In Defence of DJI: Why Hackers Are Wrong to Play Games


Plenty of controversial drone industry issues can be found within the text of a single article from our colleagues at sUAS News, titled ‘Don’t be Evil DJI’. We’re still trying to get a grip on exactly what the point of the piece was. But a number of claims were made against the Chinese drone manufacturer.

These claims included references to “DJI’s part in what appears to be phishy things when it comes to regulations and FAA rulemaking” and links to sites for people keen to hack their way past the company’s Geofencing functionality. There was also justification for doing so:

“Why so angry then DJI when people unlock your products to remove the restrictions you put in place? Did you really think that people would do nothing and just happily accept losing functionality, functionality that they paid for essentially?”

On top of that is a lingering conspiracy theory – perpetuated by the same site and its contributors – that drones made by DJI are being used to share sensitive data with the Chinese government.

On Unfair Influence

We may be missing something here. But there isn’t anything fishy about an industry leader offering input on regulations for the emerging drone space.

Along with Parrot, GoPro and 3DR, DJI is a member of the Drone Manufacturer Alliance, a group specifically set up to share ideas with policy makers. DJI is also represented on the FAA’s Drone Advisory Committee, along with leading business figures such as Intel CEO Brian Krzanich, Precision Hawk’s Michael Chasen and members from Facebook, Amazon Prime and 3DR. Hardly a collection of Chinese sleeper agents. The members of this group are recommended by the RTCA with final approval of all members coming from the FAA.

These are not backroom deals. Clearly, no corporation is benign. But it appears as though DJI is influencing policy through official industry channels.

So what’s the root of this antipathy towards an otherwise popular drone manufacturer? The answer is a complicated one. Aside from industry domination and the (uncomfortable for some) idea of a Chinese company having a seat at the US regulatory table, the company’s Geo system and the measures it has taken to enforce it have caused controversy.

How the Geofencing Controversy Unfolded

Geofencing is nothing new. Just under 5 years ago, DJI drones featured an element of restriction to ensure no-fly zones and limits on operating heights weren’t breached. But it was in 2015 that DJI’s Geofencing system took on greater significance. The move to prevent its drones from operating in restricted areas was in response to public concern and a number of high-profile incidents involving drones flying where they shouldn’t. These included airport ‘near-misses’ and even a crash on the White House lawn.

The idea was simple: coordinate with national regulatory bodies to enforce no-fly zones near airports, prisons and the like. Those who did have permission to be operating within a no-fly zone would have to authorize their device, provide some personal information and have a verified DJI account.

The latest DJI Geo System is just an updated iteration of that concept. However, there has been growing controversy over the manner in which it has been forced onto DJI pilots, as well as legitimate questions asked about data storage and security.

Things came to a head in May when DJI announced a new ‘Activation process’ that would ensure pilots “use the correct set of geospatial information and flight functions for your aircraft, as determined by your geographical location and user profile”.

The most controversial aspect of this update was, in the eyes of many DJI customers, the restrictions that would be placed on flights if the software and firmware updates weren’t installed and each pilot’s account information wasn’t verified:

If this activation process is not performed, the aircraft will not have access to the correct geospatial information and flight functions for that region, and its operations will be restricted if you update the upcoming firmware: Live camera streaming will be disabled, and flight will be limited to a 50-meter (164-foot) radius up to 30 meters (98 feet) high. 

There seem to be two camps of dissatisfied DJI customers. The first believe that the company has no right to regulate its products once they have been sold, and that the question of obeying FAA legislation is between a pilot and the national government.

The second camp is made up of commercial pilots who have been inconvenienced or completely grounded by the latest software updates to Geo. Clearly, this is not ideal for people who have jobs to get on with, and downright embarrassing if it’s been happening in front of clients.

Whichever camp you’re in, there’s a consensus that DJI hasn’t handled the situation very well. Poor communication and less than adequate customer service are both things that have been associated with the Chinese manufacturer in the past.

Enter the Hackers

Many DJI pilots have grown frustrated at the fact that DJI continues to oversee flights once ownership of a drone has moved from the company to an individual.

And wherever there are disagreements concerning software features, you can bet there’ll be people offering to alter the code to suit the highest bidder. Last month it became clear that plenty of pilots were doing exactly that. Russian hackers began selling pre-coded software patches and DIY coders set up social media groups to share reverse engineered solutions.

