Report on DJI Data Security Released

Kivu Report on DJI Data

Kivu aimed to ascertain how DJI collected, used and stored the data obtained through drone operation. The report was instructed by DJI, however, all data was obtained and assessed by Kivu to guarantee complete autonomy. The investigation was likely instructed following the various controversial data scandals involving DJI in 2017, where accusations were made without any evidence. The results of the investigation have helped DJI firmly combat these claims and have highlighted their dedication to the security of their customer's data. Keep reading o find out more about the specific details in the report.

What Equipment was Included?

Kivu independently purchased the following:

• DJI Spark

• DJI Mavic

• DJI Phantom 4 Pro

• DJI Inspire 2

• DJI GO 4 app – Apple and Android versions

• Remote Controllers

In addition to the above, Kivu were given access to DJI servers, code repositories and DJI teams to ensure a thorough assessment of all areas of DJI’s operation.

Report Findings on DJI Data

Kivu’s report covers DJI’s data storage, transmission and collection. Additionally, specific details such as facial recognition were addressed; likely due to allegations made in the ICE memo from the Immigration and Customs Enforcement Bureau in 2017 surround the use of facial recognition software. In summary, the report noted that customers have control over the data collected, stored and transmitted from DJI. For data such as media files and flight logs, customers must authorise transmission to a DJI remote server.  For other types of data such as location, diagnostics etc. customers may remove access in DJI GO 4 settings or disable internet connection. Below, we have broken down the findings detailed in Kivu's report:

Storage and Transmission 

DJI cannot automatically collect image and video files. Files must manually be captured by the customer and are not uploaded to DJI’s servers once captured. If using DJI’s SkyPixel, files will be stored securely.

Audio

DJI drones that were tested will not automatically record audio. External microphones can be used to record audio, with data only being uploaded to servers is authorised by customers.

Flight Logs 

Flight logs are stored in a proprietary format on the drone and DJI GO 4 app. Customers can choose to upload or sync logs with DJI’s servers if desired.

Diagnostics and No Fly Zones 

DJI drones will transmit diagnostics and location check data to DJI’s servers. However, data is generalised or randomised to within 10 km of the user's location. Data is transmitted if flying near a No Fly Zone to avoid use in a restricted area. These settings can be stopped by deactivating them in the DJI GO 4 app or disabling connection to the internet.

Identifiable Data 

DJI only use email addresses and phone numbers as identifiable data. Data is not validated meaning details can be made anonymous if desired. Details are stored in parts of the DJI GO 4 app that is not easily accessed by a regular user or the operating system of the device.

Servers

DJI use servers by Amazon Web Services (AWS) and Alibaba Cloud in the United States. They maintain and manage server access and resources internally. The security policies, user accounts and security groups used by AWS servers have been confirmed to be designed to prevent unauthorised access.

Cloud Storage Audit 

For the investigation, Kivu performed an audit on DJI GO 4 and the AWS servers. All vulnerabilities were urgently sent to DJI as is the standard protocol in these types of audits. These areas received immediate action and have now been secured.

Facial Recognition

DJI’s drones are not able to identify an individual’s face and do not use a facial recognition software.   All areas are now considered to be secure by DJI and Kivu with data protected to an adequate level. 

Emergency Services Response

We spoke to Edward Delderfield from Lincolnshire Police about his thoughts on the report. He advised the following:

"I think that it’s a positive and required proactive move by DJI in order to address the concerns that have stemmed from law enforcement and other agencies. In Lincolnshire we exclusively use DJI products and to have reassurance around data integrity means that we will continue to consider their aircraft when we come round to upgrading or renewing our fleet."

Summary

The independent report from Kivu is a welcomed investigation of DJI’s data security. It clearly helps customers have complete peace of mind that DJI are secure and their data is safe. Arranging the investigation was a proactive step from DJI that suggests they have taken media controversies seriously, even without evidence. Overall, the report from Kivu will likely be the final step in restoring faith in DJI, helping them maintain their position at the top of the commercial drone market.

To discuss any information from the above post or any DJI or Freefly product, please give one of our team a call on 0191 296 1024 or email us at info@heliguy.com.

Keep checking back to Heliguy’s Insider Blog for more announcements, insights into drones and, of course, the latest news from the drone industry.