US Army tells troops to stop using DJI drones immediately, because cyber

The US military has a lot of drones—and an unending demand from troops in the field for more. As a result, the Army has for some time allowed units to purchase hundreds of off-the-shelf drones made by DJI, the Chinese consumer drone maker. The Army Aviation Directorate has provided “airworthiness releases” for DJI drones over 300 times for a variety of missions, according to a memorandum issued by the directorate’s deputy chief of staff.

But now all of those drones are getting pulled from service, as the result of classified findings in a May study by the Army Research Lab at Aberdeen Proving Grounds in Maryland, as well as a Navy memorandum citing “operational risks” in using DJI drones. The memorandum ordering the ban was obtained by Small UAS News.

The reason may be related to information gathering by DJI’s products that could include geographic location of flights, audio, and video.

DJI has faced privacy complaints in the past. Last year, the company issued a statement asserting that DJI only stored drone data via DJI’s GO app when it was submitted by the customer. “DJI cannot, and we believe should not, access your live feed, the video files on your drone’s memory cards, or the video files on your phone or tablet connected to the flight controller,” a DJI spokesman said in the April 2016 statement. “Since we cannot access it, we cannot provide it to anyone else—even with a court order or another valid legal demand.”

However, DJI has also included software in many of its drones that uses geolocation to determine whether the drone is in a No Fly Zone. And the company’s privacy statement notes:

We may preserve and disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable laws, in response to a court order, judicial or other government subpoena, warrant or request, or to otherwise cooperate with law enforcement or other governmental agencies.

DJI stores data it collects on servers in the United States and China.

Intentional collection by DJI is likely not the issue found by Army Research Labs, however. The problem may be related to others gaining access to telemetry data in the field, including adversaries. The Islamic State has used DJI drones heavily in Iraq and Syria, even rigging them to drop grenades on their enemies. Since the drones are so ubiquitous and the control protocols are well known, ARL may have found that an adversary could hijack a control session through a bug in DJI’s protocol, or obtain telemetry, audio and video covertly.

In any case, Army Air Directorate’s deputy chief of staff Lt. General Joseph Anderson issued a memo on August 2 ordering units to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow-on direction.”

“We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision,” said Michael Oldenburg, DJI’s senior communication manager for North America, in an e-mail to Ars. “We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’. Until then, we ask everyone to refrain from undue speculation.”

This post originated on Ars Technica
