Concerns raised about DJI infrastructure security and breaches of user privacy

DJI is one of the largest and well known drone manufacturers in the world. They positioned themselves at the very top of the high-end drone segment. Hardly any other company has managed to step up to the plate and challenge their claim to fame. Recently reports started circulating the web about a lack of infrastructure security and failure to protect user privacy on DJI’s part. It was actually on two separate occasions that DJI dropped the ball big time and it was showed how lax their security mechanisms are, or at least have been so far.

DJI professional drones are used pretty much everywhere

What we’re going to be talking about in paragraphs to come needs to be prefaced by mentioning the extensiveness of DJI drone use by key government agencies and companies worldwide. We’re talking local police, fire departments and even military units of several nations’ armies, they have all used DJI professional drones in their day-to-day operations. Not to mention the various construction and maintenance firms, that handle important projects like nuclear plant repair, who use DJI drones for work-site reconnaissance.

DJI professional drone

DJI drones have found their way in a lot places that are considered to be of great importance for national security of not just the United States, but countless other countries worldwide who also use DJI drones. Having proper data security and user privacy should be a top priority for DJI.

Wait, what kind of data do DJI drones log exactly?

Some of you might be surprised by this, but DJI drones can collect a lot of information during their flights, especially their professional grade drones. I mean, they sort of have to, that is their job. They record detailed pilot ID, GPS locations, flight area covered, videos/photos, etc.

All this data is saved locally, but DJI also offers the option of uploading it to the cloud through their DJI Assistant and Data Upload services. Doing data uploads makes it easier to share recorded data with the rest of your team, or with supervisors in the organization that you work for. It was here that DJI failed to provide proper security to their users.

SSL encryption keys mistakenly published online

First major screw up on DJIs part was when independent security researchers discovered that some of the SSL encryption keys that DJI uses to encrypt data users store on their servers were mistakenly made public through companies’ GitHub pages. They were actually listed online for the whole world to see for years, until attention was brought to this fact a few months ago.

Researchers who initially found the breach were able to use the encryption keys they found to decrypt data that was, you’ve guessed it, publicly accessible. This time there was a problem with DJI server config over at AWS. Together with the SSL keys they were able to decrypt random pieces of info like flight logs, pilot IDs, etc.

Example of a decrypted pilot ID

You might not think that this is such a big deal, it’s not like the entire DJI database was compromised, but you have to admit that this is very sloppy user data handling on DJIs part. As I’ve already mentioned, they are the biggest name in the world of drones, with some of the most expensive drone on the market, so you’d expect a bit more professionalism from them.

SSL breach was initially revealed sometime in November. It was actually a result of a Bug Bounty program setup by DJI that gave $30,0000 cash prizes to people who detect and report security issues to DJI. Since then DJI reported that they’ve fixed the security holes and fired employees responsible for them.

Additional controversy sparked when researchers who discovered the problem were forced to sign very restrictive contracts, that essentially prevented them from speaking out publicly about the security holes they found, before they could get the prize money. Kevin Finisterre, security analyst who reported on the SSL keys being available publicly, actually declined the prize money, because he didn’t want to sign the overly complex contacts DJI required him to sign before the money could be paid out. You can read more about how it all went down in a PDF file that Finisterre published to address the whole situation.

Department of Homeland Security detects suspicious data uploads of drone activity

Latest slap in the face to DJI comes from Department of Homeland Security, their Immigration and Customs Enforcement office. In an internal document that was unclassified just recently there’s talk about data uploads by DJI drones to servers in China, Hong Kong and Taiwan, countries where Chinese government can easily access the data. Uploaded data included detailed imagery and security protocols of sites of great national importance for the US. These uploads were apparently made without the pilot being aware of them, data sharing wasn’t turned on in the DJI application settings.

You can probably see how this type of behavior caused panic in the US. With the whole host of federal, state and local agencies that are using DJI drones, many were left wondering is it safe to use DJI drones considering their lax approach to security. Concerns were even raised by users of commercial drones, since the same thing could even more easily be happening on that front as well.

DJI of course made a statement denying the allegations, stating that data is uploaded only if the drone owners chooses to do so. DJI lawyers asked DHS to provide more info on how they discovered the issues mentioned in the ICE document. We will see how this whole thing turns out in the coming weeks.

What do you think, are DJI drones safe?

I personally won’t stop using DJI drones because of these controversies, although I’ve been itching to switch to Parrot Bebop 2, to see what competition has to offer. This whole thing could be a witch hunt on DJI because they’ve become too ingrained in the US public sector, and they are a Chinese based drone manufacturer after all.

A lot of other major companies, like Yahoo, had much bigger security breaches than that of DJI, but people still use their services. Hopefully all these events will shake things up in DJI and cause them to improve their security practices. That’s all that we as end users can hope for after all.

Zoran Valentak