The aim is simple: to remove all of DJI’s flight restrictions and liberate pilots around the world.

Here’s one example of an early software hack on offer for the Mavic Pro, for $200, from the ironically named Russian company CopterSafe:

[Image: coptersafe]

There are even reports that liberated pilots are having altitude photo contests.

DJI Responds

In a Motherboard article, Ben Sullivan outlines the arms race underway between pilots and a manufacturer trying to wrestle back control of its aircraft. DJI has since removed versions of its firmware that are vulnerable to hacking from its servers, and auto-updated DJI drones that already had vulnerable firmware installed.

“A recent firmware update issued for all DJI drones fixes reported issues and ensures DJI’s products continue to provide information and features supporting safe flight,” the company said in a statement. “DJI will continue to investigate additional reports of unauthorized modifications and issue software updates to address them without further announcement.”

We’ve also spoken with DJI. The company’s head of global policy, Brendan Schulman, had this comment to share on the news that many DJI pilots are seeking to work their way around GEO:

“The recent headlines you may have read are fueled by a very small minority of customers who are attempting to circumvent the safety features of DJI drones, like our Geospatial Environment Online (GEO) and our No Fly Zone (NFZ) systems.

Most of the commercial and government operators we talk to appreciate that DJI has taken proactive steps to protect areas that are very sensitive for aviation safety or national security.”

It’s now come to light that UAS security consultant Kevin Finisterre is selling a hacked DJI drone on eBay. Whatever his particular motivations, is this the beginning of a black market for emancipated DJI drones?

Concerns over DJI’s Forced Updates

There are some legitimate concerns over DJI’s recent update, which was essentially forced upon its user base with the threat of flight restrictions for pilots who didn’t adhere.

People don’t like being forced into anything. Instead of threatening and implementing operational restrictions, the company should have handled the situation better and done more to communicate the continued benefits of the Geo system and the update. The press release detailing the update back in May was poorly worded and made it easy to jump to the conclusion that something sinister was going on.

But concerns over forced updates are only half the reason for this DJI pilot rebellion.

Frustrations with Restrictions

Frustrations over flying restrictions have been around since Geofencing was introduced. It’s essentially an ethical question. In a perfect world, regulations governing drone flight would not be needed. But irresponsible pilots exist and, as long as they continue to fly in dangerous ways and areas they shouldn’t, rules will be introduced to stop them. Whether it’s cars, guns, alcohol or drugs, a minority will always ensure that regulations are required for the majority.

Most pilots agree with this position. But plenty disagree that enforcing those rules should be within DJI’s remit.

This is taken from an angry DJI customer posting on Facebook, summing up a fairly common point of view:

“I had my reservations about DJI when I purchased it a few months ago but this latest effort to place new restrictions on users they never agreed to when they purchased the product is a massive fail on the part of DJI’s marketing team. The way a product is used should be strictly between the user and his government, NOT, the manufacturer of the product.”

Simple to understand, easy to dismantle.

The Hypocrisy of ‘Freedom’ and the Irony of Drone Emancipation

There have been plenty of reports – and even some videos – of pilots using the DJI ‘Jailbreak’ for their Phantoms, Mavics and Inspires. But this need to be free from DJI’s safety features is both hypocritical and dangerous.

No fly zones are being enforced for a reason. It only takes one drone pilot exercising his or her ‘freedom’ to collide with a passenger jet. Not only could it cause a fatal accident but it would likely bring the emerging hobbyist industry crashing down in the process.

What about those passengers’ freedom to fly safely? Or sports fans’ freedom to go to a game without worrying a drone is going to fall out of the sky into the crowd? Freedom is an empty justification if it robs others of their basic rights.

On several sites, the hacking of DJI drones has been referred to as some kind of independence day. But the ironic thing about drone emancipation is that it will inevitably lead to stricter regulations being imposed on the entire pilot community. One incident is all it will take for public opinion to shift dramatically. And when that happens, regulations will tighten and the same pilots who complained about Geofences being enforced today will be left wishing things could go back to how they were.

We are fortunate that to date there have been no fatal drone accidents or collisions. Removing the central safety features of the world’s most popular manufacturer is a sure way to increase the likelihood of that happening.

