The US Army has increasingly used small consumer drones in the field, purchasing them as needed from consumer manufacturers like the well-known Chinese maker DJI. But documents indicate that the Army Aviation Directorate is now enforcing new orders, banning DJI drones "due to increased awareness of cyber vulnerabilities associated with DJI products." The documents, first obtained by Small UAS News, don't explain the Army's security concern, but refer to classified studies about DJI drones that first went out at the end of May. Previously, hackers have been able to jailbreak some DJI drones to control and modify things like safety features on the devices. Some reports have also indicated that DJI can gather location, audio, and even visual data from user flights.
NEW YORK – The U.S. Army has ordered its members to stop using drones made by the Chinese manufacturer SZ DJI Technology Co. Ltd. because of "cyber vulnerabilities" in the products. An Aug. 2 army memo posted online and verified by Reuters applies to all DJI drones and systems that use DJI components or software. It requires service members to "cease all use, uninstall all DJI applications, remove all batteries/storage media and secure equipment for follow-on direction." The memo says DJI drones are the most widely used by the army among off-the-shelf equipment of that type. DJI said in a statement that it was "surprised and disappointed" at the army's "unprompted restriction on DJI drones as we were not consulted during their decision."
According to a memo obtained by sUAS News, the US Army will stop using DJI drones, effective immediately. "Due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the US Army halt use of all DJI products," said the memo, which listed flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations and any device with DJI software applications installed on it as products that must cease being used. According to the document, the Army Aviation Engineering Directorate has issued over 300 Airworthiness Releases for DJI products. "Cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction," the memo continued. The memo cites a report from the Army Research Laboratory and a memo from the US Navy, both compiled in May, that reference operational risks and vulnerabilities with DJI products.
Check Point researchers developed an attack to hijack DJI drone user accounts, which may contain the user's sensitive information as well as grant access to the device itself. The researchers built an XSS attack that could be posted on a DJI forum used by hundreds of thousands of DJI customers, in order to intercept the identifying token and use it to log in as the customer, according to a Nov. 11 blog post. The attack demonstrates a vulnerability in the drone's cloud network, which can be accessed from anywhere, and highlights the need for a two-factor authentication mechanism, better identification mechanisms, and network segmentation within organizations to contain and limit the damage a successful attack could inflict. The attacker enters the web forum, steals the cookie ID and login, then uses the stolen information either to bypass the SecNeo mobile protection and access a DJI mobile app, or to access the full DJI FlightHub. Once this is done, the threat actor has access to the drone's flight records, photos taken during flight, payment details, a real-time feed from the drone's camera, and a live view of the drone pilot's camera and location.
A drone flies May 11, 2017, in the showroom of the DJI headquarters in Shenzhen, China.

A Chinese company that is the world's largest drone manufacturer said Friday it is "surprised and disappointed" by reports the U.S. Army has halted use of its remote-controlled aircraft because of cyber vulnerabilities. An Army memo Wednesday, obtained by sUASnews.com. The memo from Lt. Gen. Joseph Anderson, the deputy chief of staff, cited possible threats from any DJI electrical components, software, cameras, radios, GPS units or handheld controllers, the publications reported. It ordered U.S. Army personnel to uninstall all DJI applications and remove all batteries and media storage devices.