Dept. of Interior Bans use of DJI products due to national security concerns
The quoted post, below, appeared on the Facebook group “Commercial sUAS Operators” on July 7th. It was taken down very rapidly and no further discussion on the topic appeared. I spoke with Dennis Bosak SSA this morning and he confirmed the statement as written. Any further details must be requested in writing.
Another story is circulating that the DOI has either retracted the ban or it was never in place. However no copy of that memo can be made available and Mr. Bosak stood by his statement as of 0730 this morning.
To summarize, the Department of the Interior is banning any internal use of DJI products due to concerns about the product’s automatic uploading of telemetry and other information to DJI servers during firmware updates.
Last year I developed a presentation on cyber security and consumer/commercial UAVs. In that presentation I noted that we are self selecting areas of interest – test crops, critical infrastructure, disaster sites, … – and sending highly detailed information about these sites to often poorly understood cloud infrastructure.
Apparently, according to this post, the Department of the Interior has also identified this risk. Worse, it appears that DJI products are automatically sending sensitive telemetry information to their own servers. As the following announcement notes, DJI is a Chinese firm and some conclusions must be considered.
Many applications collect profile and debugging information for legitimate purposes. Most of those applications give the user an opt-in option. DJI could quickly defuse this situation by releasing an update that provides this option while also demonstrating that all such communication has been terminated. Regaining the trust of their clients, and of the U.S. Government, may be more difficult.
DJI is just one vendor. There are many others, hardware, software, and service. What are these vendors doing with the data you are collecting about your potentially sensitive sites?
OAM – Office of Acquisition Management
DOI – Department of the Interior
OAM had a telecom this morning with the aviation manager at DOI.
During that conversation we learned that they have banned the use of DJI products (which include the popular Phantom and Inspire aircraft) as they discovered that their products record telemetry information, to include routes flown, altitudes, etc., and send that recorded information to DJI each time the aircraft is plugged into a computer to perform a software/firmware update. As DJI is a Chinese company the security issue is readily apparent.
OAM highly recommends that, before choosing any particular aircraft, from any manufacturer, especially those that might be used for sensitive purposes, that your technical people fully understand what information may be transmitted, to whom it might be transmitted to, and whether it matters to your program.
Please distribute this information as widely as possible.
Dennis Bosak SSA
Department of the Interior
Office of Law Enforcement and Security
1849 C Street NW
Washington DC 20240