Official Navy memo on DJI drones noted cheap cost, risk

By Kelsey D. Atherton
2019-12-16

The cheap cost and commercial availability of DJI drones mean many have found their way into military use. (Nancy C. diBenedetto/Navy)

When the Army moved to ban drones made by China-based manufacturer DJI in the summer of 2017, it did so on the advice of the Navy. While the Army’s memo was made public in August 2017, the Navy memo had not been published until today. The memo warns of a range of cyber vulnerabilities inherent in the system and offers a range of mitigation strategies.

Obtained by the National Security Archive through a FOIA request, the Navy memo is housed online as part of the NSArchive’s Cyber Vault project.

Titled “Operation Risks With Regards To DJI Family of Products,” the Navy’s memo is dated May 24, 2017, and goes into much greater detail than the Army memorandum that was publicly released. Specifically, “Operation Risks” warns about the data link between the aircraft and the ground station, pointing to existing open-source research that allows adversaries to passively view video and metadata from the drone and even assume control over the vehicle.

Despite the cybersecurity risks feared with the drones, the low cost and ease of availability made the drone prevalent in military use.

The Navy memo does not call for an outright moratorium on using the commercial drones. Instead, it outlines a range of risk mitigations possible to manage cyber vulnerability, electromagnetic compatibility, and the need for training and technical support. A fourth category of risk, low reliability, is self-mitigated. The memo notes that “loss of the air vehicle through damage or malfunction should be considered highly probably over time. DJI systems are expendable.”

Many of the cybersecurity risks are common across internet-connected commercial off-the-shelf devices. The memo recommends not using a removable SD memory card in case it is lost when the drone is lost, but notes that memory on such cards and on the cache of the drone’s ground control station can also be wiped before connecting to the internet.

Other recommendations are broadly common sense for any device that, when connected to the internet, could store data in servers outside the jurisdiction of the United States. These include “conduct training in areas that are not operationally sensitive,” “cover the camera when not in use” and “do not connect the ground control station to military networks using wired or wireless connections.”

Overall, the Navy memo gives a reasonable portrait of the baseline risks expected when incorporating a useful hobbyist toy into military service.

It is also worth reading the Navy memo in light of the subsequent development of DJI’s “Government Edition” hardware and firmware for the drones. While not in use by the military, nor designed for it, Government Edition was built in collaboration with the Department of the Interior to provide the utility of low-cost commercial drones without the security compromises inherent in just buying an internet-connected device off the shelf.

In October 2019, Interior grounded all its DJI drones, as well as other drones made by China or incorporating parts made in China, citing security risks. It is unclear, especially with the existence of Government Edition, what security risks persist in the DJI-made products.

In the meantime, the military has been unable to find a product that matches the utility and price point of DJI drones while meeting security standards. The newly released Navy memo gives insight into the risks as first identified, and what mitigation measures were recommended at the time.