A recent cybersecurity assessment conducted by FTI Consulting has provided fresh evidence supporting DJI’s Data Security claims, potentially reshaping the ongoing debate about banning the company’s drones in the US. This comprehensive audit, completed in 2024, comes at a crucial time as lawmakers and industry stakeholders grapple with concerns over the security of Chinese-made drones.
Background and Context
The future of DJI drones in the United States has been uncertain due to recent legislative developments and ongoing debates about data security.
The U.S. House of Representatives recently passed the Countering CCP Drones Act (H.R.2864) with bipartisan support. This bill, if enacted into law, would add DJI Technologies to the Federal Communications Commission’s (FCC) Covered List, prohibit new models of DJI drones from operating on U.S. communications infrastructure, and ban the use of federal funding for purchasing or maintaining DJI equipment or services.
Despite these legislative pushes against DJI, the central allegation that the company shares user data with the Chinese government remains unsubstantiated. DJI has taken several steps to address these concerns, including subjecting its products to security audits by federal agencies and independent experts since 2017, as detailed on their Trust Center page.
Audit Methodology and Scope
The 2024 assessment by FTI Consulting focused on the DJI Mavic 3 Enterprise Series Thermal (DJI Mavic 3T) drone, using DJI Pilot 2 firmware version 10.1.0.30 and DJI RC Pro version 2.01.0507. The audit employed a rigorous methodology, capturing and analyzing network activity using commercially available tools and methods. FTI conducted various flight scenarios, including idle state collection, flying collection, and testing with reduced entitlements.
Key Findings
One of the key findings of the audit was that all first-party data transmissions stayed within the US.
The report states, “The collections and analysis of the assessment, which was completed on the East Coast of the United States, support the conclusion that all first-party data transmissions, or transmissions to DJI owned infrastructure, resided within the United States.”
The audit also found that DJI employed security best practices, including certificate pinning and Transport Layer Security (TLS) encryption on network communications. These practices help protect against man-in-the-middle attacks and ensure secure data transmission.
Restricted Network Mode and Local Data Mode
Another significant finding was the effectiveness of DJI’s Restricted Network Mode (RNM). The audit concluded that RNM significantly reduced traffic to both first-party and third-party services.
According to the report, “RNM reduced the drone’s functionalities after enabling the setting. For example, DJI’s ‘Map Service’ required access to DJI’s API for identifying the drone’s location using GPS. With RNM enabled, end users can switch functionalities like ‘Map Service’ off, which prohibits the software from sharing location information with third-party map service providers.”
Perhaps most notably, the audit found that Local Data Mode (LDM) completely eliminated outbound traffic.
The report states, “FTI concluded that the use of LDM on the DJI Pilot 2 application resulted in no outbound traffic to either first-party or third-party services. The use of LDM appeared to disable all features and resulted in no network requests being captured.”
Implications for the Industry
The potential ban on DJI drones has raised concerns among various sectors. Many private companies and public agencies rely heavily on DJI equipment for operations in agriculture, emergency services, and infrastructure. As reported by DroneXL, representatives of over 6,000 public safety agencies have expressed opposition to the ban, citing potential negative impacts on their drone programs.
In response to these concerns, DJI has implemented several security features to address data privacy concerns. In addition to LDM and RNM, DJI ensures that data shared by U.S. operators is stored on servers within the United States.
The drone maker has also obtained various security certifications, including ISO 27001 certification for DJI FlightHub 2, FIPS 140-2 compliance, and a TÜV SÜD audit confirming compliance with NIST IR 8259 and ETSI EN 303645 standards.
The Ongoing Debate
The discrepancy between legislative actions and security audit findings has intensified the debate over DJI’s presence in the U.S. market. While lawmakers cite security concerns, multiple independent audits have failed to find evidence supporting these claims. This gap between perception and technical reality highlights the complex nature of the debate surrounding drone security and international tech companies.
As the situation evolves, DJI is considering U.S. manufacturing to address concerns, though it has stated it won’t exit the U.S. market. The outcome of this situation will likely have significant implications for the Drone Industry and various sectors relying on DJI technology in the United States.
DroneXL’s Take
This comprehensive audit adds another layer to the complex debate surrounding DJI drones in the US. While legislative concerns persist, the technical evidence increasingly supports DJI’s security claims. As we’ve seen in our ongoing coverage of drone data security, the gap between perception and reality in this space can be significant.
The audit’s findings about LDM and RNM are particularly noteworthy. These features give users powerful tools to control their data, potentially addressing many of the security concerns that have driven the push for a ban. The ability to completely eliminate outbound traffic with LDM is a significant security feature that could allay fears about unauthorized data transmission.
Moreover, the confirmation that all first-party data transmissions stayed within the US challenges the narrative that DJI drones pose a unique risk to national security. This finding, combined with DJI’s ongoing efforts to obtain security certifications and subject its products to independent audits, suggests a commitment to transparency and security that lawmakers should consider in their deliberations.
As the drone industry continues to evolve and play an increasingly crucial role in various sectors, from public safety to agriculture, it’s essential that policy decisions are based on technical realities rather than perceptions. The FTI audit provides valuable data that should inform these discussions.
What’s your take on this latest development? Does it change your view on the security of DJI drones? How do you think policymakers should balance security concerns with the practical needs of industries relying on Drone Technology? Let us know your thoughts in the comments below.
Discover more from DroneXL.co
Subscribe to get the latest posts sent to your email.
+ There are no comments
Add yours