DJI products and components: do they pose vulnerabilities, and are they a risk to American security?
Since 2018 the Department of Defense has raised concern over drones, or UASs, built in countries that are not American allies and that pose a threat to American interests. To put it bluntly, in 2018 the DOD issued a ban on all drones regardless of the country where they were manufactured. Later that year Congress redefined the ban to cover only those UAS products manufactured or developed in what it termed a covered foreign country, which really means the Republic of China, the Russian Federation, the Islamic Republic of Iran, and the People's Republic of Korea. A direct quote from the Department of Defense reads, “The Department of Defense (DOD) position is that systems produced by Da Jiang Innovations (DJI) pose potential threats to national security” (DOD).
I think most drone users in general just want to keep flying their drones, and in good faith they purchased the products from reputable US vendors. However, there is a Common Vulnerabilities and Exposures (CVE) entry, CVE-2022-29945. The vulnerable products broadcast unencrypted information about the drone operator’s physical location. The corresponding Common Weakness Enumeration entry is CWE-319, which covers transmitting sensitive or security-critical data in cleartext over a communication channel that can be sniffed by unauthorized actors. An information packet can traverse many different nodes on the path to its destination; a bad actor with privileged access to a network interface and channel along that path could sniff the traffic and see the underlying data. That is not something you want from a covered foreign country. A possible scenario is that a country with bad intent could sniff certain information, gaining access to other networks, personal ID information, accounts, or worse, locations within the United States that are mission critical.
The list of components:
Flight Controllers
Radios
Data transmission device
Camera
Gimbals
Ground Control System
Operating Software
Network Connectivity
Data Storage
The list covers everything that is needed for a UAS control system, so it would mean your drone would be useless if you are using DJI products. Just on a personal note, I know someone who works for the DOD, and I do not see those people wanting to limit Americans from using a product if they did not think there are some vulnerabilities or possibly some attack surfaces. If America finally bans products from these countries listed, as an American do you really want to support these countries? I think this will open the door for American companies to develop UAS technology.
References
CWE. (2024). CWE-319: Cleartext Transmission of Sensitive Information. https://cwe.mitre.org/data/definitions/319.html
Defense Innovation Unit. (2024). UAS Policy Guidance. https://www.diu.mil/blue-uas-policy
Department of Defense. (July 23, 2021). Department Statement on DJI Systems. https://www.defense.gov/News/Releases/Release/Article/2706082/department-statement-on-dji-systems/
NIST. (2024). CVE-2022-29945 Detail. https://nvd.nist.gov/vuln/detail/CVE-2022-29945