Almost all Arizona law enforcement agencies with drones use DJI, which have security vulnerabilities serious enough to lead the U.S. military to bar their use.
SZ DJI Technology, commonly known as DJI, is a Chinese technology company headquartered in Shenzhen. DJI is one of the leading manufacturers of drones around the world, and in 2017 their drones accounted for more than 70% of the market.
Virtually all the drones used by law enforcement in Arizona are DJI models, and the company offers partnerships and specialized versions of its drones for law enforcement and firefighting purposes.
A review of Federal Aviation Administration records by the Arizona Mirror found nine different agencies in Maricopa County, including fire departments, that utilize drones. Of the 37 drones those agencies own, 32 are made by DJI.
Late last month, security researchers discovered a flaw in an app related to the DJI drones and contended that the app collected large amounts of information that could be exploited by the Chinese government.
“We are aware of the potential security issue with the DJI product, but based on our use, we do not think it is a concern,” Scottsdale Police Department spokesman Officer Kevin Watts said. “We will continue to use the product. We will also continue to purchase DJI products unless we find an alternative capable of meeting or exceeding their performance. So far, we have found nothing that comes close.”
The Mirror received a similar response from the Arizona Department of Public Safety, which owns the largest fleet of DJI drones in the state. Of the agency’s 17 drones, only one wasn’t manufactured by DJI.
“We have worked closely with DJI to mitigate those vulnerabilities,” DPS spokesman Capt. Jesse Galvez said, adding that the department has a facilitator who speaks with DJI to keep them “up to date.”
Galvez said the drones have been useful for clearing out traffic accidents more quickly and in a safer manner for both troopers and citizens on the state’s busy highways.
However, there are still security concerns, and agencies’ ability to purchase the drones may come under fire.
U.S. Sen. Martha McSally has joined other senators in asking U.S. Department of Commerce Secretary Wilbur Ross to investigate whether DJI has harmed national security.
McSally has also introduced legislation, titled the “Securing Our Skies Against Chinese Technology Act.” The bill would require any private entity or state or local government to prove it is not using Chinese-made drones in order to receive federal funding.
“At a time when federal agencies are banning or grounding Chinese drones base (sic) on cybersecurity concerns, China is now donating them to state and local law enforcement across the United States,” McSally said in a press release about the bill.
DJI has called the bill “fear-driven.”
“Senator McSally’s copycat bill tries to put a new face on the old and discredited idea of taking lifesaving technology away from America’s first responders, including firefighters and law enforcement officers across Arizona,” the company said in a statement. “The government experts who actually use drones agree that banning or restricting drone technology based on where it is made is fear-driven policy that would make America less safe, and that the U.S. businesses and government agencies that use DJI drones can secure and protect the data they collect.”
Meanwhile, those who use DJI drones the most are staying mostly mum on the bill.
“We are not able to comment or provide opinion on pending legislation,” Scottsdale police spokesman Watts said when asked about the bill.
Likewise, Tempe Police Department would not answer questions about McSally’s bill.
The Tempe Police Department’s DJI drone recently made headlines when the department released video from its DJI Phantom 4 Pro that it had used to surveil protesters.
One security researcher, who calls himself KF, has been at the forefront of trying to understand what vulnerabilities exist and also what kind of data mining DJI has been conducting.
“To be honest, many folks are ignorant to the risks of data privacy until they have compounded and caused an actual issue,” he told Arizona Mirror in an email. “They should be concerned about potential lapses in situational awareness, and officer safety, as well as the integrity of evidence that may be collected via drone.”
KF sees McSally’s proposed ban on Chinese-made drones as potentially good policy, having seen firsthand some of the issues that come with a system that is not secure.
“I have said openly a number of times that I was able to locate various countries’ military troops *in theater*, at specific forward operating bases in active war zones, based on their email addresses and subsequent log files as uploaded to DJI’s servers,” KF said. “Even if DJI’s intent was never for military folks to use their products, they DO, and the subsequent data collection program on DJI’s behalf impacts the national security of several countries’ military programs, never mind law enforcement and end consumers.”
The servers in question were on Amazon Web Services and could be accessed because authentication certificates for them were easily found online. Some of the certificates KF used were more than four years old.
Within the server, KF was able to see unencrypted flight logs, passports, driver’s licenses and identification cards.
There was also information such as a slideshow presentation with a title that roughly translates to “Data Platform,” the Mirror confirmed from a copy of some of the data that has been posted online. In that presentation is a heat map that shows where flights had been taking place in 2016.
Other documents viewed by the Mirror from the online repository include presentations about increasing how the company handles data, increasing its public perception and what appear to be flight logs.
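The failure KF describes, long-lived credentials left in public places for years, is one that any agency deploying these drones can check for in its own code and configuration before the same thing happens to it. The following Python script is an example added to this article; it is not DJI’s code or KF’s tooling. The files it scans are constructed for the example, and the key values in them are the placeholder example credentials AWS publishes in its documentation, not real secrets. The exact format of the certificates KF used is not described in the article, so the script looks for the common forms a practitioner would expect: AWS access key IDs and secret keys in configuration, and PEM private keys committed as files.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Detection rules. The AKIA/ASIA access-key-ID format is documented by AWS;
# the secret-key rule is a heuristic (a 40-character base64-like value that
# follows a "secret ... key" label); the PEM rule catches private keys and
# client-certificate keys committed as files.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_?)?secret_?(?:access_?)?key\W{0,8}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never store or print the full secret


def redact(token: str) -> str:
    """Keep only enough of the token to recognise it in a report."""
    return token[:4] + "..." + token[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-looking token in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Rules with a capture group isolate the secret value itself;
                # the others report the whole matched marker.
                token = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, line_no, kind, redact(token)))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (a checkout, an unpacked APK, a bucket listing)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per file; files with nothing flagged are omitted."""
    return dict(Counter(f.path for f in findings))


# Constructed sample "repository". The AKIA... and wJalr... values are the
# placeholder credentials from AWS documentation, not working keys.
SAMPLE_FILES = {
    "deploy/config.ini": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "app/src/main/assets/uploader.json": (
        '{"accessKeyId": "AKIAIOSFODNN7EXAMPLE", '
        '"secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", '
        '"bucket": "example-flight-logs"}\n'
    ),
    "certs/upload.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedplaceholderbodynotarealkey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": (
        "Set aws_secret_access_key = <your key here> before running.\n"
        "Key IDs look like AKIA followed by 16 characters.\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

The README lines show the two deliberate limits of the rules: a placeholder shorter than a real key and a prose mention of the key format are not flagged. The scanner only tells you a credential is sitting in a place it should not be; whether a years-old key still works against the account is a question for the cloud provider’s rotation and access records, and the right response to a hit is to revoke the credential, not merely delete the file.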
Other security researchers found that the app used to control DJI’s drones doesn’t just collect information from users but can also force updates to itself on Android phones without the user’s knowledge, likely violating Google’s developer terms of service.
DJI has called the report “inaccurate” and “misleading,” saying that many of the issues were fixed and that the app does not auto update as the report says.
DJI pointed to its bug bounty program, and other defenders have noted that the source code for DJI drones is available online. However, the code was posted in 2017 and the webpage has not changed since.
There are other options out there though, according to KF.
“I’ve always been a proponent of the open source market, both airframes and flight controllers are open source,” KF said. “The key is getting rich features that fit your mission, or paying someone to develop them.”
Or you could always just hack your DJI to stop it from sharing data with China.