It isn’t easy being the world’s largest drone manufacturer, at least not lately.
On Friday China-based DJI got word that the U.S. Army will stop using the company’s products due to cybersecurity-related concerns. Army units were ordered to remove batteries and memory storage devices and uninstall any DJI software from their aircraft. The company responded with dismay, saying that it eagerly awaited conversations with Army leaders to learn more about their concerns. Other U.S. government agencies have taken similar actions, and both the Department of Energy and Department of the Interior began quietly removing DJI drones from their aviation departments last year.
The Army decision came after U.S. Air Force General Mike Holmes, who runs Air Combat Command, cited two incidents involving small drones invading airspace at ACC bases in early July. The general complained that he was legally powerless to prevent such overflights, and that he wanted authorization to shoot them down.
On Monday, he got his wish.
During a Pentagon press conference, Navy Captain Jeff Davis announced that the Department of Defense is now authorizing the U.S. military to shoot down any UAVs deemed to be a threat. Given that DJI products represent approximately 70 percent of all consumer drones in the world, the shootdown authorization appears to be ominous news for the Chinese company.
At the same time, more questions are being raised about what kinds of information DJI collects from drone users, and how. On Monday the technology website Verge wrote about a study by the National Oceanic and Atmospheric Administration regarding the cyber threat posed by the DJI S-1000. This is no kiddy drone—it’s a complex, heavy aircraft usually flown by professionals. According to Verge, the NOAA study found that the S-1000 “presented no threat for data leakage.”
The S-1000 is typically flown using two handheld controllers, each requiring its own operator. One controller flies the aircraft, while the other controls a (very expensive) camera. The NOAA investigation focused on these controllers, which are typically purchased separately from third-party vendors, and found nothing improper or unusual in the way they handled data. However, Verge reported that Ed Dumas, one of the NOAA authors of the S-1000 study, tested his own personal DJI Phantom 3, and “found that the unit was sending encrypted data back to DJI and servers whose location he could not determine.”
For some drone experts, that information was old news. Kevin Finisterre, a Senior Security Engineer for Department 13, which specializes in counter-drone technology, says that he and his coding colleagues across the country have been trying to understand exactly what information DJI collects. DJI has a reputation for building fine, capable aircraft, but also for making frequent updates to its software and firmware, changes that sometimes create more problems than they solve.
Recent changes to the DJI GO application, which allows owners to control their drones using a smartphone or a tablet, added a piece of software known as Tinker. Finisterre says that, in theory, the addition of Tinker to the DJI application could allow DJI [software] developers to silently push any change they wanted to the DJI application. Finisterre and his colleagues suspect that Tinker was one factor that pushed the Army and other government agencies to back away from DJI.
Based on his conversations with DJI this week, Finisterre says the company plans to remove Tinker from future software releases. It’s too soon to know if that alone would move the Chinese drone maker out of the public eye and back in the good graces of the U.S. government. But it seems a sure bet that as soon as the military starts shooting down wayward drones, DJI will once again be in the spotlight.