Australia’s Department of Defence has established “revised operating procedures” for small unmanned aircraft, an action that follows a U.S. Army directive to its units in August to stop using drones manufactured by China’s DJI because of “cyber vulnerabilities.”
On August 9, “after Defence became aware of the U.S. Army’s actions, the use of all commercial off-the-shelf UAS [unmanned aerial systems] was suspended until a formal assessment into the cyber risk presented by these systems could be conducted,” said a spokesperson with the Australian department, in a statement provided to AIN. “Flight operations recommenced on 21 August 2017 following the completion of the risk assessment that led to the development of revised operating procedures for commercial off-the-shelf unmanned aerial systems.”
Australia’s military “operates a number commercial off-the-shelf UAS, including the DJI Phantom,” according to the statement, which did not describe the revised operating procedures. The Australian newspaper first reported the revised procedures.
Citing “increased awareness over cyber vulnerabilities associated with DJI products,” the U.S. Army in an August 2 memorandum ordered units to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow-on direction.” The memorandum, which was leaked to the news service sUAS News, cited as references a classified Army Research Laboratory report on DJI technology and a U.S. Navy memorandum regarding operational risks of using DJI products.
The Army later confirmed that it had issued such guidance, but declined further comment. Responding to the news, DJI said the Army did not notify the company in advance of the restriction, nor explain what cyber vulnerabilities concern the service.
Responding to an AIN inquiry, the U.S. Naval Air Systems Command (Navair) said the Navy document the Army cited in the August memorandum was written by the Navy and Marine Corps Small Tactical Unmanned Aircraft Systems program office “to address operational risks” in support of a nano/vertical takeoff and landing (aircraft) urgent universal needs statement.
“The May 25 memo identifies operational risks associated with the DJI family of products. Due to the sensitive nature of the information in this document, the memo is for official use only and is therefore not releasable in the public domain,” Navair said in a statement attributed to Rear Adm. Mark Darrah, program executive officer for unmanned aviation and strike weapons.
Cyber security concerns over DJI drones previously have caused U.S. federal agencies including the Departments of the Interior and Energy to avoid using them, industry analysts have reported. In a LinkedIn blog post in early August, David Walters, software development manager with the UK-based firm Consortiq, offered an explanation of what could be of concern to government users of DJI drones. According to Walters, flight-log information, GPS positioning and some payload data are synched to DJI servers when an operator logs into the “DJI Go” Internet application.
On August 14, Shenzhen, China-based DJI said it is developing a new “local data mode” that blocks Internet data transfers to and from its flight-control applications. In that mode, however, DJI applications will not update maps or “geofencing” software that restricts flights around certain areas, nor will they notify pilots of newly issued flight restrictions or software updates.
“DJI’s flight control apps routinely communicate over the Internet to ensure a drone has the most relevant local maps and geofencing data, latest app versions, correct radio frequency and power requirements, and other information that enhances flight safety and functionality,” the company said. “When a pilot enables local data mode, DJI apps will stop sending or receiving any data over the Internet, giving customers enhanced assurances about the privacy of data generated during their flights.”
Responding to reports of Australia’s revised drone operating procedures, DJI said: “As you may have seen, the Australian Defence Force reportedly stopped using all commercial off-the-shelf drones for two weeks while they evaluated drone security. They have since resumed flying drones from DJI and other manufacturers, and further media reports indicate the Australian government is confident DJI drones do not pose a security threat.”