US Army wants to ban the use of all DJI drones due to cybersecurity concerns

The Pentagon has ordered the US military to stop using DJI drones, following reports on the potential security vulnerabilities associated with DJI products released by the US Army Research Laboratory (ARL) and the US Navy.

A memo from the US Army is directing all branches of the military to immediately halt the use of any DJI products, including all unmanned aerial vehicles (UAV) by the Chinese manufacturer, as well as flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, and devices with DJI software applications installed.

"DJI Unmanned Aircraft Systems [UAS] products are the most widely used non-program of record commercial off-the-shelf UAS employed by the Army," the US Army's Lieutenant General Joseph Anderson states in the memo, first seen by drone business news site sUAS News.

The Army Aviation Engineering Directorate has issued over 300 separate Airworthiness Releases for DJI products in support of multiple organisations with a variety of mission sets. Due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the US Army halt use of all DJI products."

The memo is dated 2 August, but the the Navy memorandum "Operational Risks with Regards to DJI Family of Products" and ARL's classified report, entitled "DJI UAS Technology Threat and User Vulnerabilities", are dated 24 and 25 May respectively, which shows the Pentagon has been considering this course of action for a while.

DJI caught by surprise

"We are surprised and disappointed to read reports of the US Army's unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organisation, including the US Army, that has concerns about our management of cyber issues," DJI told IBTimes UK.

"We'll be reaching out to the US Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities'."

The memo comes as a blow for the world's largest consumer drone manufacturer, which has been making a strong case this year for UAVs to be used during natural disasters and in civil defence by first responders. In some cases this would include the military and elite police marksmen SWAT teams.

Cybersecurity concerns

In mid-July, Israeli drone enthusiast Niv Stobenzki was arrested for deliberately flying a DJI Mavic Pro in the flight path of Sde Dov Airport in Tel Aviv. At the time, DJI told IBTimes UK that the only way the drone was able to take off near the airport — a restricted zone — would be if its firmware had been hacked.

Some enthusiasts have sought to hack into DJI's Go app and firmware, and the manufacturer said that it is vigilantly patching all security vulnerabilities it is made aware of. Could this be what the Pentagon is concerned about?

Another issue being speculated on by drone enthusiasts is concerns about what happens to the data collected when a pilot flies the drone.

"We want to emphasise that DJI does not routinely share customer information or drone video with Chinese authorities — or any authorities," DJI said in a statement in April 2016.

"DJI complies with national laws wherever we operate, and we urge our customers to do the same. If one of our drones is implicated in a potentially illegal flight, authorities in any country may seek flight data information from us as part of their investigation.

"Like other tech companies around the world, we would consider only valid legal requests on a case-by-case basis and would provide information if we believed it was necessary to comply. Unless a customer has chosen to sync flight data via the DJI Go app or sent the aircraft back to DJI, we would have no flight data to provide.

"The policy is the same for requests from authorities in China, in the US, in Europe, and anywhere else in the world."

However, if the US Army doesn't wish to share flight data with the drone manufacturer, all it has to do is change the settings in the Go app, so it is unlikely that this is the cybersecurity concern that the military is referring to.