Kivu’s report on DJI’s UAV Data Transmission and Storage practices – Are DJI drones really spying for China?

Last Monday, we wrote about the Kivu report’s findings. Today we are taking a closer look as DJI has sent us a copy of the full report. Because of competitive reasons the Chinese drone maker has requested us not to post the entire report online or share any of the images. However, we are free to share segments of the text with you. The 27-page document is the result of Kivu Consulting’s forensic investigation of DJI’s UAV Data Transmission & Storage practices and contains information about Kivu’s methodology, analysis, findings, and explains up to a degree what information is collected and to which servers it is going. For their investigation, Kivu independently bought a DJI Spark, Mavic Pro, Phantom 4 Pro and Inspire 2 model drones as well as a Huawei Honor 5x smartphone with the Android operating system and an iPhone SE running iOS. We went through the entire report to see if any new information came to light and to see where your information might be going to.

The purpose of the report

DJI dealt with a number of data security issues last year (details here), that resulted in the U.S. Army issuing a ban on the use of unmanned aerial devices from the Chinese drone maker. Later in the year, U.S. officials started to wonder whether DJI’s products could be used to spy on the U.S. and if sensitive information was possibly being sent back to China.

DJI took these allegations seriously and denied them outright. The U.S. is an important market for DJI as evidenced by the many global product launches that took place here, the introduction of the Mavic Air in New York being the latest. To stem the growing concerns about DJI’s data security practices, the company decided to hire a forensic investigation company, Kivu Consulting, Inc. (“Kivu”) to independently review DJI’s UAV data transmission and storage practices.

The full report states that:

“Kivu was asked to conduct a data security analysis regarding DJI’s unmanned aerial system (“UAS” or “drone”) products. The scope of the engagement included analyzing the types of data collected and stored by the drones and associated flight control software, as well as the types of data that are transmitted to remote servers, the conditions for transmission, and the location of the remote servers. The engagement also included conducting a data security and vulnerability analysis on the drone products and the remote networks used for transmission and remote storage of data.”

Kivu was retained by McDermott Will & Emery LLP (“MWE”) on behalf of its client, SZ DJI Technology Co., Ltd (“DJI”) on October 11, 2017. The report was completed on February 13, 2018, and the findings were shared with the public in a press release on April 23, 2018.

Executive Summary

Since we already covered the findings in detail in our previous post, we’re keeping this section short. Kivu’s executive summary boils down to this:

“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store, and transmit. For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server. For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”

In short, the user is in control over what data he or she wants to upload to DJI’s servers and can even prevent any data from being uploaded at all by using a smartphone or tablet without an Internet connection.

Let’s talk about DJI’s servers

This left us wondering, where does your information go when you do start the DJI Go 4 app, upload, sync or update your firmware? Which DJI servers does the Go 4 app connect to and where are they located. Could it be that DJI’s drones are being used to spy on the U.S. and does information, such as photos, video footage, and flight logs, actually get transmitted back to China?

Let’s take a deeper look.

1) Upload photos, video, and audio to DJI’s Skypixel

If a U.S.-based user to captures photos and video footage with their drone AND uploads the media files to DJI’s Skypixel, their information will be sent through an encrypted tunnel with SSL/TLS to Alibaba Cloud servers located in San Jose, California. The report also mentions that “Kivu did not identify any instance of photos, video, or audio being sent to DJI servers without direct user action and authorization.” The drones that were analyzed by Kivu have no ability to record audio. Audi can be recorded on the smartphone but that feature is turned off by default.

2) “Fly Safe” and Flight Record Data

When you start up a DJI drone and the DJI Go 4 app, a generalized location within a 10km radius of the actual drone location will be chosen and will be referenced against a database of No-Fly Zones. The report states that “to help users maintain safe drone operation and avoid flying in restricted airspace, DJI implements “Fly Safe” through the use of “No Fly Zone” (“NFZ”) databases. These databases contain information relating to areas where drone flight is prohibited.”

