DJI Data Security

When talking about the world’s biggest drone manufacturers, DJI (Da-Jiang Innovations) is the first company that comes to many people’s minds. DJI’s turnover accounts for the majority of the world’s drone trade, and has done for years. Unfortunately, with great popularity also comes a lot of complaints, which are sometimes valuable criticisms of a company that dominates the market, but sometimes opinions can be shaped by a lack of information or poor communication about it.

One of the biggest concerns we hear about DJI is the interest of the manufacturer’s home country, China, in the activities of the Western world. Since DJI drones are also used in part by the public sector and for internal security in Western countries, the concern is entirely justified. But are the accusations directly against DJI also justified, and is data actually being collected?

Before answering the question, a couple of important points need to be clarified:

For those who are not familiar with all DJI products, there are two product groups – Enterprise and Consumer. Consumer products make up the largest proportion of DJI products sold and can be found in e-shops, shopping centres and our Droon.ee showrooms everywhere. The Enterprise group is made up of products such as the Matrice 300 RTK, the Mavic 2 Enterprise Advanced and the Zenmuse P1. The Enterprise products are designed with different features and security standards – such as memory card encryption, multiple remote control, better encryption of the control signal, and more. These products can only be found on the shelves of dealers seriously committed to DJI products, and the support dedicated to them goes far beyond just offering a warranty.

DJI products are used in virtually every corner of the world – even for polar bear watching. Because the Mavic 2, Air 2S, Matrice 300 and all other DJI products are made in China, they sometimes get caught in the crossfire of settling scores between different corners of the world. Also at present, Western countries are having difficulties in their dealings with China, which, in the form of various blockades and import-export bans, is affecting trade in practically all sectors. Because DJI technology is so widely used, it is an easy target from which to launch smear campaigns and import bans. In short and more specifically, in addition to blockades, the “DJI collects data” argument is a good way to boycott exports from the People’s Republic of China to Western countries.

Let’s get down to business: Have there been any security audits of DJI systems?

Yes, several. The first most prominent example is a study conducted by the US Department of Interior in 2019 into DJI systems. Quote: “It is recommended GE (Pilot App version 1.3 19743, Assistant 2 GE Version 9-5) equipped Matrice 600 Pro and Mavic Pro aircraft be authorized for Interior fleet and contract use in accordance with additional risk mitigation practices developed by OAS (Appendices A, B).”. The assessment shows that, in the early years, the DJI equipment did not meet the requirements set by the US public sector, but in cooperation with the DOI, the following was created Government Edition systems, which were designed to meet all the requirements that DJI was given.

The next good example comes from the Pentagon’s assessment of DJI systems, leaked to the media, where it was written: “… Da Jiang Innovations (DJI) drones built for government use found “no malicious code or intent” and are “recommended for use by government entities and forces working with US services …”.Since the document is not public, we don’t know what products were tested and under what conditions, but we can infer that the Pentagon was trying to find a hatchet in the closet that wasn’t there.

Audits and assessments have also been carried out by US Department of Homeland Security, U.S. National Oceanic and Atmospheric Administration and a number of other interested parties – yes, there is a different link under each word. As you can see, the systems of the world’s largest drone manufacturer have been scrutinised and there is no evidence of malicious data collection anywhere, and DJI has done its best to ensure that all its systems are developed with the user in control of their data.

Why are DJI products so widely used?

It is easy to answer this question by directly quoting a study conducted by the US Department of Interior : “Subsequent OAS market research to identify additional UAS to meet Interior bureaus’ growing demand for inexpensive and highly capable aircraft indicated the remaining UAS available from U.S. based companies were up to 10X less capable for the same price, or up to 10X more costly than similarly capable DJI aircraft.“. To face the truth, this is still exactly the case when it comes to UAV technology produced in the West. It certainly doesn’t preclude the creation of drones by local companies that are excellent in their specialized uses. In Estonia, too, the development of special purpose drones and UAV software is at a high level.

What are the options to ensure data security?

All DJI drones can be used completely without the Internet once the product has been activated. For consumer devices, you’ll have to give up some convenient features, but for Enterprise products, it’s made quite easy to operate in this way.
If you don’t need to go that far, the DJI Go 4, Fly and Pilot apps have the option to activate Local Data Mode, which completely blocks the app from communicating with the outside world. Admittedly, the first time you use the drone (except the Government Edition) you will need to activate it over the internet, but this can be done with any email address and no further data is requested from the user.
If you want to find out more about what’s possible, DJI has a dedicated website dedicated to data security topics and summarising the latest developments in this area. If required, a DJI Data Security White Paper is also available, which explains in detail DJI’s data collection, how it is protected and the connections between the drone, the user and the server.

Why are we touching on this topic?

Over the years, Droon.ee has increasingly taken the direction of good choice and customer education. We want everyone to be able to leave our stores in Tallinn and Vilnius with exactly the technology they need. Sometimes it can happen that prejudices, rumours, a friend’s opinion and people’s own outlook prevent a drone buyer from making a rational choice. We have managed to address the first three concerns through in-depth training and customer education, but the last issue is closely linked to the political situation in the wider world.

In this short article, we have highlighted the publicly available knowledge that can be used by anyone to explore the issue further and form an informed opinion. If you’re an IT professional, a pen tester or just a drone enthusiast, please write to us with your opinion on DJI data security. If we know about the concerns of the pilots, we can pass them on to DJI so that they can be addressed – every little bit counts.

If you’re interested in reading more on the subject, we recommend an interesting article on DJI’s most commonly held myths: https://viewpoints.dji.com/blog/busted-five-common-myths-about-dji

We look forward to hearing from you in our Drone Friends Facebook group or by email info@droon.ee.