A memo from the U.S. Department of Homeland Security (DHS) warns that China-based Da-Jiang Innovations (DJI), one of the world’s largest drone manufacturers, has been providing information on critical infrastructure and law enforcement to the Chinese government.
The Los Angeles office of Immigrations and Customs Enforcement (ICE), specifically its Special Agent in Charge Intelligence Program (SIP), issued an intelligence bulletin back in August claiming that DJI is helping China spy on the United States.
A copy of the memo, marked “unclassified / law enforcement sensitive,” was published recently by the Public Intelligence project. The document, based on information from open source reporting and a “reliable source” in the unmanned aerial systems industry, assesses with moderate confidence that DJI is providing data on U.S. critical infrastructure and law enforcement to the Chinese government. The authors of the memo provide several examples of law enforcement and critical infrastructure organizations using DJI drones.
The agency also assesses with high confidence that the company is targeting government and private entities in these sectors in an effort to “expand its ability to collect and exploit sensitive U.S. data.”
ICE claims two of the Android applications provided by DJI for some of its drones automatically tag GPS imagery and location, register facial recognition data even when turned off, and access data in the user’s phone. The data, which the agency claims to include personal information and other sensitive data, such as power control panels and security measures for critical infrastructure sites, is allegedly stored on cloud servers to which the Chinese government “likely has access.”
“SIP Los Angeles assesses with high confidence the critical infrastructure and law enforcement entities using DJI systems are collecting sensitive intelligence that the Chinese government could use to conduct physical or cyber attacks against the United States and its population,” the memo reads. “Alternatively, China could provide DJI information to terrorist organizations, hostile non-state entities, or state-sponsored groups to coordinate attacks against U.S. critical infrastructure.”
The intelligence bulletin also points to a recent memo of the U.S. Army, which instructs units to stop using DJI drones due to cybersecurity vulnerabilities, and a U.S. Navy memo on the operational risks associated with the use of the Chinese firm’s products. DJI has taken some measures to improve privacy following the Army ban.
The ICE document also claims that DJI aggressively dropped drone prices in 2015 to force its main competitors out of the market.
“The bulletin is based on clearly false and misleading claims from an unidentified source,” DJI said in response to the ICE memo. “Several of the key claims made by this unnamed source show a fundamental lack of understanding of DJI, its technology and the drone market.”
The company claims its products are not capable of recognizing a person’s face for identification purposes – a feature exists for tracking the movement of the shape of a person or the shape of their face in order to control the drone, but DJI claims it only works when the system is powered on and the Active Track mode is enabled.
DJI also refutes claims that its pricing strategy has caused competitors to stop production, and denies selling its products cheaper in the U.S. than in China.
“DJI does strive to comply with local laws and regulations in each country where its drones operate and to facilitate compliance by our customers. To the extent that there are location-specific rules and policies within China, we ensure that our systems comply with these rules, including the need to register or include no-fly zones on board,” DJI stated.
“In compliance with the Chinese regulation, DJI utilizes the user’s IP address, GPS location, and MCC ID to determine if a drone is being operated in China. If so, DJI provides the customer with the features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government,” the company added.
DJI has also shared some more information regarding a recent incident involving a researcher who took part in the company’s bug bounty program. The expert had been offered $30,000 after finding some serious vulnerabilities, but he walked away from the deal due to an agreement DJI had asked him to sign.
The accusations brought against DJI are similar to the allegations that Kaspersky Lab is spying for the Russian government. Kaspersky’s products have been banned in U.S. government agencies by the DHS after several media reports on the topic. However, no evidence has been provided to back the claims.
Related: Design Flaws Expose Drones to Hacker Attacks
Related: Chinese Cyberspies Target European Drone Maker, Energy Firm