
DJI releases findings of Kivu report to stem concerns that China might use DJI’s drones to spy on the U.S.

Last year DJI dealt with a number of cybersecurity-related issues, including a hot-patch mechanism in its DJI Go 4 app, a researcher who found sensitive user data accessible on Amazon Web Services servers, the U.S. Army declaring that it would no longer use DJI drones, a claim from U.S. Immigration and Customs Enforcement (ICE) that DJI drones could perform facial recognition, and U.S. officials who wondered whether DJI was sending sensitive information back to China. Today, in response to these allegations, DJI released the summarized findings of a report from Kivu Consulting, Inc. that was conducted independently but paid for by DJI. Kivu concluded that “users have control over the types of data DJI drones collect, store, and transmit.”

Users control the types of data DJI drones collect, store, and transmit

2017 was a rough year for DJI when it comes to cybersecurity. In short succession, the Chinese drone maker had to deal with a number of data-related issues.

  • First, cyber researchers showed that DJI had built a hot-patch mechanism into the DJI Go 4 app that allowed the Chinese drone manufacturer to make drastic changes to the app without going through the required app-store approval processes.
  • In a separate case, a well-known researcher found sensitive customer data exposed on DJI’s servers, including driver’s licenses and passports.
  • During the summer, the U.S. Army announced that it had decided to stop using DJI’s drones over cyber vulnerabilities.
  • Later in August, a bulletin issued by the Los Angeles office of U.S. Immigration and Customs Enforcement (ICE) surfaced in which concerns were expressed about DJI’s drones being able to perform facial recognition even when the system is off.
  • Lastly, in November, U.S. officials started wondering whether sensitive information captured by DJI’s drones was possibly being sent back to China.

Like I said, 2017 was a rough year for DJI. The world’s largest drone maker responded with a public statement saying that the company “provides no information about or data collected by the drone to the Chinese government” and later, it said that it had hired an independent company to review its handling of sensitive data from its customers.

Today, the Chinese drone maker issued a press release touting the findings of San Francisco-based Kivu Consulting, Inc. that was hired by DJI to perform an independent study of DJI’s data practices.

For its analysis, Kivu independently bought “DJI Spark, DJI Mavic, DJI Phantom 4 Pro, and DJI Inspire 2 model drones for testing and analysis. Kivu also obtained copies of the GO 4 mobile apps directly from the respective Apple and Android stores and installed the software on brand new, independently obtained, Apple iOS and Android devices.”

In addition to having the necessary hardware, Kivu also had access to managers and engineers from DJI in both Palo Alto, Calif. and Shenzhen, China to discuss software, product development, and information security practices. DJI even allowed Kivu’s team access to proprietary code.

“This is the first time DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” said Michael Perry, DJI Managing Director, North America. “This comprehensive report clearly debunks unsubstantiated rumors about our products and assures our customers that they can continue flying DJI drones with confidence.”

What Kivu looked into

Kivu looked into the following areas of DJI data security:

  • Data Storage and Transmission – DJI drones and the DJI Go 4 app do not automatically create and upload media files to servers; uploads happen only when the user chooses to initiate them.
  • Audio – DJI drones cannot record audio. The DJI Go 4 app can, but only if the user chooses to do so.
  • Flight Logs – DJI drones record flight logs on the drone and in the app, but will only upload the data to the server if the user selects to sync the information on the device to the server.
  • Diagnostic Information and “No Fly Zone” Data – By default, DJI drones transmit some information when the device is turned on. This can be prevented by disconnecting from the Internet, by deactivating the setting in the app, or by using Local Data Mode on Android devices.
  • Personally Identifiable Information – Users are asked to enter email addresses and phone numbers when the product is activated. This data is not verified and does not have to be filled in accurately. No other Personally Identifiable Information (“PII”) is collected.
  • DJI Servers – All information that is uploaded to the cloud is stored on Amazon Web Services and Alibaba Cloud servers located in the U.S.
  • Facial Recognition – DJI drones cannot identify individual faces and do not use facial recognition software.
  • Cloud Storage Security Audit – Kivu confirmed that DJI has remedied the exposure of data that was accessible on AWS servers and that the company complied with applicable laws.

Douglas Brush, Kivu’s Director, Cyber Security Investigations, had this to say about the findings, which you can download here in summarized form:

“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store, and transmit. For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server,” Brush wrote. “For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”

Interestingly, Gizmodo reported that it has had access to the full 27-page Kivu report since last Friday and noted that DJI’s Go 4 app does communicate with servers in China through a crash-reporting component called Bugly. The files are collected in a database called “Bugly_db_” and “contained the last IP address the mobile device was connected to, along with the International Mobile Equipment Identity (‘IMEI’) of the mobile device.” The locations of these servers in China are not disclosed, nor does Kivu make any mention of this detail in its summary. We have asked DJI for access to the full report to verify this but have not yet heard back.

DJI has been aggressively defending itself against the various data security claims the company received last year. The release of today’s findings is the latest but surely not the last chapter in this ongoing story. We will keep you up to date when more information becomes available.

DJI’s press release

Here is the full press release from DJI and link to the Kivu summary:

Independent Study Validates DJI Data Security Practices

Report Finds DJI Systems Keep Customer Data Private

DJI, the world’s leader in civilian drones and aerial imaging technology, Monday released the results of an independent report scrutinizing DJI’s data practices that concludes DJI drone users have control over how their data is collected, stored and transmitted.

The report analyzed drones and software independently obtained in the United States late last year, and confirmed DJI did not access photos, videos or flight logs generated by the drones unless drone operators voluntarily chose to share them.

“This is the first time DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” said Michael Perry, DJI Managing Director, North America. “This comprehensive report clearly debunks unsubstantiated rumors about our products and assures our customers that they can continue flying DJI drones with confidence.”

The report by San Francisco-based Kivu Consulting, Inc., was based on a first-of-its-kind detailed examination of DJI drones, mobile apps and servers as well as the data streams they transmit and receive. Kivu’s engineers comprehensively examined the code repositories for DJI’s mobile apps and tested whether DJI’s drones could transmit sensitive user data without connecting to the DJI app. DJI had no input into Kivu’s findings or conclusions.

“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store, and transmit,” wrote Douglas Brush, Kivu’s Director, Cyber Security Investigations, in a summary available for download here.

“For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server,” Brush wrote. “For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”

Kivu independently bought DJI drones as well as iOS and Android devices in the United States, and downloaded the DJI GO 4 mobile apps. Kivu set up systems to capture all data transmitted through iOS and Android devices running DJI GO 4, and reviewed source code, application data, server addresses, and data generated during operation.

In recent months, reports have emerged claiming DJI drones can transmit sensitive user data without the user’s knowledge or consent. None of those claims have been supported by evidence beyond speculation. Kivu’s report affirmatively shows DJI enables the protection of personal data, and claims to the contrary are demonstrably false.

DJI continues to emphasize its efforts to resolve concerns about data security, and to assure customers they can continue to rely on DJI products as the most stable, reliable and innovative drone platform.


Author

Haye Kesteloo

Haye Kesteloo is the Editor in Chief and Main Writer at DroneDJ, where he covers all drone-related news and writes product reviews. He also contributes to the other sites in the 9to5Mac group, such as 9to5Mac, 9to5Google, 9to5Toys and Electrek. Haye can be reached at haye@dronedj.com or @hayekesteloo.