Late last week, news broke that the US Army had issued a memo asking units to discontinue the use of DJI drones while the military investigated potential cyber vulnerabilities. There wasn’t much detail on what the exact concerns were or where they stemmed from, but it turns out that another federal agency recently looked into the issue.
The National Oceanic and Atmospheric Administration, which collects a lot of data on weather, did a study in October 2016 with the DJI S-1000 drone to “better understand if any data collected by the aircraft would be transmitted to the Internet during flight or during the subsequent transfer of the data to computers for post-processing.”
The study used Wireshark software on a Windows computer to “capture all packets moving to and from the computer on any port and provide diagnostic information for those packets. Care was taken to set up the computer to minimize extraneous network traffic prior to initiating the test.” The drone was being controlled with a third-party remote and independent ground station.
NOAA’s tests found that the S-1000 presented no threat for data leakage. “The majority of transactions to the DJI servers were to login to DJI servers hosted at both Amazon Web Services and Linode to check for software updates. These transactions are quite common for software of this type, and nothing unusual was detected during the experiment,” the report states.
“There was no evidence whatsoever of any attempt by any software to transfer any data from the aircraft.”
Despite NOAA’s finding, there are lots of variables that could keep the US Army from using DJI drones: the military might be using different units that treat data differently, or they could be concerned about the ability of third parties to hack the drone while it’s in flight, potentially taking over control from the pilot or siphoning off data that is being transmitted wirelessly back to the operator.
Ed Dumas, a computer programmer at NOAA and one of the authors of the study, confirmed to The Verge that their tests on the S-1000 found it wasn’t sending any unusual traffic back to DJI. He did say, however, that he ran similar tests on his personal unit, a Phantom 3 Professional, during his spare time. His software found that unit was sending encrypted data back to DJI and servers whose location he could not determine.
DJI, for its part, emphasized that it has never marketed its drones for use on the battlefield. “DJI makes civilian drones for peaceful purposes. They are built for personal and professional use, and are not designed for military uses or constructed to military specifications. We do not market our products for military customers, and if military members choose to buy and use our products as the best way to accomplish their tasks, we have no way of knowing who they are or what they do with them. The US Army has not explained why it suddenly banned the use of DJI drones and components, what “cyber vulnerabilities” it is concerned about, or whether it has also excluded drones made by other manufacturers.”
Update August 7th, 3:10PM ET: This article originally stated that NOAA’s study relied on DJI’s native remote and iOS app. In fact, the test used a third-party remote and independent ground station. The story has been updated to reflect these facts.