A leaked memo from the US Department of Homeland Security has potentially cast a cloud over the excitement of unwrapping a DJI drone this Christmas.
As the New York Times reports, the leaked Immigration and Customs Enforcement bureau memo claims with “moderate confidence” that drone manufacturer DJI is “providing US critical infrastructure and law enforcement data to the Chinese government.”
Furthermore, the leaked bulletin (PDF) claims it has “high confidence” that China-based DJI is “selectively targeting government and privately-owned entities… to expand its ability to collect and exploit sensitive data.”
The memo explains that “proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction” can be collected by DJI’s drones, and then uploaded to cloud systems “to which the Chinese government most likely has access.”
The bulletin says “with high confidence a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites.”
The ICE bulletin details examples of how unmanned aerial systems (UAS) have allegedly been exploited by the Chinese authorities, including this slightly less threatening scenario:
“The Chinese government is likely using information acquired from DJI systems as a way to target assets they are planning to purchase. For instance, a large family-owned wine producer in California purchased DJI UAS to survey its vineyards and monitor grape production. Soon afterwards, Chinese companies began purchasing vineyards in the same area. According to the [source of information], it appeared the companies were able to use DJI data to their own benefit and profit.”
At the heart of the problem appear to be concerns that DJI complies with Chinese government requests to hand over data.
Of course, DJI is far from alone in co-operating with the data requests of Chinese authorities, or acceding to demands for data to be stored on servers based within the country. Many Western technology companies also agree to the same in order to gain access to the lucrative Chinese market.
Nonetheless, DJI strongly disputed the contents of the ICE bulletin, claiming it is “deeply flawed.”
“For example, DJI does not access its customers’ flight logs, photos or videos unless customers actively upload and share them with us. Further, DJI’s new Local Data Mode stops all internet traffic to and from the DJI Pilot flight control app to provide enhanced data privacy assurance for customers flying sensitive missions.”
The good news for those receiving a drone as a gift is that the intelligence bulletin does not appear to be directed at owners of “consumer” drones but instead those purchased from market-leader DJI by organisations such as public utilities, property developers, and law enforcement agencies.
Earlier this year the US Army decided to stop using DJI drones because of unspecified “cyber vulnerabilities.”
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.