As we reach the end of 2017, it’s impossible not to look back on a year in the drone industry without recognizing the ups and downs of leading manufacturer, DJI. Most of the ups have of course been product-related: The Spark hit the market, as did the CrystalSky monitors, Mavic Pro iterations, DJI Goggles and a range of new cameras and accessories.
Most of the downs have been related to data security, from US Army memos to ICE documents and a turbulent bug bounty program. In 2017, DJI has cemented its position as the leading supplier to both recreational pilots and professionals. But with that domination has come more scrutiny. This past year the company has been under the microscope more than ever, which isn’t in itself a negative thing. With great power comes great responsibility, after all.
Michael Perry, managing director of North America for DJI, sat down with Ian Smith of the Commercial Drones FM podcast for an in-depth conversation on all of the above and more. Among the topics covered were:
- Drone re-registration
- New products – AeroScope and FlightHub
- U.S. Army memo & Local Data Mode
- Bug bounty program
- U.S. and non-U.S. server locations
- ICE Report on DJI drones “sending critical U.S. infrastructure data back to China”
- DJI’s role in the drone industry moving forward
But we’re going to focus on the data security topics. Not because they are the most interesting necessarily, just because it’s nice to end the year with the hope that we can talk about something else come January…
So what did Michael Perry have to say on:
The US Army memo that circulated over the summer…
It’s interesting to hear Perry’s thoughts on the US Army memo, which was arguably the catalyst for a number of stories and announcements that followed. In case you don’t remember, the memo recommended that all military use of DJI drones be halted, due to ‘Cyber Vulnerabilities’.
Most interesting is the fact that DJI still has no idea what ‘cyber vulnerabilities’ the memo was referring to, although there are a few things it could have meant. Here’s what he had to say:
“The army memo generally was talking about ‘cyber vulnerabilities’, and we’ve not seen the report that they’ve cited in Army research lab or Navy research lab memos that they’ve cited in the report. So we don’t know what they’re responding to specifically. They were just talking about ‘cyber vulnerabilities’ as a larger bucket.
“To our mind that could be one of two things. One is about the safety of the integrity of the data that’s collected by the drone or you know the ability for malicious actors to attack the drone while it’s in operation.”
Local Data Mode…
Interestingly, Perry reveals that both the Bug Bounty program and the Local Data Mode that followed were actually in development before the memo went public. Although ‘in progress’ could mean anything from a concept on a whiteboard to beta testing.
“The two announcements that you were talking about were actually things that were in progress ahead of that memo, just because they were challenges that we anticipated earlier this year… we ended up having to accelerate the announcements just to show ‘hey look, we’re working on these things’.”
Perry says that Local Data Mode was brought about by enterprise clients’ requests for absolute security.
“Local Data mode actually came out of a request from over a year ago when we were working with some of our enterprise clients, who said ‘Look, I understand that DJI has the ability to capture flight logs and can upload pictures and videos to Skypixel’. We’ve done a lot of work to help show that that’s a manual operation that people have to opt into.”
According to Perry, the fact that flight logs had to be manually uploaded was not convincing enough for some customers, particularly those dealing with sensitive operations.
“We demonstrated that to the client and they said, ‘Okay, got that. It’s not being passively pulled to someplace else. But we also know that a lot of the operators in the field using your equipment might accidentally push a button that they’re not supposed to and there are OPSEC requirements in terms of how they handle data.”
“We started doing that over a year ago… And earlier this year we started getting that request more frequently from our enterprise customers. So it was a priority for us to start rolling this out sooner rather than later.”
The locations of DJI’s servers…
Part of the perceived cyber vulnerability of DJI drones and software was probably due to question marks over the location of the company’s servers and the notion that drones are sending sensitive information to China. Here’s what Perry had to say on this issue:
“Obviously, as a global company, we have servers all over the world. That includes Amazon Web Services servers here in the US. So when somebody uploads their data to DJI, that’s stored on an AWS server. American users, when they upload something to DJI, it’s stored on an AWS server here in the States.”
So that’s about as definite as he could have been about where American pilots’ manually uploaded data is going.
Typically, he says, this information is stored for the sake of customer service. When somebody crashes their drone or has a technical issue, DJI can take a look at the flight logs and determine what happened.
Adapting to the responsibility that comes with being more than a consumer company…
There are two schools of thought surrounding DJI and the company’s data security issues. On the one hand, a vocal minority believe that the actions of the Chinese manufacturer are nefarious, a threat to national security and amount to espionage.