Who really has the drone industry’s best interests at heart?

All of that leads to the question: Who really has the drone industry’s best interests at heart? Rogue pilots who put their right to fly dangerously ahead of the safety of others? Or a global brand which has done more than most to advocate positive drone uses?

Clearly, DJI and its fellow manufacturers have a lot to lose from a serious accident involving one of its drones and tighter regulations. Questions over liability will emerge when something does eventually happen, and the company needs to be seen to be doing what it can to prevent such a situation.

But the fact that DJI’s profits and long-term security are tied to maintaining public safety is no bad thing. The success of the industry is in the company’s best interests. Because of that they have pioneered obstacle avoidance technology, publicized life-saving applications and are slowly getting there with Geo.

Authorization = Accountability

A key point in the defence of DJI’s Geofencing is accountability. Now that the FAA’s registration rule has been successfully challenged in court, there is no guarantee it will be possible to trace rogue drones back to their pilots.

Many critics make the point that, for example, car manufacturers don’t put speed limits on their vehicles. You can go out there and buy a gun if you so choose. You’re punished if you commit the crime, not restricted from doing so before the event. But the problem with drones will always be accountability.

Being behind the wheel of a speeding car is very different from being behind the controls of a rogue drone. You could be miles away while your actions are causing chaos; you can fly without putting yourself in danger and the sense of personal responsibility is pretty far removed. You’re basically anonymous.

That’s why a preventative system is so important.

How Geo Works

At the moment, DJI’s Geo system requires varying levels of authentication depending on which type of no-fly zone you want to operate in. The authorization process is, in theory, simple to navigate. It gets more complicated if you want to fly in Authorization or Restricted zones.

[Image: The different zone categories in DJI’s Geo System]

From a practical perspective, these restrictions will no doubt frustrate commercial pilots when they occur unexpectedly. But it shouldn’t be too difficult to check ahead of time and arrange authorization before a flight is due to take place.

There are questions over the accuracy of the system, which might have something to do with DJI being more safe than sorry – also known as ‘an abundance of caution’:

Sometimes the Zones in GEO do not necessarily match the parameters or shape of official geospatial features due to an abundance of caution or technical reasons. Each user is responsible for checking official sources and determining what laws or regulations might apply to their flight.

Ironing out the kinks in Geo

We spoke with Kevin Finisterre, a long-term critic of DJI’s approach to security and the hacker behind the “Red Herring” exploit that allows pilots to overcome NFZs and altitude restrictions.

From a personal perspective, Finisterre is frustrated because his flights are being restricted despite the fact that he has permission to operate in his local NFZ. But this, he says, is a widespread problem and is indicative of the “dumpster fire in implementation” DJI has introduced with GEO. 

“DJI made a mistake by entering the digital arms race with their end users under the guise of “safety”… They claim GEO is “advisory only”, yet they actually “enforce” (and do so poorly). My goal is to raise awareness on the farce that is GEO. Either do it right… or hang it up. The moment you start preventing people from downgrading, forcing logins, etc… you’ve entered an arms race,” he said.

Finisterre insists that the aim of his work is to “drive DJI to do better”, and when challenged on his method, denied that his actions are encouraging dangerous drone flights and rogue pilots.

“I am enabling rogue pilots no more so than the next person selling DIY FPV gear and I sure as f**k am not encouraging it… I shun it regularly.”

Whatever your opinion of Finisterre’s work, there’s no doubt that it’s a consequence of DJI’s lax approach to security. That hackers are now able to exploit loopholes and get around no-fly zones should be a concern for all involved in the industry.

Getting authorized to fly in the NFZ has been a contentious point for pilots like Finisterre, who say that the “forms don’t work and they [DJI] never reply or take weeks to.”

Speaking with Dronelife, DJI’s Brendan Schulman went through the authorization process for flying in restricted airspace.

“Authorization Zones can be unlocked by our verified users instantly, on the scene of the drone operation. The more sensitive Restriction Zones involve an online form that we process in a few days, or more quickly if there’s an urgency,” he said.

“For public safety agencies such as fire departments, we can unlock the entire jurisdictional area in advance so that they can operate in a sensitive location whenever they need to. Our goal is to balance serious safety and security concerns with the innovative and beneficial applications for our technology.” 

