Rumors of DJI security issues have dogged the company – and their many users – since the beginning of the U.S. government’s trade arguments with China, and Chinese communications company Huwei.  Now, a new report from consulting giant Booz Allen Hamilton finds that DJI systems do not send data to DJI, China, or any other “unexpected” third party.

DJI has had to address security fears repeatedly, and with discussions over the U.S.  Drone Origin Security Enhancement Act leading to the Department of the Interior downing its fleet of nearly 800 DJI drones.  At the heart of fears over Chinese drones is the issue of data gathered by the drones being passed to the Chinese government or other third party.

The fears about DJI security issues have had a negative effect on many DJI clients and partners, who are caught between the need to reassure industrial clients and hardware requirements: DJI’s affordable and advanced hardware solutions have few competitors in the same price range not manufactured in “listed countries” including China.  One client, legendary drone company PrecisionHawk, worked with Booz Allen to develop a framework for testing the security of drone technology.  Their initial tests were performed on DJI drones – and the report is the result of that testing.

Threat Vectors and Vulnerabilities: DJI Drones or Drones in General?

The report states clearly that they found no evidence of data transmission to DJI or China, which backs up DJI’s assertion that users have complete control over their own data.  However, the report does identify technical vulnerabilities, such as when using the Map Services App – which does ping addresses like Google and AWS (Amazon’s cloud services.)  Customers looking for an absolutely secure platform will have to use the mitigations suggested – just turning off the “Allow Map Services” function.  But vulnerabilities like these need to be put into context.  These are the risks associated with any system, the report points out:  “Any drone that provides the feature of externally-sourced map services would be expected to make such connections and to present similar vulnerabilities.”

DJI has responded to the report saying that they appreciate the further evidence that their systems allow users total control over the data – and that they will make use of the detailed list of potential vulnerabilites and threat vectors.

“We take these findings extremely seriously and are already implementing concrete steps to address many of the threat vectors identified in the report,” says a DJI blog post. “Some have already been remediated, and we are actively working on several others, for our current products and longer-term approaches to security. All but two of these threat vectors relate to physical proximity or access to the drone itself.”