The US Navy Just Declassified the DJI Memo. Here’s What You Should Know.

The US Army banned the use of DJI Corporation Unmanned Aircraft Systems (UAS) in August 2017, citing security concerns in a memorandum obtained by sUAS News. Now, thanks to the declassification of an internal US Navy memo listing DJI UAS vulnerabilities, we know why. 

According to CyberScoop’s reporting in December 2019, the vulnerability discovered by the US Navy created a back door through which Chinese nation-state actors and other attackers could potentially intercept and siphon encrypted data and video from the flow of information between drones and ground control.

Critical DJI UAS Vulnerabilities Revealed 

The declassification of the US Navy’s Operation Risks With Regards To DJI Family of Products memo confirmed some long-held suspicions and revealed new complications in the use of (and trust in) Chinese-made hardware in DOD UAS and Ground Control Systems (GCS). Of particular concern in the DJI Family of Products memo were the following issues:

1. The Data Link Connecting DJI UAS to GCS

Even though data gathered by the UAS and transmitted to the GCS was encrypted, the US Navy’s open-source research identified vulnerabilities that gave adversaries multiple techniques for passively intercepting and viewing video and metadata from the UAS. Adversaries could even exploit this vulnerability to commandeer the UAS.

2. DJI’s Lightbridge and GCS Assistant Application

The memo disclosed that DJI’s GCS consisted of a commercial off-the-shelf (COTS) transmitter, controller, phone, or tablet using WiFi or DJI’s proprietary Lightbridge video transmission system. After conducting open-source research, the US Navy found that if DJI transmitters, controllers, tablets, or phones connected to the web, adversaries could live-stream images, video, and flight records to unsecured servers in other countries. Images, video, and flight records transmitted from the UAS to the GCS could also be intercepted through the DJI assistant application.

3. Unreliable Hardware

Cybersecurity vulnerabilities aside, the US Navy cited “anecdotal evidence” that DJI UAS did not perform consistently in typical military environments. Beyond the security findings, the expandability of the aircraft remained a problem, and the US Navy questioned the wisdom of investing in hardware that malfunctioned so frequently.

Hardware Vulnerabilities or Government Backdoors?

DJI rejected allegations of espionage, attributing the vulnerabilities instead to its own technological inability to meet the Department of Defense’s UAS performance standards. Despite DJI’s claims, Chinese hardware has a history of ambiguous vulnerabilities.

The Risk of DJI Hardware on US Companies’ Cyber Defense

Tom Kellermann, the former commissioner on Cyber Security under President Barack Obama, isn’t convinced that DJI is as innocent as it claims to be, noting that drone software usually includes backdoors for control updates and configuration. The problem with DJI’s backdoors, however, is that hackers or government actors can install malware through them for cyberspying. “This is compounded by the fact that this technology likely has a remote access Trojan (RAT) embedded in it,” Kellermann says. “‘Made in NATO member states’ should become a mantra.”

When it comes to safeguarding critical assets and network infrastructure, even if DJI truly isn’t involved in espionage work, the backdoors left in its devices are worrying. And even though DJI is now banned from federal agencies, it still leads commercial drone sales in America.

If a company can’t control its supply chain, it must address vulnerabilities itself, potentially at great cost. When it comes to ensuring the protection of your critical assets, choose a hardware-centric, highly effective, prevention-based approach to protection. To learn about similar issues in IP cameras and Vericlave’s approach to network protection, read our white paper.

IP Camera Use Case 

The Hanwha Techwin Vulnerabilities

In 2018, researchers at the security company Kaspersky Lab discovered 13 vulnerabilities in more than 2,000 Internet Protocol (IP) cameras manufactured by Hanwha Techwin. These vulnerabilities enabled command and control access to networks, but also seemed to allow access to hidden functions within the IP cameras. Such backdoors were accessible via public IP addresses on the open Internet.

While attacks on the cameras were only possible if the attacker knew the serial number of the targeted camera, the serial numbers were less than secure. The method used to generate Hanwha Techwin serial numbers made them susceptible to brute-force guessing, especially against the unprotected camera-registration system.

Using the compromised camera, attackers could then access the rest of the network by distributing modified firmware exploiting an undocumented, hidden capability for switching the web interface. Such firmware would provide outside attackers with privileged rights and full Linux functionality of the device.

Accessing these rights could allow the exfiltration of information and create an opening for attackers to gain command and control access to connected networks. Worse, Kaspersky Lab found that attackers could use compromised cameras to steal credentials from camera users via the routine social media and email notifications sent to users. 

Perhaps the Hanwha Techwin vulnerabilities were accidental, but their particular nature gave researchers pause. The number of vulnerabilities rivaled the number of camera features in the user manual, and the existence of hidden IP camera features (let alone features reachable only through a vulnerability) suggested that the vulnerabilities were likely government-directed installations rather than mistakes.