The paper warned that government, defence and business sites, critical infrastructure and crowded places were vulnerable to drones used as both kinetic and cyber weapons for image and signals gathering, espionage, data exfiltration or physical attack.
“Both recreational and commercial operators are at risk of unauthorised access of sensitive information, intellectual property and other data if they operate drones on unsecure networks or using unencrypted communication links,” the paper said.
In July researchers at France-based Synacktiv and US-based GRIMM reported that one of DJI’s Android applications contained features that could allow attackers to install malware and gain full control of users’ phones. In 2018, security firm Check Point found hackers could gain access to an individual DJI user’s flight data through a malicious link.
The Shenzhen-based company has repeatedly rejected security concerns over its products and maintains there has never been evidence of unexpected data transmission connections from DJI’s apps.
The company said there is no evidence that any of the hypothetical vulnerabilities have ever been exploited.
Adam Welsh, DJI’s Asia-Pacific policy director, said the company builds data security into its drones.
“DJI customers can fly their drones without any internet connection, and they always have control of how their photos, videos and flight information is collected, stored and transmitted,” he said.
“This information is never automatically transmitted to DJI or anywhere else. Even if we are presented with a lawful request for data from a government agency, DJI cannot provide information that we don’t have.”
In July, the company signed a strategic partnership with the University of NSW to collaborate on research projects in a move backed by Austrade and the NSW Trade and Investment Office.
The Australian government has conducted a cyber vulnerability review on the usage of DJI drones for defence and concluded that it was “comfortable” with the resumption of using them in non-classified situations. Defence now has more than 400 DJI drones in operation.
“Defence is satisfied that the use of the DJI Multi-Rotor UAS is safe, secure and does not compromise operational security for the purposes for which they are used,” a Defence spokesperson said this week.
However, Colonel John Venable, a retired US Air Force fighter pilot now a senior research fellow for defence policy at the Heritage Foundation, a conservative think tank in Washington DC, says the defence assessments missed the wider implications of one company dominating the drone market in aerial photography, infrared imaging and terrain mapping.
“This is a gargantuan amount of data that we’re talking about,” he says. “The average drone operator going out and flying a drone over an area in Melbourne or Sydney. They’re basically allowing this drone to capture detail with very precise geolocation capabilities and map the cities. Most people really don’t understand why that shows value, but the Chinese government does.”
Tibor Fekete, a former Australian Army veteran, now head of the drones business unit with Xtek, a Canberra-based technology defence materiel company, says Australia’s skies are to be swarmed by DJI’s technology.
“If you start including the $50 drones, right up to the $5000 DJI drones then we are talking about a possibility of millions of drones in the country and most of them are coming out of China,” he says.
According to the Civil Aviation Authority, there are almost 33,000 commercial drone operators and license holders. But the regulator has no data on recreational drone numbers. It cites estimates of several hundred thousand to a million.
Allan Liska, a Senior Security Architect at Recorded Future, a global security intelligence provider, says there is no visibility of what happens to the data stored by DJI.
“What they will tell you is, they keep it secure on their servers which happen to be in China. But as we’ve seen with other Chinese companies, just because they say that, it’s not always the case. So, if the Chinese government asks for it, they have to give over the data and DJI does not have to tell you they’ve done so.”
Those concerns were fuelled this week by the release of a significant policy outline from the Chinese Communist Party’s Central Committee. The directions, titled: “Strengthening the United Front Work of Private Economy in the New Era,” lay out the future of the party’s interactions with private enterprise and its ambitions to unite private economic figures around “the majestic force of building the Chinese dream together”.
The notice requests all regions and departments to implement the new policies and “encourage private enterprises to participate in the reform of mixed ownership”. Companies are also being urged to bolster their own internal Communist Party committees, which can influence commercial decisions.
“Party committees at all levels must strengthen their leadership over the united front work of the private economy, fully implement the party’s guidelines and policies, and do a good job in implementing the various decisions and deployments of the Party Central Committee,” the notice said.
“Guide private enterprises to improve their corporate governance structure and explore the establishment of a modern corporate system with Chinese characteristics.”
Welsh said it was not DJI’s position to comment on governments’ strategies or economic policies. “While it is easy to get caught up in the geopolitical issues of the day, we are a technology company and we need to continue to focus on what we do best,” he said.
Liska says that Australia is particularly exposed to any orders to hand over data given by the Chinese government or state sponsored hacking on Australian DJI users after months of tension over the coronavirus, trade strikes, Hong Kong, Xinjiang and the South China Sea.
According to Liska, there’s been an increase of almost 140 per cent in “publicly reported” cyber-attacks on Australia this year.
The nation’s cyber security centre has received a report every 10 minutes of malicious cyber attacks against Australian businesses and government agencies from a state-based actor over the past two months.
Defence Minister Linda Reynolds has not named the nation involved but warned cyber attacks by a national government had risen since June when there was a series of cyber raids on all levels of government, hospitals, local councils and state-owned utilities. Australian security agencies believe China was probably behind the cyber attacks.
Fekete, the former Australian army veteran, says there is no point complaining about DJI’s success. He said Australia needed to innovate its way out of dependency.
“The Americans are working on their own solutions as we are trying to build indigenous capability to meet sovereign capabilities,” he says.
Eryk Bagshaw is the China correspondent for The Sydney Morning Herald and The Age. Due to travel restrictions, he is currently based in Canberra.