A CNN report revealed that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency had warned that Chinese-manufactured drones pose a “potential risk to an organization’s information.”* Even though no particular manufacturer was named in the report, DJI, the Chinese industry leader that has been the target of similar accusations in the past, responded by taking steps in recent years to secure their reputation and their customer data.
Amid ongoing trade tensions between China and the U.S. that has led to concerns about data privacy for DJI drones, DJI continues to enhance the security of their platform. In order to further expand protections for government and commercial drone operators, DJI has, in turn, expanded Local Data Mode – a feature that eliminates the need for internet connectivity, which prevents the transmission of data over the internet – to make it available in the DJI GO4 and DJI Fly flight control apps.
Although those using the DJI Pilot app have been able to use Local Mode for data privacy in DJI drones since 2017, the recent commitment to expand its availability, as stated by a company press release: “follows an independent review and validation of Local Data Mode and DJI’s drone products by FTI Consulting (FTI), a global leader in cybersecurity.”*
A “Kill Switch” Feature
While the findings of firms without a background in drone technology can be misleading, some consulting firms have independently reviewed data privacy for DJI drones. Furthermore, U.S. government concerns over Chinese government involvement in technology companies have also become confused due to fears over actual vulnerabilities in the platform. With the Local Mode feature, DJI is providing what is called “a kill switch,” which has no connection to the internet and thereby the data never leaves the physical storage device, which is in control of the user at all time.
The company press release explains:
“All DJI drones provide data security protections for their users by empowering them to decide whether and when their drone data is shared externally. Local Data Mode provides government and commercial customers with additional assurance that data generated during drone operations is effectively protected. It is an internet connection ‘kill switch’ feature within DJI’s command and control mobile applications that, when enabled, prevents the app from sending or receiving any data over the internet. With this feature enabled, drone operators can easily and effectively cut off all network connections from DJI’s mobile applications and prevent any data from being transferred to DJI or other parties.”*
According to the following press release, the FTI audit confirms the efficacy of the “kill switch” approach:
“The FTI audit found that when Local Data Mode was enabled, no data generated by the drone or application was sent externally to infrastructure operated by any third party, including DJI, validating DJI’s assertions about the utility and function of the feature. FTI also found that using Local Data Mode with the ‘Allow Map Services’ feature enabled, which gives operators additional situational awareness during flight, resulted in data sent and received only to a trusted third-party American mapping provider, Mapbox. FTI’s assessment also confirmed that DJI employs various security best practices.”*
Brendan Schulman, Vice President of Policy and Legal Affairs at DJI explained:
“For commercial and government customers who generate highly sensitive data and operate with rigorous data security protocols, Local Data Mode provides simple and effective operator-controlled assurance that no data from their flights will be transmitted over the internet. This expanded capability for DJI customers builds on the results of FTI’s independent analysis and demonstrates yet again that DJI empowers its customers to protect their data.”*
DJI’s drone hardware is controlled by custom device firmware and software in a way that meets security requirements and it can be used without activation with DJI.
Added Features to Security Requirements
- “No Data Transmission – A permanently enabled Local Data Mode within the custom DJI Pilot application prevents data transfer from the mobile application over the internet to third parties or to DJI.
- Firmware Update Reviews – Government agency aviation and IT departments can review firmware updates in electronic isolation before applying them to their fleets, and have full control over how to validate them and when to install them on DJI drones.
- Restricted Hardware Pairing – Drones and remote controllers running Government Edition solution firmware can only be linked with each other and are not compatible with other DJI products, preventing the use of unsecured hardware and unauthorized third-party applications.”*
Brandon Torres Declet, CEO and Co-Founder at Measure, explains:
“Government Edition allows us to tell our clients that all of their telemetry data, meaning where their drone is flying, is stored securely and not shared with anyone but them. Having Government Edition will allow us more control over that process, and avoiding automatic firmware updates that can potentially impact our operation schedule is important – it’s also important to government customers.”*
Although DJI’s attempt to meet data security needs with expanded local-data mode is a big step in the right direction in allaying security concerns, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency will continue to monitor the potential risk to any organization’s information.