Drone maker DJI's security troubles continue to grow, as a newly leaked U.S. Immigration and Customs Enforcement (ICE) memo claims the company may be spying on the U.S. on behalf of the Chinese government. Per the memo, DJI drones and mobile apps are possibly being used to gather data on critical U.S. infrastructure, law enforcement, and more.
The ICE memo was issued on August 9, 2017, and is unclassified. It claims that DJI is "likely" providing the aforementioned data to the Chinese government, an assertion that is "based on information derived from open source reporting and a reliable source within the unmanned aerial systems (UAS) industry with first and secondhand access."
The claims aren't a certainty, according to ICE, which says in the memo that Special Agent in Charge Intelligence Program (SIP) Los Angeles has "moderate confidence" that DJI is providing law enforcement and critical infrastructure data to China. However, the memo claims that SIP LA has "high confidence" that DJI is "selectively targeting government and privately owned entities within these sectors to expand its ability to collect and exploit sensitive U.S. data."
SIP Los Angeles makes some alarming claims about the DJI GO and SkyPixel mobile apps, saying in part that they grab facial recognition data even if the feature is disabled. The collected data, which is said to include sensitive personal info like full names, images and videos, phone numbers, and computer credentials, is automatically uploaded to unspecified "cloud storage systems" in Hong Kong and Taiwan "to which the Chinese government most likely has access."
The memo goes on to state that SIP LA has "high confidence [that] a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites."
Sources of information (SOI) have informed officials, according to the document, that:
"The Chinese government is using DJI UAS as an inexpensive, hard-to-trace method to collect on U.S. critical assets ... directorates most likely receiving the data from DJI's cloud are the offices responsible for defense, critical infrastructure, traffic controlling, and cyber offense..."
This isn't the first time DJI has been the source of security concerns. Earlier this year, the U.S. Army issued a memo, as pointed out in this most recently leaked document, that ordered its units to immediately cease use of DJI products over security concerns. Additionally, security researcher Kevin Finisterre recently claimed that DJI threatened him after he submitted a bug bounty report highlighting serious security issues he had discovered with the company's system.
For its part, DJI has released an official statement on the leaked ICE memo, saying:
"The bulletin is based on clearly false and misleading claims from an unidentified source. Through the law firm of McDermott Will & Emery, DJI provided ICE a detailed rebuttal of the report, explaining why the data behind its conclusions is deeply flawed.
"As DJI explained to ICE, the allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions. DJI further urged ICE to consider whether the source of the allegations may have had a competitive or improper motive to interfere with DJI's legitimate business by making false allegations about DJI."
The company states that some of the claims in the ICE memo can be "easily disproven," including with "a simple internet search," while other claims are said to be "unsupported by facts or technical analysis."
That said, the ICE memo claims, "Much of the information collected [by DJI products] includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction."
DJI is allegedly "focused on targeting" the utility companies that provide drinking water in four big locations: New York, Los Angeles, Chicago, and New Jersey. The memo claims the drone maker is also focused on railway companies located in Los Angeles, Dallas-Fort Worth, and Omaha, and on the Milan Army Ammunition Plant in Fort Riley, Kansas. It is also allegedly providing the Chinese government with data to help it determine which assets to acquire in the U.S.
The complete ICE memo can be found here.