US Army Nixes Use of DJI Drones Over Cybersecurity Concerns

Pull Batteries Out and Uninstall Apps, Army Says

The U.S. Army will immediately stop using drones made by the world's largest manufacturer, DJI of China, and has ordered that batteries and storage media be removed and applications uninstalled.

A publication focused on drones, sUAS News, broke the story after it obtained a U.S. Army memo hand-dated Aug. 2. The memo notes: "Due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the U.S. Army halt use of all DJI products."

The memo says DJI's Unmanned Aircraft Systems are the most widely used commercial off-the-shelf drones in use by the Army.

A statement from DJI says the Army gave it no prior warning of the ban. But it noted that governments around the world use DJI products for sensitive and mission-critical operations.

"We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues," DJI says in its statement. "We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.'"

sUAS News later updated its story, saying the U.S. Army had confirmed the memo but said that the guidance is under review. It is unclear if that means the policy is in flux and could be reversed.

Memos Cited

The U.S. Army memo doesn't elaborate beyond citing unspecified vulnerabilities in DJI products. But in justifying the ban, it cites a classified Army Research Laboratory report titled "DJI UAS Technology Threat and User Vulnerabilities" dated May 25.

It also cites a U.S. Navy memorandum dated May 24: "Operational Risks with Regards to DJI Family of Products."

There's no lack of enthusiasm for hacking drones. Hobbyists and security pros have been tinkering with drones ever since commercial sales began to take off more than a decade ago.

It would appear that the U.S. military is getting cold feet after taking a closer look into DJI's products. Last month, The Register reported that DJI erred by leaving debugging code in its Assistant 2 software. That allowed hackers to circumvent built-in controls, such as flight elevation limits and geofences, which prevent drones from straying into restricted airspace. It appears that drone enthusiasts began discussing the flaw as early as April.

Still, it took DJI months to patch. On Aug. 1, the company issued a news release saying it had issued a firmware update to solve the issue. The company does not have a bug bounty program. Instead, it relies on tips through its customer service channels.

Supply Chain

The U.S. government has been increasingly concerned over software supply chains and the influence of home governments where those products are manufactured.

Last month, the U.S. General Services Administration, which manages IT procurement for the U.S. government, removed the security company Kaspersky Lab from its list of approved suppliers. Kaspersky Lab is headquartered in Moscow, and the concern revolves around the company's relationship with the Russian government (see Trump Administration Restricts Kaspersky Lab Product Use).

The move does not ban Kaspersky Lab products, but instead makes the products more difficult to procure. It also does not mandate that agencies currently using the products stop. Kaspersky has denied that it works with the Russian government in a way that would undermine the security of its users' products.

DJI ran into trouble last year after what it describes as a junior spokesperson misspoke to journalists during a press tour, suggesting that data collected by drones might be shared with China's government.

DJI countered that it does not share customer information or drone video with Chinese authorities. But it did say - like many other technology companies faced with valid legal orders - that it would provide data if necessary to comply with the law.