US agencies warn made-in-China drones might help Beijing snoop on the world

Two US government agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), warned on Wednesday that drones made in China could be used to gather information on critical infrastructure. “The People’s Republic of China (PRC) has enacted laws that provide the government with …

  1. chuckufarley Silver badge

    Back in my day...

    ...we had balsa wood models powered by rubber bands. Just saying.

  2. Anonymous Coward
    Anonymous Coward

    Hands off my toy!

    They can have my Air 2S when they pry it from my cold dead fingers.

  3. An_Old_Dog Silver badge
    Black Helicopters

    Were I an Evil Overlord ...

    ... in the PRC government, I'd push that threat down a level. Instead of via-government-rule pre-compromising made-in-China drones and drone accessories, I'd via-government-rule pre-compromise the SOCs (or ASICs) used by multiple drone manufacturers, both within and without the PRC.

    "Proudly assembled in the USA, using internationally-sourced components."

    (Icon for potential conspiracy, and "drones")

    1. DS999 Silver badge

      Re: Were I an Evil Overlord ...

      How are you going to compromise an SoC? Build in a security flaw that lets you elevate to root/kernel level? You still have to get it to run some code (even if it is just a couple of instructions required to make that happen) which doesn't make it any easier than it already was. Because all software of any complexity is riddled with holes, that's why we see exploits in pretty much everything from phones to routers to industrial control gear reported so frequently it is only newsworthy when it is both a major exploit and a major company. The rest are so minor the Reg writes about them in a weekly roundup and they are still only listing a few percent of the actual total.

      The requirement that they report vulnerabilities they learn about to the government immediately is all they need. How often are people really going to update the firmware on their drone? If a company learns about a vulnerability and creates a patch the next day, 95% of drones will probably still be vulnerable a year later so the government would still be able to leverage that to access drones out in the field.

      Though probably what they really want is not to p0wn the drones, but to get access to what they are uploading to the dronemaker's cloud. Video footage and GPS coordinates would be great. China can do a query "show us all the footage inside this GPS box that's near critical infrastructure" and bingo they have footage from some third party company hired to inspect power lines and in doing so happened to overfly a substation next to a military base or water treatment plant for a major city. That will give them better views/different angles than their spy satellites.

      1. Zolko Silver badge

        Re: Were I an Evil Overlord ...

        How are you going to compromise an SoC?

        You don't even need that, the FUD that the US government is spreading is more effective: costs nothing (to PRC) but has the same effect (USA unable to use that tech). What I find passionate is that the USA has defeated the USSR in the cold war with the fake Star-Wars space race (allegedly, reality is more subtle) and now China is defeating the USA by fake cyber-espionage allegations.

  4. Will Godfrey Silver badge
    Facepalm

    What terrible people!

    Upstanding citizens in the US would never dream of doing such a thing with any of their kit. Next thing they might do even worse... maybe create a search engine that scrapes, stores and sells everything they can find out about people.

    1. Phil O'Sophical Silver badge

      Re: What terrible people!

      Yes, at least China puts a legal face on it, with expanded legal grounds for accessing and controlling data held by firms in China. The US 3-letter agencies just help themselves.

    2. Anonymous Coward
      Anonymous Coward

      @Will Godfrey - Re: What terrible people!

      Or simply start tapping all the inter-continental communication cables. Oh, that's already been done? OK then.

  5. fpx
    Holmes

    In Other News ...

    Using made-in-USA technology might help Washington snoop on the world.

    Like using Microsoft, Facebook, Google, Amazon, Tesla. Washington reserves the right to gain access to data collected by American companies worldwide or businesses operating in the greatestest nation in the inner solar system.

    Sure, the difference is what you are doing with the data. I don't mind the data being used to solve crimes, but I'd prefer them to go in with a warrant based on probable cause, not to blame guilt based on association, rumor or what US citizens would refer to as free speech.

  6. anonanonanonanonanon

    I used to work with the DJI SDK some years ago, mostly on iOS, it used to ask for every permission it could get (Uhmmm, why do you need microphone access?). They did improve it as the heat turned up on them, but now I think they have discontinued the iOS SDK in favour of Android, mostly because I think they're building their own controllers, so who knows what goes on in those.

