Homeland Security Flags Chinese Drones as Security Risk

An unclassified memo from the U.S. Department of Homeland Security (DHS) alleges that Chinese UAS maker DJI is “providing U.S. critical infrastructure and law enforcement data to the Chinese government…[and] is selectively targeting government and private-owned entities within these sectors to expand its ability to collect and exploit sensitive data.” DHS also alleged that DJI was leveraging its lower manufacturing costs “combined with illegal dumping tactics” to give it monopoly power in the U.S. “As a result, U.S. companies have fewer options and are more likely to purchase DJI UAS.”

The memo was drafted this past summer but widely released recently. DJI—Dà-Jiāng Innovations Science and Technology,  headquartered in Shenzhen, Guangdong—is one of the largest manufacturers of recreational and commercial drones worldwide. Its models include the Phantom and Mavic Pro. It holds an estimated 50 percent share of the overall North American market and nearly 70 percent of the North American market for UASs priced between $1,000 and $4,000. It also has technology partnerships with powerhouses including Sony, owns a majority interest in Swedish camera maker Hasselblad, and offers its units for sale in Apple stores. Competitors have alleged that the company engages in dumping and other unfair trade practices.

In late November, DJI issued a strong statement rebutting the DHS memo. “The bulletin is based on clearly false and misleading claims from an unidentified source” and shows “a fundamental lack of understanding of DJI, its technology, and the drone market.” DJI’s statement also refuted claims of dumping, “DJI does not sell products at a loss or cheaper in the United States than in China.” It also disputed charges that its drones are equipped with facial-recognition software or that it widely shared data with the Chinese government.

Limited Data Sharing

To the extent that data is shared with the Chinese government, the company said, it has done so to comply with “location-specific rules and policies within China” related to registration and no-fly zones. “In compliance with Chinese regulation, DJI utilizes the user's IP address, GPS location, and MCC (mobile country code) ID to determine if a drone is being operated in China. If so, DJI provides the customer with features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government.”

However, the company did say that its advanced new products have “Active Track” algorithms that “can track the movement of the shape of the face or the shape of the person to facilitate control of the drone or movement of the camera.” It also acknowledged several actual or potential recent security breaches, including compromise of its secure web certificate and the DJI website, receiving a report that its Amazon Web Services server repository was accessible by unauthorized parties. In both cases, DJI said, it promptly fixed the problems. The company also noted that it maintains a “Bug Bounty Program” that pays security researchers to identify potential vulnerabilities in DJI's technology.

Nevertheless, the DHS memo notes that the U.S. Army has stopped using DJI products due to “an increased awareness of cyber vulnerabilities associated” with them. Earlier this year, the U.S. Navy issued its own memo on “operational risks” associated with operating DJI vehicles.

Despite the U.S. military's misgivings, DJI is establishing a foothold with U.S. law enforcement and contractors and companies with critical security and infrastructure links. DHS pointed out that a DJI Inspire UAS is currently used by the Los Angeles County Sheriff and on site by a contractor that is building DHS's own National Bio and Agro-Defense Facility in Manhattan, Kansas.

It also noted that DJI's U.S. infrastructure customers include American Water, Union Pacific Railroad, and American Electric Power. The company is additionally targeting water utilities in Chicago, Los Angeles, New Jersey, and New York as well as railway companies in Omaha, Nebraska; Los Angeles; and Dallas. DHS asserted that DJI's target client list “appears to focus on the account holder's ability to disrupt critical infrastructure. The DHS also alleged that the Chinese government could use DJI data to “disrupt and degrade” the U.S. food supply and to surreptitiously evaluate assets planned for purchase.

The DHS concluded that the Chinese government could use data gleaned from DJI systems to conduct physical or cyber attacks against the U.S. or could share the information with terrorist organizations or other parties that seek to strike the U.S.