Independent Report Concludes DJI’s Data Security In-Check

BLOG POST 04.05.18

DJI’s Security Practices are Validated by Kiva Consulting’s Independent Study


Last week, DJI announced they had employed Kivu Consulting to conduct an independent study to review their data security. For the first time, an outside party was given full access to all of DJI’s data practices to support their 2017 official statement that DJI “provides no information about or data collected by the drone to the Chinese government.” Well, the report is finally complete, and snippets of information have now been released to the public that confirm DJI are in the clear.

“This is the first time DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” said Michael Perry, DJI managing director North America. “This comprehensive report clearly debunks unsubstantiated rumours about our products and assures our customers that they can continue flying DJI drones with confidence.”

What Did the Study Entail?

It’s good to know everything’s in check, but how exactly did Kivu come to this conclusion? As DJI’s recent press release confirmed, Kivu independently obtained the DJI Spark, DJI Mavic, DJI Phantom 4 Pro, and DJI Inspire 2 model drones for testing and analysis in the United States late last year. “Kivu set up systems to capture all data transmitted through iOS and Android devices running DJI GO 4, and reviewed source code, application data, server addresses, and data generated during operation.” Furthermore, “Kivu’s engineers comprehensively examined the code repositories for DJI’s mobile apps and tested whether DJI’s drones could transmit sensitive user data without connecting to the DJI app. DJI had no input into Kivu’s findings or conclusions.”

“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store, and transmit,” explained Douglas Brush, Kivu’s director of Cyber Security Investigations. “For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server,” Brush further explained. “For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the internet connection.”

kivu consulting

So, you have control over what data you want to share with DJI’s servers. But the next question is, when you do share your data – where does the information go? This is a big deal, especially for our friends across the pond where cyber security concerns with China seem to be at the forefront of everyone’s minds. Remember last year when the U.S. Army declared they would no longer use DJI drones…? Anyway, let’s check the diagnostics:

Data Storage and Transmission

Kivu found that DJI drones and DJI Go 4 app do not automatically create and upload media files to servers. This can only be achieved by the user capturing the data themselves.

Audio

DJI drones cannot actually record audio themselves. The DJI Go 4 app can but only if the user does so through their mobile / tablet device.

Flight Logs

DJI drones will record flight logs on your drone and in the GO 4 app but will only upload the data to the server if the user has chosen to sync to the server.

Diagnostics and “No Fly Zone” Data

DJI drones transmit diagnostics when the device is turned on as a default. The user can stop this by disabling the internet connection and deactivating them in the GO 4 app. Users with android devices can also use Local Data Mode.

Personally Identifiable Information

Currently, users only need to provide email addresses and phone numbers when the drone is activated, however this data isn’t verified.

DJI Servers

Kivu confirmed all data uploaded to the cloud is stored on secure servers in the USA, including Amazon Web Services and Alibaba Cloud.

Facial Recognition

Kivu confirmed that DJI drones don’t use facial recognition software and therefore cannot facially recognise users.

Cloud Storage Security Audit

Kivu confirmed “DJI’s network access controls are in order and designed to prevent unauthorized access to information stored on DJI’s AWS cloud servers.”

In short, DJI are doing everything right to keep your data as secure as can be. Realistically, there’s no guarantee that this couldn’t be hacked by the wrong people, but let’s not get ahead of ourselves – we don’t think there’s anything sinister to worry about. If you do want to ensure your data is 100% secure, you can use a device without an internet connection to keep it offline.


For more information about DJI Aircraft and CAA Approved Drone Training, contact our team of experts on 0330 111 8800 today!


 

© Uplift Drone Training T/A Uplift Drones 2018 - All rights reserved. Company No: 10064089. VAT No: 260036345.