Cybersecurity firm FTI Consulting analyzes DJI’s data sharing or lack thereof

DroneXL already covered the main part of this News yesterday, but I think it is important to highlight the findings from FTI. The cybersecurity firm FTI Consulting analyzed DJI's data sharing, or more accurately the lack thereof, and concluded that not only does the Chinese drone maker employs security best practices, but that ‘when DJI's Local Data Mode (LDM) is enabled, no data that was generated by the application was sent externally to infrastructure operated by any third party, including DJI.

Cybersecurity firm FTI Consulting analyzes DJI's data sharing

DJI has hired FTI Consulting to investigate the dronemaker's data-sharing practices. FTI bought independently a number of DJI drones through different channels and the dronemaker provided the Data Security research firm with access to more than 20 million lines of code.

FTI Consulting reviewed the following DJI drones, apps, and websites:

DJI drones

• DJI Matrice 210 RTK V2 v01.00.0590
• DJI Phantom 4 RTK v02.02.0401
• DJI Mavic 2 Pro v01.00.0510
• DJI Mavic Mini v01.00.0300

DJI applications

• DJI Go 4 App v4.3.32 (Android; iOS)
• DJI Pilot app v1.7.2 (Android; Crystal Sky controller [Android])
• DJI Pilot Private Edition (PE) v1.6.1 (Crystal Sky controller [Android])
• DJI FlightHub Enterprise v1.3.1 (Ubuntu server 18.04)
• DJI GS RTK v2.1.1-GSP (Phantom Cendence controller)
• DJI Fly v1.0.6 (Android; iOS)
• DJI GS Pro1 v2.0.10 (iOS [iPad only])

DJI websites

• active.dji.com
• mydjiflight.dji.com
• factory.fffsky.net
• us.djiservice.org
• djigo-hk.djiservice.org
• valueadded.djiservice.org
• cnblog.SkyPixel.com

Summary of FTI Consulting's key findings:

1. FTI observed a number of instances where DJI employed security best practices.
2. FTI found that when DJI's Local Data Mode (LDM) is enabled, no data that was generated by the application was sent externally to infrastructure operated by any third party, including DJI.
3. FTI found that Pilot PE used with FlightHub Enterprise provides an alternative method for operation that provides consumers additional control over the data they generate, as it requires installation on a local or cloud-based server. With this configuration, FTI observed no evidence of data being requested or transmitted externally.
4. FTI found some instances of low-risk vulnerabilities in its application source code and website review; FTI assessed that these findings posed minimal risks to consumers.

Politico mentioned in their daily PoliticoPro email newsletter that:

“Another heavy-hitter consulting firm has backed up Chinese dronemaker DJI's assertion that it doesn't send data to anyone else when an unmanned aerial vehicle's “local data mode” is in effect. There's been a push from some on the Hill and in the administration to ban DJI, which controls a major share of the drone market, out of fears that the company would be beholden to Chinese government data demands.

In its report, FTI Consulting found that when LDM is enabled, “no data that was generated by the application was sent externally to infrastructure operated by any third party, including DJI.” (MT readers may recall a recent Booz Allen Hamilton assessment backing up DJI, too.) DJI hired FTI to conduct the analysis, but FTI said it purchased the equipment independently and reviewed millions of lines of source code that DJI made available.

Not only did Booz Allen Hamilton back up DJI as well. So did studies by the U.S. National Oceanic and Atmospheric Administration, U.S. cybersecurity firm Kivu Consulting, U.S. Department of Interior, U.S. Department of Homeland Security.

The only security research firm that came to a different conclusion is the French company Synacktiv that had previously worked with a DJI competitor, which we believe is the French dronemaker Parrot. Parrot made a big deal about not trusting Chinese-made and more specifically DJI drones in the weeks leading up to their Parrot ANAFI USA drone. We had reached out to Parrot and SkyActiv and have not heard back from either company confirming or denying their relationship. I think that tells us enough.