Firmatek’s CDO Addresses Security Concerns with Chinese Drones

By Andrew Maximow, Chief Drone Officer.

It seems as though every other week we hear about data protection concerns in the news. This past month, a 2017 app known as FaceApp resurfaced on social media with a vengeance. The viral app gained traction as users downloaded and allowed access to their personal information in exchange for augmented pictures of themselves, making them appear decades older or younger. Although it provided temporary amusement for several days, controversy sparked over extreme privacy terms and fine print service agreements.

This is just one example of the privacy data concerns we’re faced with in our online lives. Now more than ever, we’re aware of our personal data and how much we’re willingly handing out. Whether it’s through data upload, social media, or allowing applications to have access to your private info, it’s important to think twice about what you’re doing with your data.

In our industry, I often receive questions related to data security concerns with drones, specifically about drones manufactured outside of the US. With this in mind, it’s valuable to equip you with an overview of the drone security concerns being widely reported on and discussed in the media, particularly with drones made in China and in some cases, DJI specifically.  In this article, I will discuss several recent developments that have occurred in the last few months.

Firmatek’s Commitment to Security

Before I get into the details, it is worth mentioning that Firmatek handles all of its client data with a high level of confidentiality and uses standard security protocols when analyzing, storing, and publishing the data.  Additional security measures are being implemented in our Client Portal 2.0.  Despite the concerns expressed in the drone industry and discussed in the media, Firmatek is not taking any extraordinary precautions. We treat all of our drone hardware, software, and peripherals, such as SD memory cards, as another IT device that is connected to the public Internet.  We deploy the best tools possible, including DJI drones, to give our clients the utmost confidence in our data analysis and subsequent decision making.

Background Information

After reviewing many of the articles and forum posts, the primary concerns seem to be the potential security risks associated with using Chinese drones in military operations and around critical infrastructure.  Specifically, the risk and concern is that the sensitive collected client data (photos, videos, and flight logs), will allegedly be sent to the drone manufacturers’ computer servers without the drone operator’s consent or knowledge.

The media often references internal memos originating from the US Government, including memos like the “US Army Bans Use of all DJI Drones” following the Hikvision camera scandal, and other various memos from the NSA and members of Congress.  Most of the debate is focused on the military or other federal government use. However, some go as far as banning the use of DJI products for Public Safety, which would include the use of law enforcement and firefighting, citing national security risks.

DJI is partially to blame. For example, they fumbled their bug bounty program, particularly with the Kevin Finisterre debacle. Additionally, concerns boiled over when DJI announced a Government Edition drone product. This product idea backfired, adding further speculation that non-government edition drones were insecure.

As often is the case, there are many contradictions in the media, including blatant errors,  negative messaging, and hype.  Just last week there was a scathing report from the BBC, to which DJI fought back with an open letter.  In recent months, DJI has focused their efforts on addressing security concerns associated with their products.

Firmatek’s Process

First, all photos and videos collected with DJI platforms and used by Firmatek are stored on an on-board SD memory card, which is physically removed by the operator and transferred to a Firmatek computer. This information is then transferred over the Internet to the Data Processing team located in our HQ office in San Antonio, Tx.  Essentially, there is an air gap between the drone and the Internet.  These photos are either processed on Firmatek-owned computers or processed on secure AWS machines running our software.

Occasionally, our drones are programmed automatically to transfer drone data from the drone to the drone operator’s smartphone, or tablet and then automatically to the Pix4D Cloud for processing. We do not transfer any client data to DJI, except when necessary, we may transfer them to DJI Support for troubleshooting.

Flight logs are stored on the drone and SD cards for US regulatory compliance, but never uploaded to DJI.

DJI does require a login on their flight planning apps, such as DJI Go, GS-Pro, GSR, or Pilot, which allows them to track usage of the app. This is common practice with software companies.

The Industry Perspective

It is important to note there are other China-based drone companies, like Yuneec and Autel Robotics. Parrot drones, like the Anafi, are made in China as well. While the Department of the Interior (DOI) purchased drones from US-based company, 3D Robotics, those drones were also manufactured in China.

In response to all the media coverage, DJI launched a significant PR campaign with the following:

  1. Announcing Government Edition products and computer servers located in the US.
  2. Plans to manufacture drones in the US.
  3. Local Data mode for Pilot software applications.
  4. Testified before US congress.
  5. Issued press releases.

This past month the US DOI certified the DJI Government Edition drone.

DJI commissioned a 3rd party assessment by Kivu Consulting.  The published results are fairly technical and targeted towards IT professionals. The report gets into the technical details of the test methodology, technology, and results. If you are interested, you can find it here.

This past year, 3D Robotics aligned itself with Chinese drone manufacturer, Yuneec, citing that the flight control system used by Yuneec is based on open-source code maintained by Drone Code, therefore less susceptible to hacking and security breaches. Their hardware solution is aimed at government and public safety markets.

In conclusion, most site locations for our customers are exposed to online mapping resources such as Google Earth anyway, and real-time drone imagery poses little risk. That said, Firmatek will always treat our client data with the strictest confidentiality, and we make it a priority to understand and stay on top of issues like this. While we should certainly never ignore data security concerns, they should always be backed by factual research as provided in this article.

 Recommendations and Best Practices:

  1. Make sure that drones and drone data are included in your company’s IT data security policies.  Drones should be treated like any other device on the network (computer, laptop, WiFi hotspot, etc), with similar precautions in place.
  2. For reference: DJI established a landing page with FAQs and other valuable info.
  3. DJI commissioned a 3rd party assessment by Kivu Consulting.  The published results are fairly technical and targeted towards IT professionals.