DJI Enterprise Drones: Safe and Secure
DJI understands how important data security is to its commercial, consumer and government customers. That’s why DJI gives users of its products control over the data they generate, and why the company continually improves and strengthens information security. Below is a brief summary of the steps DJI takes to ensure Enterprise customer data remains secure.
DJI drones do not need to connect to the internet to operate.
Following initial activation, DJI drones can be used entirely offline via “airplane mode” on the phone or tablet attached to the remote controller if Internet access is not required for a mission. DJI also offers a “Local Data Mode” that allows a user to access the Internet for other reasons, such as accessing map services, but prevents any data from being transmitted to or from DJI’s flight apps and the Internet. This essentially acts as an “airplane mode” that applies only to the drone’s software, eliminating the possibility of accidental sharing of videos, photos, or flight information during sensitive operations. What’s more, DJI operators don’t have to use DJI software – if your agency prefers the security configurations and features of drone software developed by other companies around the world, you can choose from dozens of third-party options.
DJI operators have control over the data they collect and generate.
If a user does not want to share photos, videos, and flight logs with DJI, the company cannot access them or provide them to anyone else. The only way that data gets shared is if the operator opts in to share it. Operators can also choose to grant or revoke data permissions at any time, and many models (M300, M30, Inspire and Mavic 3 Enterprise) allow users to erase logs and cache through the DJI Pilot App. Certain DJI products also support password protection for onboard storage to guarantee the security of sensitive images and resources.
Operators that choose to share data with DJI have multiple layers of protection.
Again, DJI operators are not required to store any data with DJI. For operations in the United States, all user data is kept in U.S.-based data centers. By default, data is not transmitted to any other data centers or shared with third parties, and any sensitive information shared, such as location information, is encrypted with AES-256.
DJI drone systems adopt technologies that raise the bar on security.
Most DJI drones adopt Trusted Execution Environment (TEE) technology, which contains security functions such as authentication, key management, firmware decryption and verification, and more. The TEE can also be used to encrypt user information such as flight logs to further ensure data confidentiality. DJI drone firmware is also encrypted and signed by DJI for every step in the boot process, and the firmware can only run after it is verified and decrypted. Similarly, DJI signs and encrypts update packages for new feature releases, bug fixes and security patches – effectively preventing the installation and execution of malware on the drone and ensuring the reliability of its software. End users can also side-load firmware updates, meaning their drones never need to connect to the internet (M300, M30, Mavic 3 Enterprise).
DJI is committed to further strengthening data security and customer privacy.
DJI has for years operated a Bug Bounty Program for security researchers to earn cash payments for reporting potential security concerns on DJI platforms. Any vulnerabilities found are swiftly addressed. In addition, DJI established an internal Product Security Committee to manage cross-department security initiatives and oversee ongoing internal penetration testing programs.
Independent private sector firms and government agencies have analyzed DJI products and validated their security.
San Francisco cybersecurity firm Kivu Consulting conducted a detailed examination of DJI drones, mobile apps, and servers, as well as data streams they transmit and receive. Kivu purchased DJI drones off the shelf, downloaded DJI software from the Internet, and scrutinized every bit of data they exchanged over the Internet to determine whether customer data was in fact protected. The ensuing report confirmed that “users have control over the types of data DJI drones collect, store, and transmit” and that DJI did not access photos, videos, or flight logs generated by the drones unless drone operators voluntarily chose to share them.
A risk assessment conducted by Booz Allen Hamilton, which tested the data security of DJI drones, found no evidence that the data or information collected by the analyzed drones was transmitted to DJI, China, or any other unauthorized party.
FTI Consulting found that when Local Data Mode is enabled, “no data that was generated by the application was sent externally to infrastructure operated by any third party, including DJI.” In its cybersecurity assessment, it also noted “a number of instances where DJI employed security best practices.” The report also noted that when users opted to share their data with DJI, there was no data transmission to Chinese servers. All data went to servers in the U.S. or western Europe.
The U.S. Department of the Interior (DOI), which has used drones for monitoring wildfires, conducting geological surveys, and inspecting volcanic activity, conducted a flight test and technical evaluation of its DJI drones. After a careful evaluation, DOI concluded that DJI drones were the best suited for accomplishing their missions while at the same time protecting the data they generate.
The Idaho National Laboratory, which conducted a cybersecurity test and evaluation of two DJI drones on behalf of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, found that “there are no major areas of concern related to data leakage.”
The U.S. Department of Commerce validated DJI’s Core Crypto Engine, confirming it meets NIST standard FIPS 140-2 for cybersecurity relating to government procurement.