Late last week, news broke that the US Army had issued a memo asking units to discontinue the use of DJI drones while the military investigated potential cyber vulnerabilities. There wasn’t much detail on what the exact concerns were or where they stemmed from, but it turns out that another federal agency recently looked into the issue.
The National Oceanic and Atmospheric Administration, which collects a lot of data on weather, did a study in October 2016 with the DJI S-1000 drone to “better understand if any data collected by the aircraft would be transmitted to the Internet during flight or during the subsequent transfer of the data to computers for post-processing.”
The study used Wireshark software on a Windows computer to “capture all packets moving to and from the computer on any port and provide diagnostic information for those packets. Care was taken to set up the computer to minimize extraneous network traffic prior to initiating the test.” The drone was being controlled with a third-party remote and independent ground station.
NOAA’s tests found that the S-1000 presented no threat for data leakage. “The majority of transactions to the DJI servers were to login to DJI servers hosted at both Amazon Web Services and Linode to check for software updates. These transactions are quite common for software of this type, and nothing unusual was detected during the experiment,” the report states.
“There was no evidence whatsoever of any attempt by any software to transfer any data from the aircraft.”
Despite NOAA’s finding, there are lots of variables that could keep the US Army from using DJI drones: the military might be using different units that treat data differently, or they could be concerned about the ability of third parties to hack the drone while it’s in flight, potentially taking over control from the pilot or siphoning off data that is being transmitted wirelessly back to the operator.