During a flight, the DJI drones capture and store very detailed information, such as GPS locations along the flight path, GPS locations, and thumbnails of photos taken as well as any video recordings. Furthermore, the drone records specifics such as time-stamps, speed, direction, battery information, compass error, mode, altitude and a lot more detailed information about the drone and the flight. The report informs us that “users have the option to upload their flight logs to DJI servers for backup purposes or submit them to DJI for review in the event of a crash or malfunction during flight. Notably, DJI drones do not automatically upload or transmit flight logs.” When users in the U.S. chose to synchronize their flight logs with DJI the information is sent to an Amazon Web Services (AWS) server located in Ashburn, Virginia, USA.

“Kivu did not identify any part of the GO 4 application designed to automatically or intentionally send user data such as media, flight logs, or precise location data to DJI servers without user authorization.”

3) User Experience Data

In the report, it states that “user Experience data refers to basic information about the drone’s usage. Examples are flight distance, duration, average number of photos taken during each flight, etc. This type of data differs from flight logs due to the lack of GPS information and user data. By default, user experience data automatically transmits to DJI servers but can be disabled by the user within the application.” Exactly which servers the data is sent to is not specified in the report.

4) Diagnostic data

5) Additional Data Transmission

When you update the firmware on the DJI drone or controller communications are established with an AWS server located in Ashburn, Virginia, USA if you are using the DJI Assistant 2. When you are updating using your smartphone a connection is established with an AWS server in Seattle, Washington. In certain situations, connections were also established with an AWS server in Dallas, Texas.

Upon opening the DJI Go 4 app a number of DNS requests are made to various servers in several regions and countries, such as two Tencent cloud computing servers in Shenzhen and Beijing, China, an Alibaba cloud server located in Hong Kong and in San Mateo, CA, as well as number of AWS servers in Ashburn, Virginia, Seattle, Washington and Miami, Florida. The information that is transmitted to the Alibaba cloud server in Hong Kong contains “the country code, mobile device operating system, and a serial number.”

6) Personally Identifiable Information

From the Kivu report: “When a user first uses the GO 4 application they are asked to create a user account which contains an email address as a username. However, DJI does not validate the information, so a user can input an anonymous or invalid email address if they choose, with no effect on drone operation. This information is collected and stored within the GO 4 application. Based on Kivu’s analysis, except for the email address and phone number collected at the time of product activation, DJI drones and flight control applications do not collect, store, or transmit any Personally Identifiable Information (“PII”) such as user identity, full names, phone numbers, user credentials, photos, or videos of users (other than photos or videos captured and/or transmitted with the express authorization of the user, as discussed above). Additionally, Kivu did not identify DJI drones having the capability to access any PII stored by the user on Android or iOS mobile devices (when connected via the GO 4 application) or on computers (when connected with the DJI Assistant 2 software).”

7) Facial Recognition

From the Kivu report: “DJI drones cannot recognize individual faces or identify people by facial recognition. The feature called “Gesture Control” uses another feature commonly referred to as “FaceAware.” The DJI Spark utilizes this technology by allowing a user to control the Spark while in flight by making physical hand gestures. To enable Gesture Control and FaceAware, the user must explicitly turn the feature on within the application. To register the user’s face with the Spark, the user must hold the Spark on their palm in front of them while the device generically recognizes the shape of a human face and its distance relative to the device. Kivu tested the feature to determine whether it could distinguish between individual faces by having a different user (who did not stand in front of the drone to enable the FaceAware technology) attempt to control the drone with their gestures. The drone responded to gestures from various people, regardless of which person performed the registration. Ultimately, Kivu determined DJI drones are not capable of recognizing an individual based on facial recognition.”

8) Information Security Audit

The report also mentions that: “Kivu is aware that certain information stored on DJI’s AWS cloud servers was recently and inadvertently made publicly available, and Kivu has confirmed that DJI corrected this issue with the cloud server access.” Without specifying exactly what situation Kivu is referring to, it almost certainly is the case where security researcher Kevin Finisterre found sensitive information stored on AWS servers and ultimately walked away from a $30,000 bug bounty last summer.

As part of the forensic study as performed by Kivu on DJI’s behalf, the consulting company performed an “information security audits including industry-standard asset inventories, security checks, and vulnerability scans.” All findings were communicated directly to DJI and Kivu says that they “worked with DJI to complete the recommended steps and then validated the remediation.”

