Report Concludes DJI Drone Users Have Control Over Their Data

DJI has released the results of an independent report scrutinizing the company’s data practices. According to DJI, the report has concluded that DJI drone users have control over how their data is collected, stored and transmitted.

The report, conducted by San Francisco-based Kivu Consulting, Inc., was based on a first-of-its-kind detailed examination of DJI drones, mobile apps and servers, as well as the data streams they transmit and receive. Kivu’s engineers comprehensively examined the code repositories for DJI’s mobile apps and tested whether DJI’s drones could transmit sensitive user data without connecting to the DJI app. DJI notes it had no input into Kivu’s findings or conclusions.

The report analyzed drones and iOS and Android devices independently obtained by Kivu in the U.S. late last year. It confirmed DJI does not access photos, video or flight logs generated by the drones unless drone operators voluntarily choose to share them. Specifically, Kivu purchased the DJI Spark, Mavic, Phantom 4 Pro and Inspire 2 models and downloaded the DJI GO 4 mobile app. Kivu set up the systems to capture all data transmitted through the iOS and Android devices running DJI GO 4 and reviewed source code, application data, server addresses, and data generated during the operations.

“This is the first time DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” comments Michael Perry, DJI’s managing director for North America. “This comprehensive report clearly debunks unsubstantiated rumors about our products and assures our customers that they can continue flying DJI drones with confidence.”

“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store and transmit,” writes Douglas Brush, Kivu’s director of cyber security investigations, in a report summary available for download here.

“For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server,” Brush wrote. “For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”

In recent months, reports have emerged claiming DJI drones can transmit sensitive user data without the user’s knowledge or consent. However, DJI argues that none of those claims has been supported by evidence beyond speculation, and says Kivu’s report now affirmatively shows that DJI enables the protection of personal data and that claims to the contrary are demonstrably false.

Brush notes in the report, “Kivu is aware that certain information stored on DJI’s [Amazon Web Services (AWS)] cloud servers was recently and inadvertently made publicly available. Kivu has confirmed that DJI corrected this issue with the cloud server access and has complied with all notifications as required by law regarding this incident.”

He concludes, “As part of its analysis, Kivu performed industry-standard data security audits and vulnerability scans on the GO 4 application and the AWS servers to identify any known software vulnerabilities. Kivu routinely performs such audits and scans for its customers, and it is common to find some potential vulnerabilities, particularly the first time the audits and scans are performed for a particular company. In DJI’s case, Kivu identified certain potential vulnerabilities and immediately notified DJI, providing a full report and a prioritized list of potential vulnerabilities for immediate remediation and recommended steps for remediating them. Kivu worked with DJI to complete the recommended steps and then validated the remediation.”

