things up. They have a very checkered history when it comes to 'updates' (Oops, you crashed).

But don't they also have all kinds of 'features' that might require you to connect to the internet before you can even fly because their software is so lousy?

Re:Just don't plug it in to the Internet

[rtb61]

Why the hell would you bother screwing with software, that can easily be checked. You always hack the little stuff. So preferred logical target, capacitors. You have high efficiency expensive small capacitors and low efficiency cheap large capacitors (same load). So you make small capacitor, fix a chip to it's surface in the current path and add a larger package over it. So in the chip in current path where transmissions can be received, has only one purpose, wait for the encrypted signal to be received and then short out, job done. On the operator end, the motherboard died, all motherboards died, crap, get new board from storage for emergencies, swap them in and they die. Now you are in deep shit, all equipment down, all spare parts die when installed, you can not order more because your systems are down and it depends on how far you can spread your capacitors as too how much of a countries digital infrastructure utterly collapses. You can create boards with hidden internal communications layers, you can create CPUs with a second hidden CPU in the package, micro electronics can be shoved in all over the place, even into the CPU itself. It doesn't take many transistors to wait for a specific message in order to shut down, more complex to retransmit data via power circuits but at high capability entirely doable. No countries digital infrastructure should be reliant on another country, that puts you pretty much at beggar status, entirely dependent upon that other country. Disobey and your country goes digitally down and that means fiscal collapse, starvation, suspension of medical service and collapse of government administration, making repairs extremely difficult and very lengthy. Of course the country that should be least trusted is the US, there are other countries that should be trusted less ie Israel, Saudi Arabia, North Korea plus a bunch of African, South American and Asian states, but they tend not to produce much to infest your infrastructure, so the US is by far the greatest threat in that regard, Israel probably number 2. In the most absurd fashion imaginable China is more trustworthy than the US, oh my how far the mighty and arrogant have fallen and Russia is way more trustworthy. Of course there are a bunch of European states that are more trustworthy even the UK squeaks ahead of the US, having chosen to follow the US down a path of corruption.

Re:Just don't plug it in to the Internet

[dAzED1]

where did I say anything about software? And wow but was that a whole pile of words you just gave us...

Re:OK, they're idiots in the first place

[Tablizer]

DJI are simply profit-hungry assholes that depend on open-source to give them clues. They have ripped off and stolen everything they have ever done. This is the Chinese way.

American companies invent their own evil.

Idle speculation

[NoNonAlphaCharsHere]

We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.' Until then, we ask everyone to refrain from undue speculation."

I'm going to go ahead and speculate that if they don't know what 'cyber vulnerabilities' means, then they shouldn't be making drones.

What Kind of Certification Program does Army Have?

[mykepredko]

I guess the DJI drones are cheap, easy to use and reliable, but I would have thought somebody who gives out the certifications to buy the units would have enough tech savvy to ask questions whether or not data from the drone was stored and where was it stored.

Anything with a camera that has internet access and could store data on the "Cloud" used by military personnel should be an immediate concern and should be investigated before allowing it to be purchased. I doubt it could affect operations in real time, but it could provide images of the faces of allied forces as well as a record of tactics used.

Somebody in the Army needs to understand where the certification process doesn't work and fix it.

for some reason...

[Lead+Butthead]

the Second Cylon War comes to mind.

Is this how it starts...

[Trax3001BBS]

North Korea shoots off new USA hitting Missle

The USA test anti-missile weapon July 30 http://www.cnn.com/2017/07/30/...

China test out anti-satellite weapon Aug 2 http://freebeacon.com/national...

Now this...

Re:Is this how it starts...

[DivineKnight]

Makes you wonder what we have in space...

Re:Maybe they should take some of those billions

[TheGratefulNet]

agreed; the ability to make them here, entirely from scratch silicon EXISTS. its BEYOND STUPID to send money to china for drones for the military! unbelievably stupid.

not only would it be good for our economy, but given the sensitive nature of military gear, NO parts from unfriendly nations (ie, almost all of them, at this point; lets be honest) should be put into such gear.

and since the military is not cost sensitive (like a consumer would be) there's zero reason to not make them here. they'll cost more, but they'll have an audit trail you can trust.

Re:wut?

[Max_W]

It is not that easy to build a quad-copter which can match the DJI. Even if the US Army builds its own quad-copter it would be build still from components made in China, from the aluminum produced in Russia, plastic made from Iranian oil, etc.

DJI copters are incredibly reliable. I own DJI F450, DJI Phantom 3, Phantom 4 Pro+, and Spark. They all still fly well, and my US EBlade quad is somewhere in a forest, where it dropped from the sky.

The problem is that in the USA there is no base. The FAA produces layers upon layers of regulations, seven hundred pages of them. It forbids any meaningful usage of civil UAVs. And it is not possible to build good aircraft if there is no market.

The military should not use Chinese anything.

[sabbede]

Given that conflict between the US and China is hardly impossible, it is absolutely ridiculous for the military to use anything made in China. Why not just hand over our nuclear codes to them?

Stupid, stupid, stupid.