    To be fair, it was prob asking for microphone access for its broadcast streaming stuff, but it should not have been the default, makes any app built on the SDK look extremely suspicious.

    1. Dinanziame Silver badge
      Devil

      It seems that the DJI Fly Android app is not in the Google Play store anymore, and can only be downloaded from their website... There's been a scare before on DJI apps:

      Chinese-made drone app in Google Play spooks security researchers

      Then again, the iPhone app is still on the Apple Store. I'm sure everything is fine.

  7. An_Old_Dog Silver badge
    Headmaster

    Compromising the Drone-Controlling SoC

    How are you going to compromise an SoC?

    Via system firmware, executed every time the SoC boots up. "When you receive this key, broadcast where you are (GPS coordinates)." "When you receive this key, follow all instructions prefixed by this key, and ignore all other instructions (the legitimate owner's instructions), until I tell you otherwise." What that gets you is the ability to locate and take over a drone which happens to be somewhere you deem "interesting" (if there is a drone there) and it gets you realtime video. It does require another drone, or person nearby with a radio, to fly the compromised drone, and to record and/or relay the video, and it requires that a compromised drone be near the place you deem "interesting."

    What compromising the SoCs / ASICs used in drone manufacture does for you is greatly increase the number of vulnerable devices, vs compromising only "made in PRC" drones, which might be banned-and-interdicted by various governments.

    Yes, the PRC government could view the cloud-stored data, but it won't be as easy as you think. As to government requests/orders for "all data near these GPS coordinates between the dates/times of A and B", presuming each frame has a set of GPS coordinates stored with it, and a date/time stamp ... even if all those frames were stored with a date/time/GPS-coordinates combo combined into an integer, which is indexed, a query will still have to go, SEQUENTIALLY, through the metric crap-tonnes of images which will be stored on those servers. That processing won't be finished in any usable-to-the-government timeframe.

    (Me being picky:) Because all software of any complexity is riddled with holes...

    No, it is not. Much (most?) modern software is that way, but not all software is that way. You can read about some large, complex software projects which contained extraordinarily-few bugs in Frederick P. Brooks' The Mythical Man-Month. You can also read about Chrysler's huge-yet-successful "C3" project in various Agile-related books. (I'm not pushing Agile techniques here, I'm just giving the reference.)

    1. doublelayer Silver badge

      Re: Compromising the Drone-Controlling SoC

      Querying that much video wouldn't be too hard if you just throw lots of computers at the problem. It's very parallelizable and China has some large cloud providers that people don't much use. Send a notice to one of them that you'll be taking all of their spot instances for the next two days and if they forget to send you the bill, their CEO won't be arrested this year, and you can run even quite inefficient searches.

      That doesn't mean they're actually doing this, but just that if they were going to, they could.

  8. Anonymous Coward
    Anonymous Coward

    It’s a bird, it’s a plane…

    a nano-missile, anybody?

  9. Tron Silver badge

    Reds under the bed etc.

    Complete BS.

  10. Zibob Silver badge

    At this stage...

    I'm wondering when basic things like wheat or steel will be feared for being spying equipment.

    It's to the point of crying wolf, none of these headlines ever have hard evidence, just fear, uncertainty and doubt.

    "But... But... China could be..."

    Who cares anymore when our own countries are just using China as a distraction for their own BS.

  11. Anonymous Coward
    Anonymous Coward

    Human "drones" at US agencies....dumb and xenophobic......

    Quote: "...drones made in China could be used to gather information on critical infrastructure..."

    Link: https://www.bbc.co.uk/news/business-65643064

    Link: https://www.fastmarkets.com/insights/china-ev-sales-exceed-one-million-units-brm-prices-under-pressure/

    Link: https://www.reuters.com/technology/apple-supplier-foxconn-says-december-revenue-fell-123-yy-2023-01-05/

    ......and the blinkered folk at various "US agencies" are worried about drones being a "national security" menace?
