Drone firm DJI promises 'local data mode' to fend off US government's mooted ban

Chinese drone maker DJI has commissioned yet another security audit with FTI Consulting that's given it a clean bill of health, as the US government reportedly prepares to ban its remote controlled aircraft from American skies. DJI, whose headquarters are in the Chinese city of Shenzhen (the firm’s full name is Shenzhen Da- …

  1. DavCrav Silver badge

    "A code audit carried out by FTI Consulting was said to have revealed no causes for concern, with DJI posting the exec summary (but not the full audit) on its website as a PDF. It had access to 20 million lines of source code, according to the summary, with analysis focusing on code concerned with “communication protocols and network activity with host infrastructure”."

    1) 20m lines? So FTI Consulting read through (approximately) 2000 books' worth of code? Sure they checked every single last bit of it.

    2) And how (unless it's open source, and that was not mentioned in the article) does the end user know that the compiled version of the code on their drone is that audited by FTI?

    3) And who thinks that any number of code audits will actually make a difference?

    1. Jellied Eel Silver badge

      I'm more curious how much code is per drone & controller. 20m lines seems excessive, especially if controller functions are/should be via the host OS. I like the idea of a local data mode though, but how local that can be in a system like Android or iOS is anyone's guess.

      1. doublelayer Silver badge

        You could test it by connecting both the drone itself and the phone controlling it to a network which logs all the packets. While a company which wants to collect could think up a sneaky way to hide data, it's a lot harder to communicate without an interested party seeing that it's happening. Unless they've decided to include a ridiculously expensive and pointless cellular connection circuit, they will either have to use your network or keep things local. It should be provable whether they've lied here.

        1. Jellied Eel Silver badge

          Flying sharks

          "You could test it by connecting both the drone itself and the phone controlling it to a network which logs all the packets."

          Yup. I don't know how drones talk to their controllers, just seen people using their mobile phones. So seems a bit more challenging than slapping Wireshark or equivalent on a laptop/tablet. So then it'd be trying to monitor airside interfaces, and those being encrypted. Or the payloads being encrypted making packet analysis a tad tricky.

          1. doublelayer Silver badge

            Re: Flying sharks

            Drones which don't have additional controller hardware but operate from a phone are almost certainly using WiFi. They might also have a Bluetooth connection, but it is shorter range so it's not likely (and that can be logged as well). For that, you can in fact tap the connection on the phone's end or with something in the middle. For drones with a separate controller, it's harder but you can still figure out some things. For example, you can figure out what the frequency is and see if you have to worry about someone listening to it. If it's a band used by cellular providers, then it could theoretically be using that to exfiltrate (and if it's not using the mobile networks but still using those frequencies you shouldn't be operating it), but most likely it's a higher frequency and the only way to listen to your commands, even for someone who does have the decryption keys, is to be near you.
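The network-logging test that doublelayer describes above (connect drone and phone to a LAN that records every flow, then see whether anything leaves it) can be scripted against the router's flow log. This is an added example, not code from the thread or from DJI; the log format, the device addresses and the log contents are all constructed, and an IANA documentation address stands in for a vendor endpoint.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges that never leave the LAN. Anything outside them is "external"; the list is explicit
# because Python's is_private() also treats IANA documentation ranges (used below) as local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4",    # link-local, loopback, multicast
    "255.255.255.255/32",                              # limited broadcast
)]

# Hypothetical IPv4 flow-log format: "<timestamp> <src>:<port> -> <dst>:<port> <proto> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[0-9.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<bytes>\d+)$"
)

def is_local(ip: str) -> bool:
    """True if ip falls in a range that stays on the LAN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def audit_local_mode(log_lines, device_ips):
    """Return {(device, dst, dport, proto): total_bytes} for every flow a monitored device
    opened to a non-local destination. Empty means the capture is consistent with a
    'local data mode'; every entry is a conversation the vendor has to account for."""
    external = defaultdict(int)
    for line in log_lines:
        m = FLOW_RE.match(line.strip())
        if not m:                       # ignore lines that are not flow records
            continue
        src, dst = m["src"], m["dst"]
        if src in device_ips and not is_local(dst):
            external[(src, dst, int(m["dport"]), m["proto"])] += int(m["bytes"])
    return dict(external)

# Constructed sample: drone 192.168.1.50, phone app 192.168.1.51, router DNS/NTP at 192.168.1.1.
# 198.51.100.23 (documentation range) plays the part of a cloud endpoint the app talks to.
SAMPLE_LOG = """\
2020-08-14T10:02:11Z 192.168.1.51:49152 -> 192.168.1.50:8080 TCP 4096
2020-08-14T10:02:12Z 192.168.1.50:5353 -> 224.0.0.251:5353 UDP 120
2020-08-14T10:02:14Z 192.168.1.51:53422 -> 192.168.1.1:53 UDP 64
2020-08-14T10:02:15Z 192.168.1.51:53423 -> 198.51.100.23:443 TCP 15320
2020-08-14T10:02:40Z 192.168.1.50:123 -> 192.168.1.1:123 UDP 48
2020-08-14T10:03:01Z 192.168.1.51:53424 -> 198.51.100.23:443 TCP 2210
not a flow record
""".splitlines()

if __name__ == "__main__":
    for (dev, dst, port, proto), n in audit_local_mode(SAMPLE_LOG, {"192.168.1.50", "192.168.1.51"}).items():
        print(f"{dev} -> {dst}:{port}/{proto}: {n} bytes left the LAN")
```

A flow log only shows where traffic went, not what it carried, so a full packet capture (Wireshark, as mentioned in the thread) is still needed to see the DNS names queried and to confirm that the drone-to-phone link itself stays on the LAN.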

    2. Anonymous Coward

      Why are you so happy to believe the FUD being spread about China and Chinese companies? You seem to have lost your ability to think rationally.

      1. Qumefox

        And if you believe the propaganda that comes out of the PRC, you've demonstrated your inability to think rationally as well.

        The Chinese government has its fingers in pretty much every company that it allows to operate there. Those that don't allow that don't stay operating in China for long. So it's not exactly unwise to be wary of possible data collection by them.

        I have no love of the POTUS or his knee-jerk protectionism policies. However, I can assure you that none of the Chinese-made IoT devices (mostly cameras) I own are given unfettered access to the internet, and that was MY policy even before the current idiot in chief came into office. Because I have yet to find many that don't attempt to phone home for some reason, even when they have zero need to.

      2. Throatwarbler Mangrove Silver badge
        FAIL

        Neither of the posters above gave any credit to the notion that the drones are compromised, they just pointed out some rather glaring shortcomings in the audit process. Perhaps you have some reason for not posting your identity and trying to defend China . . . 战友. (That last bit is tongue-in-cheek . . . jeez you guys are thin-skinned.)

        1. martinusher Silver badge

          We don't need to 'defend' China

          I'm quite sure that China can take care of itself. It's been around for 5000 years in one form or another, it's survived some colonization and some really brutal treatment and it's developed from nothing to a global power in less than one lifetime. Because it's so large and diverse it's difficult to generalize; our attempts invariably fall short. I'm pretty sure that the primary reason why a company like DJI came into being is that it saw a way to make a lot of money rather than seeing it as an avenue for Global Domination. In that respect it's no different from an American enterprise apart from the ability to deliver a useful product at a $500 price point rather than $50,000 or so (...and no, I'm not joking... that's what my daughter's father-in-law was working on before he retired, a Gen-u-ine MilSpec drone with a price tag to match that 'almost worked').

          I've worked with numerous Chinese engineers and they really do come in all sorts of shapes and sizes. They're not anonymous hive beings, they're people like us (but different -- although nothing like as different as a Japanese engineer.....). They have a sense of humor, they can even be quite cynical (quote from one about the Chinese Basic Law of Engineering -- "If at first you don't succeed, lower your expectations"). There's a lot of them and some of them are off the scale smart, scarily so.

          The thing we've really screwed up on -- apart from giving them the farm to goose our short term profitability -- is going all Cold War on them. Until recently they were all good Global Citizens, playing their part and so on. Now we've decided to threaten them they think "We must be doing great if America is scared of us" and so we're now happily fanning the embers of Chinese Nationalism. Wise heads like that Ren Zhengfei (Huawei) fellow will push back against this but you know how seductive nationalism can be. We may yet rue the day that we started this, especially when our semiconductor industry lies in ruins because of "cheap Chinese imports".

          1. SundogUK Silver badge

            Re: We don't need to 'defend' China

            "Until recently they were all good Global Citizens..." That is so naive it's scary.

          2. SundogUK Silver badge

            Re: We don't need to 'defend' China

            And Ren Zhengfei?

            To quote Wikipedia: "...(he) then joined the People's Liberation Army (PLA) research institute to work as a military technologist reportedly in the PLA's Information Technology research unit."

            1. StickThatInYourPieHole
              Flame

              Re: We don't need to 'defend' China

              In other news, Gen. Keith Alexander joins Amazon and nobody cares because USA good. Obviously.

  2. sanmigueelbeer Silver badge
    Coat

    If DJI would just sell their business to an American company like, say, Microsoft, then the ban would be lifted.

    I'm just sayin'.

  3. Anonymous Coward

    Why does a drone need access to the internet at all? Why do months need to be spent building a 'local mode' feature when surely the simplest solution is not to brick the thing if it isn't able to phone home?

  4. all ears

    DJI dominates the drone market

    Because there isn't any competition at that price. You can't say they've copied somebody else when there isn't anyone else who does what they do. The US demanded geofencing to keep drones away from airports and other sensitive areas, so that's why they need to talk to remote servers.

    If you want a drone in the $500 - $2500 range, nothing else has the features and quality of a DJI. If the US wanted to compete we'd have a long way to go to catch up. Do we really want to deprive ourselves of such excellent machines? Communications can be monitored and vetted if we're so worried about security. And we can always add any security vulnerable areas to the geofence.

    1. sanmigueelbeer Silver badge

      Re: DJI dominates the drone market

      "If the US wanted to compete we'd have a long way to go to catch up."

      I disagree.

      The Americans can really compete with Chinese-made products against "American products equally made in China". Same goes with 5G kit with American brands but made exclusively in China.

      It's just a question of greed (and a dash of pride).

      1. all ears

        Re: DJI dominates the drone market

        DJI drones are designed and manufactured in China. Their American offices are for sales and support only. There is nothing American about DJI drones.

  5. tiggity Silver badge

    State Aid

    US govt claims to hate State Aid, but look at the cash spent on "military funding" and the whole military industrial complex that developed - it's essentially a back door way to pump vast amounts of cash into US companies.

    They don't like DJI drones as they massively outperform any US equivalents on cost, so "security issues" are always a convenient excuse (a bit like the TikTok attack: yes, it sucked lots of data back to China, but the main concern was how quickly it had gained popularity & user numbers, as US competitors such as FB, Instagram etc. suck lots of data back to the US - disclosure, I use none of them, obviously).

    1. fajensen Silver badge
      Facepalm

      "US govt claims to hate State Aid ..."

      They should look at what happened to the UK, with Thatcher: The Tories had the Insiders bs-ing all the time about Purity towards Outside, all while on the Inside they were happily finagling things, however Impure and Socialist the methods.

      Now, a bunch of Outsiders, 3rd-rate flunkies kept away from Important Things for good reasons by the elders, thus ignorant of how things were done, come into power while totally *believing* the entire bs-facade of their Saviour Saint and turn the official agit-prop bs into Government Policies...

  6. kernel_panic

    Putting everything in one bag is never going to work

    I've done dozens if not hundreds of risk assessments in my career. When you analyse a threat, it is paramount to consider the actor, target, likelihood and impact of a risk if it were to materialise (amongst other things of course). Picture this:

    Risk in question: the code could allow China to eavesdrop on the drone users' activities

    1) if the user is the US military --> significant risk, with deep implications that can lead to loss of life

    2) if the user is the US gov --> high risk that could lead to political espionage, large scale economic impact, civil unrest, etc. even potential loss of life (long list)

    3) if the user is you or me --> medium to low risk depending on volume of surveillance/data siphoned (widespread vs small audience). No one will die bc China discovers you like to zoom in on your sunbathing hot neighbour in the summer

    Enter risk mitigations:

    You can mitigate #3 by forcing the company to do independent code analysis, open source their code (or invite them to use OS if possible), etc.

    You could mitigate #2 by doing the above in more detail + gov-led analysis, etc. or even just choose a different supplier

    You would most likely ban the tech and choose another supplier for #1 - this is common sense.

    So you see, an all-or-nothing approach is hardly ever the right solution. Which makes me think there's a broader, more complex political agenda in place ;-)
