Independent study shows DJI does not harvest user data without consent

DJI are touting the results of a new study into their drones showing they are not using their customers’ private data without consent.

The testing was carried out by Kivu Consulting, a San Francisco-based company that specializes in computer forensics, cyber security and data breaches.

Are these results legit? What did the testing involve?

Kivu analyzed DJI’s flight control system, including the drone, hardware controller and GO 4 mobile app.

The company makes it clear in their letter that DJI did not send them the drones. Rather, they independently purchased a DJI Spark, DJI Mavic, DJI Phantom 4 Pro, and DJI Inspire 2 and sourced the GO 4 mobile app from the Apple and Android stores. They also had access to DJI engineers and managers in California and Shenzhen who assisted Kivu staff for several days in determining what data was collected, stored and transmitted by the drones’ flight control system.

Among the report’s findings, which are available in full here, were the following:

  • “Users have control over the types of data DJI drones collect, store, and transmit.”
  • “For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server. For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”

Cloud Server Issue

The report notes that certain information stored on DJI’s AWS cloud servers had been “inadvertently made publicly available.” Kivu confirmed that DJI had corrected this issue with the cloud server access and has complied with all notifications required by law regarding this incident.

Do DJI drones use facial-recognition software?

Kivu said that while certain DJI drones have the ability to use features called FaceAware and Gesture Control that enable users to control the drone with their bodies, the drones could not identify individual faces or distinguish between them and, ultimately, do not utilize facial recognition software.

A relief for DJI

These results are a vindication for DJI, who have frequently been accused of being fast and loose with user data. In 2017, a Los Angeles Immigration and Customs Enforcement bureau (ICE) memo accused DJI of using commercial drones to spy on critical US infrastructure in order to send data back to China. Similarly, the US Army directed the American public to stop using its products due to “cyber vulnerabilities.”

At the time, DJI strongly refuted the accusations and subsequently implemented a ‘bug bounty’ program. The program rewards security researchers who report potential security concerns on DJI platforms. Payouts are based on DJI’s risk assessment of the potential impact of the threat and range from $100 USD to $30,000 USD.

Regardless of what drone you use, you can take a few steps to secure your UAV against hacks. One of the key steps is choosing a communication system that is not Wi-Fi-based but that uses a private network. This will immediately mean your drone is more difficult to access for unauthorized users. If the server is encrypted, even better. Also be careful about who has access to your drone.
