US Should Sanction Chinese Drone Maker DJI for Sending Data to China, Report Says

US Should Sanction Chinese Drone Maker DJI for Sending Data to China, Report Says
An employee shows the new Mavic Pro 2 drone in a DJI store in Shanghai on May 22, 2019. (Hector Retamal/AFP/Getty Images)
Frank Fang

U.S. think tank Heritage Foundation is calling on the Trump administration to impose sanctions on Chinese drone maker DJI because the data it collects could fall into the hands of the Chinese regime.

The report published on Aug. 19 said the data collected by Chinese drones flown in the country would include precise location of critical infrastructure and sensitive information, including locations of civic leaders, their movements, and interactions.

“Due to Chinese laws, Chinese corporations are unable to deny data requests from the Chinese government. Given the … data that is collected, the risk is that such information is going back to Beijing,” report co-author Lora Ries told The Epoch Times. She is a senior research fellow at the think tank.

The Heritage Foundation called on DJI to be placed on the “Entity List,” a U.S. trade blacklist that bars American companies from doing business with them, unless they obtain special licenses, due to security vulnerabilities in its products that harvest user data, as well as DJI’s involvement in the persecution of Uyghur Muslims in Xinjiang.

Drones made by DJI, a private company headquartered in the southern Chinese city of Shenzhen and the world’s biggest maker of commercial drones, are extremely popular in the United States.

According to data by market researcher Drone Industry Insights, DJI had a U.S. market share of close to 77 percent as of October last year, followed by U.S. tech giant Intel with 3.7 percent. Another Chinese drone maker Yuneec came in third with 3.1 percent.
There are now more than 385,000 commercial drones in operation in the United States, according to the report. This is compared to 2016, when there were only 50,000 commercial drones, according to data from the U.S. Federation Aviation Administration, which requires drone operators to register their drones.
Many of these drones are used by U.S. government agencies. According to a March report by the Center for the Study of the Drone at Bard College, 1,578 state and local police, sheriff, fire, and emergency services agencies in the United States “are believed to have acquired drones.”

More than 970 U.S. public safety agencies used drones made by either DJI or Yuneec, according to the report.

The U.S. Army, Pentagon, and Department of Interior have banned or grounded Chinese-made drones over spy risks.

In August 2017, the U.S. Department of Homeland Security (DHS) issued a warning in an unclassified bulletin, saying that DJI was “providing U.S. critical infrastructure and law enforcement data to the Chinese government.” DHS issued a similar warning again in May 2019.

Security Concerns

The Heritage Foundation highlighted DJI drones’ security flaws, as detailed in two recent studies by Paris-based IT security firm Synacktiv and Washington-based cybersecurity company River Loop Security.
Synacktiv, in a report issued in July, reverse-engineered the Android version of a mobile app called DJI Go 4, which allows users to control DJI drones through their electronic devices. It found that the app was collecting a vast amount of personal user data, including the serial number of the phone’s SIM card, the phone’s identity number IMEI, and the phone’s IMSI, a unique number that telecoms companies use to identify a SIM.

“This data is not relevant or necessary for drone flights and go beyond DJI privacy policy,” stated Synacktiv. It then warned that these data “can be used by intelligence agencies or malicious people to later track individuals or eavesdrop communications.”

Synacktiv also found that the DJI software could order a user’s phone to install a “forced update” and then execute whatever commands it wishes. Given that operating the DJI app requires granting it access to a device’s camera, geolocation, contacts, and other data, “the DJI...Chinese servers have almost full control over the user’s phone,” the firm concluded.

Moreover, Synacktiv found that even after users closed the app, it continued to run in the background, making network requests.

River Loop reviewed another DJI app called DJI Mimo, which allows users to edit their photos and videos captured on cameras attached to DJI drones. In a report issued in May, River Loop found that the app sent data via insecure means to servers located in China, without user consent.

What’s more, River Loop found that the app’s terms of use agreement allowed DJI to share user data with the Chinese regime.

When installed, the DJI Mimo app requests users to give access to much of the phone’s data, such as location, SMS messages, and WiFi state.

“Those findings should worry any company or government agency using DJI technology, as well as policymakers working to secure critical infrastructure,” the Heritage Foundation concluded, referring to the two reports by Synacktiv and River Loop.

DJI did not respond to a request for comment as of press time.

State and Local Governments

The Heritage Foundation said that though the U.S. federal government has recognized DJI’s threats, regional authorities are not prepared.

“State and local agencies have smaller budgets,” Ries said, noting that DJI “has slashed its prices to basically elbow out any other competition.”

The company has also donated drones to law enforcement and first responder agencies. This April, DJI said it distributed 100 drones to 45 police, fire, and public safety organizations in 22 states, in an effort to help the United States battle against the spread of the CCP (Chinese Communist Party) virus, commonly known as the novel coronavirus.

“This sensitive data collected by the Chinese-donated drones can be accessed by the drone manufacturer—and, thereby, the Chinese government,” according to the report.

The think tank said there could be a more nefarious motive behind DJI’s gesture: “Beijing has a history of imbedding surreptitious endeavors into seemingly good-natured or even charitable transactions by its government and/or Chinese corporations.”

Heritage also recommended that the U.S. Department of Justice and DHS inform state, city, and county agencies of the “threat and the potential repercussions from employing Chinese drones.”

The American Security Drone Act of 2019, a bill introduced in both chambers of Congress last year, would ban federal departments and agencies from buying any commercial off-the-shelf drone or small unmanned aircraft systems (UAS), either manufactured or assembled in countries deemed a national security threat to the United States, such as China and Iran.

The Senate introduced the bill (S.2502) in September 2019 and the bill passed the Senate Homeland Security and Governmental Affairs Committee in March. The House version (H.R.5125) was introduced in November last year.

The House in July passed a measure to ban federal agencies from buying and using Chinese-made drones as part of the annual defense spending bill, the National Defense Authorization Act (NDAA). Both chambers will reconcile any differences and finalize the NDAA in a conference later this year.

The think tank urged quick actions to address the threat since technologies now available on large drones used by the U.S. military, such as more advanced surveillance capability, could soon be found on smaller drones.

“The technology is advancing rapidly, and the capabilities currently found in large drones is now being miniaturized and will likely migrate to smaller drones in the near term, which will significantly broaden the threat,” Heritage concluded.

Cathy He contributed to this report.
Frank Fang is a Taiwan-based journalist. He covers U.S., China, and Taiwan news. He holds a master's degree in materials science from Tsinghua University in Taiwan.