Schulman pointed out that commercial pilots having issues and being grounded in front of clients is a rare event. “In some cases,” he said, “the pilots have submitted an incorrect product verification number, or they have not fully updated their device software to the latest versions. We invite anyone experiencing these issues to contact us directly at [email protected].”

The Conspiracy Theories: Is Something More Sinister Going On?

[Image: justify dji hackers]

Rob Thompson, author of the comment above, is another sUAS News contributor.

Is DJI a front for the most audacious spy program in history? Are thousands of Chinese intelligence officers sifting through hours of aerial footage, growing wearier by the day at the endless selfies and sunsets captured with your DJI products?

It’s not a point of view that we share. Particularly when DJI has confirmed that it has no way of accessing footage taken with its drones. Unless that footage is uploaded to SkyPixel – the company’s social media sharing hub. Hardly the place where data concerning national security is being stored.

It is true that DJI will share information that you have given to them with governments or security organizations if requested. But this is no different to companies such as Apple and Google, who have been known to cooperate with criminal investigations in the past. This is also consistent with provisions in 3DR and Parrot terms of service.

We can’t help but feel that there’s a mistrust from certain media elements for two reasons. The first is that DJI is a Chinese company that nobody can seem to compete with. The second is that having a foreign company play a role in US legislation is uncomfortable for some, even if they are leading the way technology-wise and have a significant stake in the US market.

We do not give any weight to these manufactured theories.

Legitimate Concerns Over Big Data

To pretend that data in the drone industry isn’t an issue would be wrong. Commercial operators are rightly concerned that everything from telemetry data to personal details and the end result (photography, mapping, industrial and environmental modelling) could be vulnerable to hackers.

As industry analyst and occasional DroneLife contributor Colin Snow writes in a recent report on inspection services, “Businesses are not in the habit of measuring, inspecting, and photographing things that aren’t important to them”.

The fear is that this data could get into the wrong hands, particularly with regards to industrial espionage. The concern revolves around the large number of external service providers working within the drone space. The longer the chain of custody over commercial data is, the higher the risk.

There have also been concerns that manufacturers like DJI are collecting telemetry data for analysis. Having a global corporation know when, where and how you are flying isn’t exactly a comforting thought, even if the objective is to harness that information to produce better drones in future.

However, in an email exchange, DJI’s head of global policy, Brendan Schulman, dispelled that notion:

As part of DJI’s commitment to customer data and privacy, we want to emphasize that we do not collect any personal data or information from or about a user, except what the user chooses to manually upload and share with us. The same holds true for flight data, including any photos or videos taken during flight.

For those of you who may have read about DJI storing telemetry data for analysis, it appears as though that’s the scenario only for DJI’s SDK customers, which makes plenty of sense. Developers working on new solutions could provide data to DJI that might come in handy for improving performance further down the line.

Our Take

Companies, just like people, are flawed. They will make mistakes. In this instance, DJI has certainly made mistakes that are, at best, a public relations mess and, at worst, a security risk.

But DJI has done more than most to address regulatory concerns and public mistrust around drone technology. The current iteration of Geo may not be perfect. There may be bugs, inaccuracies and issues with the verification process. There are certainly question marks over implementation. But no system of this scale was spot on first time around. And there’s no doubting the importance of its intention.

The deeper you dig, the more it seems a small but vocal minority of DJI pilots are frustrated at the company’s involvement in implementing restrictions. These frustrations, added to concerns over data collection and security, are a toxic combination that has created an environment in which hackers are enabled and encouraged.

The ethics of drone hacking are sketchy at best. The obvious fear is that an increase in hacked DJI products will lead to more dangerous flights and make a terrible, life-threatening accident more likely. Any serious situation involving a drone will be enough to justify firmer regulations that will halt the pace of innovation in the consumer and commercial markets. For that reason, we strongly advise our readers against such actions.

Technology always outpaces regulatory frameworks and laws. DJI will not get everything right and will probably continue to make mistakes. However, the company should be commended for advancing drone technology while attempting to keep our skies safe. 

Malek Murison is a freelance writer and editor with a passion for tech trends and innovation.
Twitter:@malekmurison


