The editor of SUAS News has obtained what appears to be an internal memo from the US Army asking all units to discontinue the use of DJI drones due to “an increased awareness of cyber vulnerabilities with DJI products.” The memo notes that the Army had issued over 300 separate releases authorizing the use of DJI products for Army missions, meaning a lot of hardware may have been in active use prior to the memo, which is dated August 2nd, 2017.
DJI provided the following statement to The Verge:
People, businesses and governments around the world rely on DJI’s products and technology for a variety of uses including sensitive and mission critical operations. The Department of the Army memo even reports that they have “issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.”
We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues.
We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’. Until then, we ask everyone to refrain from undue speculation.
SUAS News published a piece back in May of this year that made a number of serious accusations about data gathered by DJI drones. Author Kevin Pomaski starts out writing, “Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent.” However, he never follows up with evidence to demonstrate how this data becomes public or can be found through a Google search.
Pomaski also point out, correctly, that when DJI users elect to upload data to their SkyPixel accounts through the DJI app, this data can be stored on servers in the US, Hong Kong, and China. This data can include videos, photos, and audio recorded by your phone’s microphone, and telemetry data detailing the height, distance, and position of your recent flights.
When you fly a new DJI drone for the first time, you have to register an account. That is in accordance with FAA regulations. But after that, you don’t need to use a mobile device to fly the drone. Most people will, since you need it for a live feed, but you can launch, fly, and initiate recordings and photos with just the remote control. You can also fly the drone with a mobile device in airplane mode, giving you a screen for the live video feed, while ensuring no data will be uploaded. Users who want to fly without worrying about sharing data could also elect to use the new DJI Goggles, which can pair with the drone and offer a live video feed without connecting to a cellular network to upload any data.
We’ve reached out to the Army to confirm the authenticity of the memo and for additional comment.