DJI's Controversies
2735 6 2021-12-28
Dong ZeYuan
lvl.4
Flight distance : 57060 ft
United States
Offline

5/5

Privacy and security concerns in the U.S.
The U.S. Department of the Interior Office of Aviation Services said in its analysis in July 2017 that DJI's software did not meet the requirement to be able to decline and lock out any device information sharing, including telemetry through aircraft, software or applications, preventing any automated uploads or downloads. In response, DJI published an offline mode that allows its drones to fly without transferring data over the internet.
The Register reported in August 2017 that DJI's Go app contained the JSPatch framework, which allowed DJI to hot-patch the app without triggering a review by Apple or first seeking user consent. This was against Apple's rules, and 45000 apps were blocked from the App Store because of their use of JSPatch at the time. In August, the United States Army also changed its internal guidance on disallowing the use of DJI products, especially on the battlefield. The guidance was based on an Army Research Laboratory report from May 2017, which found cyber vulnerabilities. The US Army's decision launched public research, where it was speculated that the decision was made because the data link between the controller and the drone was vulnerable.
As a result, DJI released a bug bounty program for finding flaws. Security researcher Kevin Finisterre reported a security breach of private customer data at DJI to the bug bounty program. In the breach he found, developers had pushed the private keys for SSL and cloud storage and firmware AES keys to a GitHub repository. According to Finisterre's description in Ars Technica, he was able to use the keys to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains. However, after a long discussion with DJI's legal team, he decided to turn down the $30000 bug bounty and publish the information.
In 2018, in response to the allegations of mishandling user data, DJI commissioned Kivu Consulting to make a larger analysis. Kivu found that only the DJI GO 4 app was connected to the internet, that it worked without an internet connection, and that it only uploaded data after user confirmation. It also used servers located in the US, except for the crash reporting app called Bugly, which uploaded crash reports to a server located in China.
In January 2020, the United States Department of the Interior announced that it would be grounding around 800 DJI drones over security concerns, which it had been using for wildlife conservation and infrastructure monitoring purposes.
In a May 2020 report analyzing the data use of DJI's Mimo app, which is used to control the Osmo gimbals from a smartphone, security research company River Loop Security made several discoveries "of concern" for users and policy-makers. According to the researchers, the social media app sends a variety of data, including sensitive personal information, through insecure means to servers located in China without user consent, raising suspicions that personal user data could be freely accessible to the Chinese authorities. User information was also sent to third-party servers, "where the Terms of Use Agreement supports cooperation with the Chinese Government."
In July 2020, reports by Synacktiv and GRIMM on the security of the DJI GO 4 mobile app found that it collected user information (IMSI, IMEI, the serial number of the SIM card) from phones and was able to force the installation of updates. The app also prompted the user to grant permission to "Install Unknown Apps" for installing updates from the DJI site. The app also integrated the social media site Weibo's SDK in a similar way, which also allowed Weibo-related third-party apps to be installed. Synacktiv wrote "Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user's phone."
DJI responded that "system detects if a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website. In future versions, users will also be able to download the official version from Google Play if it is available in their country." In the statement it released, DJI said that to use the Weibo SDK, users need to proactively turn it on. DJI also responded that “DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim (that it will stay running after it is closed)”. In August 2020, Synacktiv alleged that DJI's Pilot app shares many of the same issues present in DJI GO 4, which DJI denied.
An analysis by Booz Allen Hamilton reported that it didn't find evidence of unauthorized data transfers to China. The apps used backend servers located in the US. The only exception was the crash analytics, which contacted Chinese servers.
In November 2020, senators Chris Coons, Rick Scott, and others criticized a decision by the United States Air Force to purchase DJI drones on security grounds.

U.S. sanctions
In December 2020, the United States Department of Commerce added DJI to the Bureau of Industry and Security's Entity List. In January 2021, Trump signed an executive order mandating the removal of Chinese-made drones from U.S. government fleets. In December 2021, the United States Department of the Treasury prohibited investment in DJI by U.S. individuals and entities, accusing the company of assisting the People's Liberation Army and complicity in aiding the Uyghur genocide.

Pentagon analysis
In May 2021, the United States Department of Defense issued an analysis on DJI products. The unclassified portion of the report concluded that two types of drone in the DJI "Government Edition" line-up show "no malicious code or intent and are recommended for use by government entities and forces working with US services." This is according to a summary obtained by The Hill, though the Defense Department did not respond to an inquiry asking for elaboration.

Incidents involving DJI products
In January 2015, a Phantom 3 crashed into the White House's south lawn, in Washington, D.C., US. DJI later set up a no-fly Geo-system according to prohibited airspace, and forced all drones to update the firmware. The new system will forbid flights from getting closer to, or taking off in, restricted zones based on its GPS location.
In the 2015 Tokyo drone incident, a DJI Phantom 2 drone carrying radioactive material was landed on the Prime Minister's Official Residence. Subsequently, the National Diet passed a law restricting drone flights near government buildings and nuclear sites.
In 2016, ISIS used DJI drones as exploding devices in Iraq. DJI later created a broad no-fly zone over nearly all of Iraq and Syria. That year, a DJI drone was nearly involved in a midair collision with a Chinese fighter jet. The Chinese government subsequently insisted that DJI develop an air traffic registry to track its drones within China.
On 30 March 2018, Israel Defense Forces used DJI's Matrice 600 drone to drop tear gas from above, causing injuries, panic and death during Gaza and West Bank protests.
On 4 August 2018, two Matrice 600 drones detonated explosives near Avenida Bolívar, Caracas in an apparent attempt to assassinate Venezuelan president Nicolás Maduro.

2021-12-28
DAFlys
Captain
Flight distance : 312090263 ft
United Kingdom
Offline

Thanks for sharing.
2021-12-28
Dong ZeYuan
lvl.4
Flight distance : 57060 ft
United States
Offline

DAFlys Posted at 12-28 06:42
Thanks for sharing.

You are welcome.
2021-12-28
Dong ZeYuan
lvl.4
Flight distance : 57060 ft
United States
Offline

Here is 1/5 -> https://forum.dji.com/forum.php?mod=viewthread&tid=256935
2021-12-28
Montfrooij
Captain
Flight distance : 2560453 ft
Netherlands
Offline

Final one I hope.
2021-12-29
Dong ZeYuan
lvl.4
Flight distance : 57060 ft
United States
Offline

Thanks for reading all 5 of them.
2021-12-29
JBarg
New

United States
Offline

Thanks for sharing as well...
Hopefully DJI and China begin to realize it can't go about business like this.

I recently purchased an OSMO and I'm quite a bit annoyed. I can't use the blasted thing without worrying what data the Mimo app is sending off my phone. NOT HAPPY.
https://www.riverloopsecurity.com/blog/2020/05/dji_mimo/#:~:text=The%20DJI%20Mimo%20app%20sends,SMS%20messages%2C%20and%20read%20logs.
2023-1-14