DJI drones may be sending data about U.S. critical infrastructure and law enforcement to China

The US DHS has accused the Chinese Da-Jiang Innovations (DJI) of cyber espionage on U.S. critical infrastructure and law enforcement.

The US Department of Homeland Security (DHS) has recently accused the Chinese Da-Jiang Innovations (DJI), one of the largest drone manufacturers, of sending sensitive information about U.S. critical infrastructure and law enforcement to China.

A copy memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) was published recently by the Public Intelligence project. The copy was marked as “unclassified / law enforcement sensitive, it alleges “with moderate confidence” that DJI drones were used by the Chinese Government as spying tools.

The authors of the memo provide several examples of law enforcement and critical infrastructure organizations using the DJI drones.

The situation is worrisome because data gathered by the DJI could be used by the Chinese government to conduct physical or cyber attacks against the US critical infrastructure (i.e. rail systems, water systems, hazardous material storage facilities, and construction of highways, bridges, and rails).

The concern is related only to DJI drones used by companies and government organizations, not the unmanned vehicles used by hobbyists.

“It is based on information derived from open source reporting and a reliable source within the unmanned aerial systems (UAS) industry with first and secondhand access. The date of information is 9 August 2017.” reads the intelligence bulletin.
“(U//LES) SIP Los Angeles assesses with moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government. SIP Los Angeles further assesses with high confidence the company is selectively targeting government and privately owned entities within these sectors to expand its ability to collect and exploit sensitive U.S. data.”

According to the ICE, the DJI drones operate on two Android smartphone applications called DJI GO and Sky Pixels that automatically tag GPS imagery and locations, register facial recognition data even when the system is off, and access smartphone data.

The ICE revealed the mobile apps also gather user’s identification and personal information, including full names, email addresses, phone numbers, computer credentials, images, and videos.

“Additionally, the applications capture user identification, e-mail addresses, full names, phone numbers, images, videos, and computer credentials. Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction.” the ICE memo reads.

“According to the source of information (SOI), DJI automatically uploads this information into cloud storage systems located in Taiwan, China, and Hong Kong, to which the Chinese government most likely has access. SIP Los Angeles assesses with high confidence a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites.”

The Chinese drone manufacturer denied the allegations, in a statement, the company said the report was “based on clearly false and misleading claims.”

“The allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions,” DJI said in a statement, cited by The New York Times.

According to a DJI spokesman, users can properly configure their drones to control over how much data they can share with the Chinese drone manufactures.

“DJI does strive to comply with local laws and regulations in each country where its drones operate and to facilitate compliance by our customers. To the extent that there are location-specific rules and policies within China, we ensure that our systems comply with these rules, including the need to register or include no-fly zones on board,” DJI stated.

“In compliance with the Chinese regulation, DJI utilizes the user’s IP address, GPS location, and MCC ID to determine if a drone is being operated in China. If so, DJI provides the customer with the features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government,” 

Moreover, the DJI has recently implemented a new feature that allows pilots to cut off all outside internet connections while the drone is flying.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – DJI drones, China)

[adrotate banner=”5″]

[adrotate banner=”13″]