Drone King DJI Has a Serious Pentagon Problem
What a difference a month makes. On Aug. 2 the U.S. Army issued a memo directing its personnel to stop using drones made by SZ DJI Technology Co. and to uninstall all DJI software. The Army had become aware of security holes in the Chinese company’s products, according to the memo, a leaked copy of which soon appeared on the drone site SUAS News. Initially, the company brushed off the news. “DJI makes civilian drones for peaceful purposes,” it said in a statement at the time. “If military members choose to buy and use our products as the best way to accomplish their tasks, we have no way of knowing who they are or what they do with them.”
That was then. DJI now says it will introduce a bug bounty program—meaning it will pay independent hackers who find flaws in its systems—and has announced updates aimed at securing its software and user data. “We’re rapidly retooling our software development process to address our needs,” says spokesman Adam Lisberg. “It’s an increasing concern of ours.” The bug bounty rewards will range from $100 to $30,000, he says.
What changed so quickly? DJI dominates the $6 billion market for nonmilitary drones, accounting for two-thirds of the sub-$4,000 models sold in North America. But the leaked memo undermined DJI’s pitch to its biggest potential growth market: commercial users like Jes Chosid.
Her company, Reign Maker LLC, uses drones to help businesses and government agencies design and manage buildings, bridges, and water-quality projects. She relies mostly on DJI’s quadcopters. “DJI has crushed it, because they make the best drones for the price point and the quality,” says Chosid, who once worked for Bloomberg Businessweek parent company Bloomberg LP. The Army ban, however, left her wondering how secure her data was. “If the community feels unsafe using their tech for industrial works, it will eat away at DJI’s market share,” she says.
Drone enthusiasts worried about security have been more specific than the Army. Over three days starting on Aug. 12, Kevin Finisterre, a software engineer who develops ways to disable or redirect drones that go buzzing where they’re not wanted, tweeted a series of screenshots showing that the DJI Go app contained a backdoor that allowed it to be altered remotely, without the knowledge of users or the iOS or Android app stores. In the iOS version, someone using the email address Spy.firstname.lastname@example.org had added code that allows the app to track users’ GPS coordinates. (Yes, really. Spy.) Security researcher Lanier Watkins says he and his students at Johns Hopkins University have uncovered at least three security vulnerabilities over the past year and a half but were met with silence when they tried to alert DJI by email.
Left unsaid in the Army memo is that DJI has the added burden of being a Chinese company, fueling suspicion it may accede to its government’s demands for data and intelligence. (An Army spokesperson said in a statement that the Army holds each manufacturer to the same standards.) In June, China’s government gave itself much broader powers to demand data from companies operating there. “It would be reasonable to assume that the Chinese government is aware of the data that DJI has and is making use of that data,” says David Kovar, who runs Kovar & Associates LLC, a drone security and data-analysis business. “I don’t know if DJI is complicit in that.”
In the wake of all this, the dronemaker has become more proactive. In a nod to business users, DJI said on Aug. 14 that it’s working on a “Local Data Mode” feature that will allow users to keep DJI apps from sending or receiving any information via the internet. It’s also committed to closing the backdoor Finisterre discovered by September. Shortly after DJI responded to questions for this story, the company sent Watkins an email saying the vulnerabilities his team exposed would be fixed.
Walter Stockwell, DJI’s director of technical standards, says the code Finisterre flagged was only used to quietly add minor fixes to drone software that shipped with bugs. The bug bounty program, he says, will be available within the next month.
“We want to set up a system to engage our customers and engage people who are really looking at us and have them help us figure out vulnerabilities in the equipment,” Stockwell says. “Instead of fighting with people, find a way to bring them in and use all that talent.”