Creating innovative and safe products is at the core of what we do at DJI. It is our passion and our mission.
We know great products need to be trusted, secure, and consistently improved. That is why we welcome the results of a new independent cybersecurity audit of DJI drone products, which found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party.
The security audit was performed by the cybersecurity team at global consulting firm Booz Allen Hamilton, on behalf of PrecisionHawk’s Unmanned Aerial Intelligence Technology Center of Excellence (UAS COE), as part of its ongoing effort to assess threat vectors facing unmanned aerial technology platforms. It examined three specific DJI commercial drone products: The Government Edition Mavic Pro, Government Edition Matrice 600 Pro, and the Mavic 2 Enterprise.
Today, the UAS COE released an executive summary of the audit, which we encourage all customers to read fully. It is another independent validation of the security of DJI products following reviews by the U.S. National Oceanic and Atmospheric Administration, U.S. cybersecurity firm Kivu Consulting, U.S. Department of Interior, U.S. Department of Homeland Security, and others. The audit is a critical step toward ensuring emerging drone technology is secure and able to be trusted for government and enterprise operations.
The audit found no evidence of data transmission connections between these drones and DJI, China, or any other unexpected party. From our perspective, this important finding from an independent, globally recognized leader in cybersecurity indicates that DJI customers have control over the data they collect when using our drones, contradicting reports that data from DJI devices is surreptitiously routed to other parties.
In addition to this important conclusion, we appreciate that Booz Allen’s extensive penetration testing and security review have provided us with further opportunities to enhance the security of our products. Through their extensive testing, the audit discovered several low or moderate severity threat vectors that pose a low-security risk to DJI users and that are also present in comparable commercial drone products. This is a welcome opportunity to further enhance the security profile of our products, even beyond the requirements requested by our government partners when our Government Edition was developed. We look forward to continuing to secure our products if more security issues are discovered.
We take these findings extremely seriously and are already implementing concrete steps to address many of the threat vectors identified in the report. Some have already been remediated, and we are actively working on several others, for our current products and longer-term approaches to security. All but two of these threat vectors relate to physical proximity or access to the drone itself.
For example, one threat vector relates to the type of encryption used on the radio signal between the drone and the remote controller. Older forms of encryption could make it easier for sophisticated actors located near the drone to intercept local radio transmissions. Although government users did not request stronger encryption, we have already taken COE’s advice and implemented the more robust AES-256 encryption on new and future enterprise products, including the Mavic 2 Enterprise. The threat vectors can also be remedied with additional security measures from DJI and by using the best practices that we outlined last year.
These actions reflect our commitment to security as part of our DJI Security Principles — to be transparent, to work with and learn from experts like the UAS COE, and to continuously improve our products to ensure DJI drones are some of the most secure and trusted products in the commercial drone industry.
If you are a customer using one of the drone platforms in the audit, we encourage you to visit the DJI Security Response Center to learn more about the steps we can take together to address and mitigate these risks, as well as get in touch with our team at firstname.lastname@example.org if you have any questions.
As an industry leader in the commercial drone market, we remain committed to working with customers, partners, industry, and experts around the globe to address security concerns. We encourage continued participation in the DJI Bug Bounty Program, the details of which can be found on our Security Response Center website. Taken together, these efforts will ensure our industry-leading products remain secure and trusted.