Do DJI products and components pose vulnerabilities, and are they a risk to American security? Since 2018 the Department of Defense has raised concern over drones or UASs built in countries that are not American allies and that pose a threat to American interests. To put it bluntly, in 2018 the DOD issued a ban on all drones regardless of the country where they were manufactured. Later that year Congress redefined the ban to only those UAS products manufactured or developed in what it termed a covered foreign country, which really means the Republic of China, the Russian Federation, the Islamic Republic of Iran, and the People's Republic of Korea. A direct quote from the Department of Defense reads, “The Department of Defense (DOD) position is that systems produced by Da Jiang Innovations (DJI) pose potential threats to national security” (DOD).

I think most drone users in general just want to keep flying their drones, and in good faith they purchased the products from reputable US vendors. However, there is a Common Vulnerabilities and Exposures (CVE) entry, CVE-2022-29945. The vulnerability involves broadcasting unencrypted information about the drone operator’s physical location. It falls under Common Weakness Enumeration CWE-319, in which a product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. An information packet can traverse many different nodes on its destination path; a bad actor with privileged access to that network interface and channel could sniff and see the underlying data. That is not something you want from a covered foreign country. A possible scenario is that a country with bad intent could sniff certain information, gaining access to other networks, personal ID information, accounts, or worse, locations within the United States that are mission critical.

The list of components:

Flight Controllers

Radios

Data transmission device

Camera

Gimbals

Ground Control System

Operating Software

Network Connectivity

Data Storage

 

The list covers everything that is needed for a UAS control system, so it would mean your drone would be useless if you are using DJI products. Just on a personal note, I know someone who works for the DOD, and I do not see those people wanting to limit Americans from using a product if they did not think there were some vulnerabilities or possibly some attack surfaces. If America finally bans products from these countries listed, as an American do you really want to support these countries? I think this will open the door for American companies to develop UAS technology.

 

References

CWE. (2024). CWE-319: Cleartext Transmission of Sensitive Information. https://cwe.mitre.org/data/definitions/319.html

Defense Innovation Unit. (2024). UAS Policy Guidance. https://www.diu.mil/blue-uas-policy

Department of Defense. (July 23, 2021). Department Statement on DJI Systems. https://www.defense.gov/News/Releases/Release/Article/2706082/department-statement-on-dji-systems/

NIST. (2024). CVE-2022-29945 Detail. https://nvd.nist.gov/vuln/detail/CVE-2022-29945

 
