New Report Gives DJI's Data Security Passing Marks
Third Party Audit Confirms DJI's Data Storage and Transmission Practices
By Jonathan Jacobs
DJI, the market leader in consumer drones, has had a rough few months regarding its security, and it has finally responded. While this hasn’t slowed its march to market dominance, it has raised questions among DoD leadership, who last year released a memo ordering the Army to cease use of all DJI aircraft and systems due to ‘cyber vulnerabilities.’ DJI hopes that this new report by independent third-party auditors will lay these concerns to rest and allow it to further develop its presence in the commercial/enterprise sectors of the U.S. market.
Why the Need for An Audit?
The growing suspicion of Chinese manufacturers is nothing new, with companies like ZTE and Huawei also finding themselves unwelcome in U.S. markets due to their connections with the Chinese government. Like other Chinese manufacturers, DJI was faced with accusations that it routinely shared user data (such as flight records and imagery) with the Chinese authorities. Coupled with the widely publicized issue regarding DJI’s handling of its SSL and firmware keys, these accusations made it clear that DJI needed to begin rebuilding confidence in its ability to safely handle (potentially sensitive) data. So, DJI hired a third party, Kivu Consulting, to be the first-ever outsider to review DJI’s proprietary systems, including its drones, hardware controllers, Go4 Mobile App and storage servers.
THE RESULTS ARE IN…
So, does this new report give DJI a clean bill of health? Sort of. A summary provided by Douglas Brush, Kivu’s Director of Cyber Security Investigations, doesn’t exactly answer all of the questions, but the broad strokes do seem to paint a favorable view of DJI’s process. The auditors pointed out that all flight data originating in the U.S. is stored on AWS and Alibaba Cloud Servers in the U.S. Region (so no data leaves U.S. soil) and that all of the Cloud Servers used (both AWS and Alibaba) are now properly secured. They further noted that all data transmission can be terminated by deactivating settings within the DJI Go4 app or simply disabling the internet connection.
Still, the brief nature of the summary leaves some questions unanswered. While the report does manage to address some of the more egregious security concerns (unsecured S3 buckets; seriously??), it fails to address accusations that DJI willingly shares data with the Chinese Government. Willing dissemination of data is obviously quite different from a security breach and would likely not have been covered in this audit.
Even with this report, it remains to be seen whether the U.S. Army and other U.S. officials will soften their stance on the use of DJI aircraft. Ultimately, someone will have to blink, because it appears that no one can supplant DJI as the global market leader in commercial unmanned aircraft.