Department of Defense Bans Purchase of all Commercial Over-the-Shelf Drones Due to Cybersecurity Concerns

The Department of Defense (DoD) issued a ban on May 23, 2018 on the purchase and use of all commercial over-the-shelf (COTS) unmanned aerial systems (UAS) until the Pentagon develops a plan to mitigate any cybersecurity risks that may be found in the units. In a memo published on May 14, 2018, the DoD Inspector General found that the “DoD has not implemented an adequate process to assess cybersecurity risks associated with using commercial-over-the-shelf (COTS) Unmanned Aerial Systems (UAS).” The memorandum states, “Effective immediately, you must suspend the purchase of [and] the use of COTS UAS until DoD identifies and fields a solution to mitigate known cybersecurity risks”.The concern over cybersecurity concerns for the US has grown since August, 2017 when the Army banned the use of DJI drones citing “cyber vulnerabilities.” One week later, the Los Angeles office of Immigration and Customs Enforcement (ICE) issued an Intelligence Bulletin claiming that DJI is enabling China to spy on the United States through DJI hardware given that DJI’s target markets include government and private entities in sectors of critical infrastructure along with law enforcement.     

In addition, software engineers uncovered a back door vulnerability in the DJI Go phone app that allowed remote access to the phone without the knowledge of the user and code allowed the app to track each user’s GPS coordinates. Students at John Hopkins University also uncovered three additional security vulnerabilities in the app, including automatically-tagged GPS imagery; access to facial recognition data (even when the system was off); and access to all phone data including user identification, e-mail addresses, full contact data, images, videos and other computer credentials. The information collected was sent back to cloud servers located in China. 

After these issues were exposed, DJI took steps to address the security concerns and closed the back door on the app. In February 2018, DJI hired KIVU, a consulting company that conducts cybersecurity investigations, to conduct a third party examination of their drone systems. The report was released in late August, 2018 and concluded that users have control over the data that is collected, stored and transmitted by the drone. The report noted that when connected to the internet, the DJI GO app does not broadcast user data unless the user specifically enables the uploading and transmission and while the servers used by DJI are China-owned Alibaba servers, they are located in the United States. Additional vulnerabilities were discovered in the servers and the DJI GO app which have been resolved by DJI.    

U.S. Federal agencies have not yet addressed the changes noted in the Kivu report and the DoD directive against using DJI drones is still in place. With that in mind, DJI users should remain wary and exercise extreme caution when using DJI drones and consider potential cybersecurity vulnerabilities and national security risks when using them for sensitive research activities. If required, other drone alternatives are available and should be considered.

If you continue to use the DJI Go Phone app, you should make sure you have the latest update. Search for it on the Android or iOS stores. In addition, you should consider using a dedicated tablet for drone control versus a personal cell phone.The Office of Research and Creative Activity supports UAS usage and has information about drones including NDSU policies and procedures. In addition, the UAS Working Group is a resource for anyone interested in utilizing UAS equipment and is held monthly for faculty, staff, and students monthly throughout the school year. For more information, contact Aaron Reinholz.

Additional questions may be directed to: 

 

Aaron Reinholz, Director of Research Operations
aaron.reinholz@ndsu.edu
701-231-5338

Sharon May Export Control Administrator
sharon.may@ndsu.edu
701-231-6455

Top of page