Written by Shannon Vavra

The U.S. Navy issued an internal warning in 2017 about vulnerabilities in systems made by Chinese-based drone company DJI that could allow adversaries to siphon data from devices, according to a document obtained through the Freedom of Information Act.

“Overall, the system should be considered highly vulnerable in the cyber security realm and employed accordingly,” the document, obtained by the George Washington University’s National Security Archive and shared with CyberScoop, reads.

In the warning, the Navy pointed out issues with the way a DJI drone communicates and sends data to a ground station.

“While encrypted, open source research indicates numerous techniques available to passively view the video and metadata from the air vehicle as well as assume control over the air vehicle by adversaries,” the warning, dated May 2017, reads.

The document has been made public as technology made by Chinese-based companies, which powers much of the internet’s underlying infrastructure, faces increased scrutiny throughout the U.S. government. Among the worries is a Chinese law that currently compels businesses to comply with the country’s intelligence agency requests.

DJI has previously refuted claims that it may be sending flight logs or other data to the Chinese government.

The document, drafted by the Navy & Marine Corps Small Tactical Unmanned Aircraft Systems Program Manager, provides a new arc to the Department of Defense’s years-long reluctance to use DJI drones. While the U.S. Army banned the use of DJI drones in August 2017 due to an “increased awareness of cyber vulnerabilities,” the Pentagon provided few details at the time about what concerns were driving the decision.

The document, sent to the Small Unmanned Aircraft System Program Manager, warned that when equipment in the Ground Control Station (GCS) for DJI’s drones is connected to the web, “images, video and flight records could be uploaded to unsecured servers in other countries via live streaming.” The DJI assistant application could aid in this transmission, according to the Navy.

In a statement shared with CyberScoop, DJI noted that the company has worked to remedy the issues the Navy memo raised.

“While DJI does not design or market its products for military use, we have long since addressed the concerns expressed in this 2017 memo as part of our continuous commitment to safety and security, including adding advanced data encryption features, storing data shared with DJI on secure U.S.-based AWS servers, and adding the ability for users to eliminate connection between the drone and the internet,” the statement reads.

Although DJI has pushed back on espionage concerns, the company has admitted in interviews with CyberScoop that its tech has lagged behind Department of Defense standards.

“These drones were never built to meet or align with DOD requirements,” Mario Rebello, head of DJI North America, previously told CyberScoop.

Recommendations with limited visibility

The Navy recommended at the time that the GCS should not be connected to military networks using wireless or wired connections, that the camera should be covered, and that it should not be used in close range of adversaries or areas that are operationally sensitive.

The program manager also recommended that personnel not use a DJI device with micro-SD cards installed, since they may store images and videos. It was also determined that all data, such as images, videos, and flight records, should be deleted from SD cards.

“While these systems are commonly available and low cost, the DoD has minimal technical information to thoroughly understand the impact of their use,” the memo reads. “A thorough study of the cyber vulnerabilities of these systems is not available at this time.”

Other areas of the U.S. government still have limited visibility into vulnerabilities on DJI drones, according to an October report from the Department of Homeland Security that CyberScoop obtained.

“…[A] deeper examination of the hardware, software, firmware, and wireless signals could not be performed,” the data leakage report, produced for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, notes. “It is recommended that further protocol analysis of the data and telemetry stream be performed to reduce the security risk.”

The report, produced at Idaho National Laboratory, recommended supply chain verification, as well as a high-level software, firmware, and hardware reverse-engineering examination to assess the integrity of the devices.

In the meantime, DHS projects that DJI will continue to dominate the drone market in the U.S., even as it faces a possible ban from all federal agencies.

“DJI’s competitors, especially U.S.-based ones, will have difficulty in capturing significant portions of the UAS market in the future,” the report reads.