Washington, D.C., December 16, 2019 – A US Navy office involved with drone warfare raised a series of concerns in 2017 about Defense Department use of drones sold commercially by the Chinese firm Dajiang Innovation (DJI), according to a document released to the National Security Archive under the Freedom of Information Act.
The memorandum, from the Navy’s Program Executive Officer for Unmanned Aviation and Strike Weapons, is titled “Operational Risks with Regards to DJI Family of Products” and is dated May 24, 2017. It cites several risks and notes that a “thorough study of the cyber vulnerabilities of these systems” had not been completed. The memo drew attention to public research which suggested that the data link from the drone to the ground station was vulnerable and that the system could upload images, videos, or telemetry to servers without operator knowledge. It also expressed uncertainty over vulnerability to electromagnetic interference resulting in loss of control.
In August 2017, sUAS News obtained a US Army memorandum banning use of unmanned aircraft systems (UAS) made by DJI. That memorandum cited two documents: an Army Research Laboratory report titled “DJI UAS Technology Threat and User Vulnerabilities” and the above-mentioned Navy memorandum. The National Security Archive received the latter through FOIA with minimal redactions and is publishing it today.
The released Navy memo also reveals that DJI drones were being used as “threat representative” UAS systems for training and development of tactics, techniques, and procedures (TTPs) for the use of counter-UAS systems. This is an entirely logical use given the proliferation of DJI drones on battlefields around the world.
While concerns over supply chain vulnerabilities to US weapons systems and platforms have received significant attention, concerns over DJI raise a new angle to supply chain concerns. In this case the supply chain vulnerability is to systems brought in by the US military to mimic opposition forces rather than to critical weapons systems and platforms deployed to the battlefield. If the worst-case concerns of the US Navy are true, then it is possible that foreign military or intelligence agencies were receiving data on US military counter-UAS training exercises through compromised training targets.