9) Access control

Kivu mentions in the report that of all the data that is stored on the AWS cloud servers in the U.S., they were able to review the security policies that are in force as well as the user accounts and security groups that have access privileges to these servers. Kivu confirms that as of the date of their report “DJI’s network access controls are in order and designed to prevent unauthorized access to information stored on DJI’s AWS cloud servers.”

In the same paragraph, Kivu briefly mentions the Alibaba cloud servers used for storing the Skypixel social media sharing platform and media files. About which they said earlier in the report: “Both AWS and Alibaba Cloud are widely used by global organizations and have the best in class security controls available to their customers. DJI maintains, manages, and accesses these server resources through their internal IT department.” Kivu does not specifically say that it has confirmed or reviewed the security measures and access controls for the Alibaba cloud servers, which are based in San Manteo, CA and Hong Kong.

Kivu does not make a statement on the security measures and access controls of the Tencent servers in Beijing, and Shenzhen.

DroneDJ’s take

Kivu’s 27-pages report is very detailed and technical at times and certainly leaves the impression that it is a very thorough report. However, you have to keep in mind that even though the forensic investigation of “DJI’s UAV Data Transmission & Storage” practices has been performed by an independent contractor, DJI paid their bill. Whether this has influenced the way in which Kivu wrote the report, is impossible to know but the possibility is there.

Gizmodo mentioned that DJI had been privately sharing the “preliminary conclusions” of Kivu’s independent research with, among others, some U.S. military officials since at least February 14 and that “Prematurely releasing the positive results of an ongoing forensic analysis is out of the ordinary, to say the least.” The report is dated February 13, so the information that was shared on February 14 and later should not be the preliminary conclusions but should have been the final report. Why DJI waited until April 23 to finally release the findings of the report to the public is unknown.

Kivu concludes that “DJI drones do not automatically transmit most types of user data without explicit user authorization,” and that “other types of data are transmitted by default but users can prevent these transmissions if desired,” but that “the user can prevent these transmissions by deactivating them in the GO 4 application settings and/or using a mobile device that is not connected to the Internet.” This means that an informed user can make sure that no data captured by the drone is sent through the DJI 4 Go app to any server anywhere in the world.

Does the report indeed remove any doubts related to “DJI’s UAV Data Transmission & Storage” practices? I would say for the most part yes.

First, because as a user of a DJI drone you can make sure that no information is transmitted to any of DJI’s servers by simply keeping your smartphone or tablet disconnected from the Internet. Android users have the option to fly their DJI drone in “Local Data Mode”, which is specifically designed to overcome this concern.

Second, according to the report, most of the detailed information such as high res photos and video footage remains on servers in the US and is encrypted during transmission. Even the detailed flight log information stays on AWS servers in Ashburn, Virginia, USA.

Third, Kivu emphasizes that the AWS and Alibaba cloud servers are very secure and that at least for the AWS servers they were able to confirm all the security measures and access controls. As far as the Tencent servers are concerned we do not know for sure.

Fourth, the Kivu report also tells us that the DJI drones do not have any facials recognition capabilities and that no sensitive data is being transmitted to China, making the claims from ICE and other U.S. officials about DJI drones spying on the U.S. and sending that information back to China seem farfetched.

However, even if DJI’s data transmission and storage practices are 100%, it still doesn’t guarantee that it is entirely impossible for any data captured by DJI drones to end up in the wrong hands. Governments, hackers, and security researchers may still find ways to access data that is stored in the cloud and DJI may not be aware at all. Seemingly the only way to make sure that your data from your drone does not leave the country is to keep your drone offline.

What do you think about the Kivu report? Let us know in the comments below.

Email sign-up form

Would you like to receive our DroneRise email every weekday morning? Enter your email below and look for an activation email in your inbox to confirm your DroneRise email sign-up.

Note: Support DroneDJ by buying your next drone through our site. You can use the following links directly from manufacturers, such as DJI, Parrot, Yuneec or retailers like Amazon, B&H, BestBuy or eBay. Thank you!