Back in my day...
...we had balsa wood models powered by rubber bands. Just saying.
Two US government agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), warned on Wednesday that drones made in China could be used to gather information on critical infrastructure. “The People’s Republic of China (PRC) has enacted laws that provide the government with …
... in the PRC government, I'd push that threat down a level. Instead of via-government-rule pre-compromising made-in-China drones and drone accessories, I'd via-government-rule pre-compromise the SoCs (or ASICs) used by multiple drone manufacturers, both within and without the PRC.
"Proudly assembled in the USA, using internationally-sourced components."
(Icon for potential conspiracy, and "drones")
How are you going to compromise an SoC? Build in a security flaw that lets you elevate to root/kernel level? You still have to get it to run some code (even if it is just a couple of instructions required to make that happen) which doesn't make it any easier than it already was. Because all software of any complexity is riddled with holes, that's why we see exploits in pretty much everything from phones to routers to industrial control gear reported so frequently it is only newsworthy when it is both a major exploit and a major company. The rest are so minor the Reg writes about them in a weekly roundup and they are still only listing a few percent of the actual total.
The requirement that they report vulnerabilities they learn about to the government immediately is all they need. How often are people really going to update the firmware on their drone? If a company learns about a vulnerability and creates a patch the next day, 95% of drones will probably still be vulnerable a year later so the government would still be able to leverage that to access drones out in the field.
Though probably what they really want is not to p0wn the drones, but to get access to what they are uploading to the dronemaker's cloud. Video footage and GPS coordinates would be great. China can do a query "show us all the footage inside this GPS box that's near critical infrastructure" and bingo they have footage from some third party company hired to inspect power lines and in doing so happened to overfly a substation next to a military base or water treatment plant for a major city. That will give them better views/different angles than their spy satellites.
How are you going to compromise an SoC?
You don't even need that, the FUD that the US government is spreading is more effective: costs nothing (to PRC) but has the same effect (USA unable to use that tech). What I find passionate is that the USA has defeated the USSR in the cold war with the fake Star-Wars space race (allegedly, reality is more subtle) and now China is defeating the USA by fake cyber-espionage allegations.
Using made-in-USA technology might help Washington snoop on the world.
Like using Microsoft, Facebook, Google, Amazon, Tesla. Washington reserves the right to gain access to data collected by American companies worldwide or businesses operating in the greatestest nation in the inner solar system.
Sure, the difference is what you are doing with the data. I don't mind the data being used to solve crimes, but I'd prefer them to go in with a warrant based on probable cause, not to blame guilt based on association, rumor or what US citizens would refer to as free speech.
I used to work with the DJI SDK some years ago, mostly on iOS, it used to ask for every permission it could get (Uhmmm, why do you need microphone access?). They did improve it as the heat turned up on them, but now I think they have discontinued the iOS SDK in favour of Android, mostly because I think they're building their own controllers, so who knows what goes on in those.
To be fair, it was prob asking for microphone access for its broadcast streaming stuff, but it should not have been the default, makes any app built on the SDK look extremely suspicious.
It seems that the DJI Fly Android app is not in the Google Play store anymore, and can only be downloaded from their website... There's been a scare before on DJI apps:
Chinese-made drone app in Google Play spooks security researchers
Then again, the iPhone app is still on the Apple Store. I'm sure everything is fine.
How are you going to compromise an SoC?
Via system firmware, executed every time the SoC boots up. "When you receive this key, broadcast where you are (GPS coordinates)." "When you receive this key, follow all instructions prefixed by this key, and ignore all other instructions (the legitimate owner's instructions), until I tell you otherwise." What that gets you is the ability to locate and take over a drone which happens to be somewhere you deem "interesting" (if there is a drone there) and it gets you realtime video. It does require another drone, or person nearby with a radio, to fly the compromised drone, and to record and/or relay the video, and it requires that a compromised drone be near the place you deem "interesting."
What compromising the SoCs / ASICs used in drone manufacture does for you is greatly increase the number of vulnerable devices, vs compromising only "made in PRC" drones, which might be banned-and-interdicted by various governments.
Yes, the PRC government could view the cloud-stored data, but it won't be as easy as you think. As to government requests/orders for "all data near these GPS coordinates between the dates/times of A and B", presuming each frame has a set of GPS coordinates stored with it, and a date/time stamp ... even if all those frames were stored with a date/time/GPS-coordinates combo combined into an integer, which is indexed, a query will still have to go, SEQUENTIALLY, through the metric crap-tonnes of images which will be stored on those servers. That processing won't be finished in any usable-to-the-government timeframe.
(Me being picky:) Because all software of any complexity is riddled with holes...
No, it is not. Much (most?) modern software is that way, but not all software is that way. You can read about some large, complex software projects which contained extraordinarily-few bugs in Frederick P. Brooks' The Mythical Man-Month. You can also read about Chrysler's huge-yet-successful "C3" project in various Agile-related books. (I'm not pushing Agile techniques here, I'm just giving the reference.)
Querying that much video wouldn't be too hard if you just threw lots of computers at the problem. It's very parallelizable and China has some large cloud providers that people don't much use. Send a notice to one of them that you'll be taking all of their spot instances for the next two days and if they forget to send you the bill, their CEO won't be arrested this year, and you can run even quite inefficient searches.
That doesn't mean they're actually doing this, but just that if they were going to, they could.
I'm wondering when basic things like wheat or steel will be feared for being spying equipment.
It's to the point of crying wolf, none of these headlines ever have hard evidence, just fear, uncertainty and doubt.
"But... But... China could be..."
Who cares anymore when our own countries are just using China as a distraction for their own BS.
Quote: "...drones made in China could be used to gather information on critical infrastructure..."
Link: https://www.bbc.co.uk/news/business-65643064
Link: https://www.fastmarkets.com/insights/china-ev-sales-exceed-one-million-units-brm-prices-under-pressure/
Link: https://www.reuters.com/technology/apple-supplier-foxconn-says-december-revenue-fell-123-yy-2023-01-05/
......and the blinkered folk at various "US agencies" are worried about drones being a "national security" menace?