More likely – and something that’s alluded to by Perry – is the fact that DJI is having to adapt to data responsibilities that come with having a huge number of enterprise clients. There have been teething problems:
“As we’re moving into a more enterprise field we’re having to step up our data security game. We have to start thinking about how large companies are using software to capture and store data, and I think that’s not a unique challenge for DJI. You know several other consumer electronics categories have had to deal with the same issues.”
“That includes smartphones. As you probably know it wasn’t until the iPhone 5 that phones were accepted on military bases. And you know even still there’s that segmentation between that consumer technology which is the iPhone, and specific applications where you have to use a Blackberry even now because of the level of encryption. So I think DJI is finding our role within that.”
The Bug Bounty Program…
DJI’s rollout of a Bug Bounty program hasn’t been a smooth one. Things came to a head in November, when a security researcher walked away from a $30k bounty and claimed that DJI had sent him legal threats. Here Perry is slightly contradictory.
On the one hand, he states that the Bug Bounty program was in response to the news that DJI drones were being hacked to get around no-fly zones and altitude limits. There was no formal channel for researchers who wanted to help with this issue and that needed to be addressed.
But he also admits that the announcement of the rollout came before the necessary infrastructure was in place. Reading between the lines, the Bounty Program was rushed to help DJI look like it was taking security seriously – so it can’t have been that far along in terms of development. Perry suggests that this led to a mismatch in expectations between the company and researchers submitting reports:
“The frustrating thing to us was that we didn’t have a formalized channel for people to let us know that there was a problem. And that’s a challenge for us as an organization because we have to be able to respond to some of the potentially malicious attacks against our systems.”
“So we started talking about creating a bug bounty to respond to that specifically and then again talking about this broader bucket of cyber vulnerabilities. We wanted to provide a mechanism in case this was one of the key concerns that some of our users had about our equipment. We wanted to show that we’re doing due diligence.”
“Unfortunately, the announcement preceded a lot of the necessary infrastructure in order to make that sort of system work. So, particularly in the early days of that program, there was a mismatch of expectations between the DJI side and the security researchers’ side. I won’t go into the specifics of Kevin’s case but I would just say that generally at that early stage there is just a total mismatch of expectations.”
“But now we have implemented formalized terms of the agreement. We’ve set up a website and as of today we have had over 25 successful bounty claims through the program and again from researchers from all over the world.”
That ICE memo…
The final topic of interest that was covered in the interview was the ICE memo that circulated and made headlines last month. In effect, the memo stated that DJI was passing on data to the Chinese government – a notion the company dismissed as “insane” at the time.
Perry took the opportunity to set a few things straight:
On claims that data on US critical infrastructure was being sent back from DJI drones and made available to the Chinese government, he said, “Categorically no. That is not true.”
“If you read the full report, you’ll see that all of it is based on one unidentified source, who apparently has deep knowledge of the drone industry. But if you start actually looking through some of the specifics of what this source is claiming, it’s pretty outrageous.”
“I mean the claims range from the small and insignificant to the pretty large misses. Like saying that Yuneec and Parrot are no longer manufacturing, that we’ve (DJI) sold X amount of units shipped through this port that don’t match our numbers for what we actually sell. And the even more outlandish claims, like that our systems do facial recognition even when the system is turned off.”
“And all that’s really hard to stomach. So that’s the basis on which this report is coming from which is an unidentified, unreliable individual. That said, we have to make sure that we’re addressing the concerns systematically. And that’s an area where we have to do better. We have to be clear about what we do and what we don’t do. And the easiest defense that we can point to right now is just saying DJI doesn’t want your data.”
“We’ve provided a ton of tools in order to make sure that you don’t give us your data that includes you know making sure that you can fly without an internet connection. But more fundamentally, we do have to do a better job to show how people’s data is being managed when it comes to DJI and that’s something that we’ll be working on through 2018.”
It’s certainly an interesting interview and well worth listening to. Although it’s a gentle conversation and it could be more challenging at points, it’s good to hear Perry admit (although not directly) that mistakes have been made with regards to the Bug Bounty program and DJI’s communication in general regarding data security.
But in many ways, slip-ups are to be expected. Broadly, all of the recent steps – setting up AWS servers, Local Data Mode, attempting a working Bug Bounty Program – should go a long way to reassuring recreational and enterprise customers as we head into 2018.
Hopefully it won’t be too long before the focus shifts towards the positives that DJI brings to the drone table: innovation, new hardware, software advancements and increasing industry recognition.