Blog entry by Bruce McPherson
Drones have become an increasingly popular tool for industry and government.
Electric utilities use them to inspect transmission lines. Oil companies fly them over pipelines. The Interior Department even deployed them to track lava flows at Hawaii's Kilauea volcano.
But the Department of Homeland Security is warning that drones manufactured by Chinese companies could pose security risks, including that the data they gather could be stolen.
The department sent out an alert on the subject on May 20, and a video on its websitenotes that drones in general pose multiple threats, including "their potential use for terrorism, mass casualty incidents, interference with air traffic, as well as corporate espionage and invasions of privacy."
We could pull information down and upload information on a flying drone. You could also hijack the drone."
Lanier Watkins, cyber-research scientist at Johns Hopkins University
"We're not being paranoid," the video's narrator adds.
Most drones bought in the U.S. are manufactured in China, with most of those drones made by one company, DJI Technology. Lanier Watkins, a cyber-research scientist at Johns Hopkins University's Information Security Institute, said his team discovered vulnerabilities in DJI's drones.
"We could pull information down and upload information on a flying drone," Watkins said. "You could also hijack the drone."
The vulnerabilities meant that "someone who was interested in, you know, where a certain pipeline network was or maybe the vulnerabilities in a power utilities' wiring might be able to access that information," he noted.
DJI offered a bounty for researchers to uncover bugs in its drones, although Walker said Johns Hopkins didn't accept any money.
In a statement, DJI said:
"At DJI, safety is at the core of everything we do, and the security of our technology has been independently verified by the U.S. government and leading U.S. businesses. DJI is leading the industry on this topic and our technology platform has enabled businesses and government agencies to establish best practices for managing their drone data. We give all customers full and complete control over how their data is collected, stored, and transmitted.
"For government and critical infrastructure customers that require additional assurances, we provide drones that do not transfer data to DJI or via the Internet, and our customers can enable all the precautions DHS recommends. Every day, American businesses, first responders, and U.S. government agencies trust DJI drones to help save lives, promote worker safety, and support vital operations, and we take that responsibility very seriously. We are committed to continuously working with our customers and industry and government stakeholders to ensure our technology adheres to all of their requirements."
There are other, more covert, ways that foreign governments could obtain the type of information gathered by drones, said John Villasenor, a fellow at the Brookings Institution who teaches at the University of California, Los Angeles.
"[If] you fly a drone above a pipeline, there's a pretty good chance someone is gonna see it up there," he said, but "a spy satellite just takes a picture from 120 miles up or whatever. Then, of course, no one's going to know what happened."
This is not the first time the U.S. government has expressed concern over the use of Chinese-made drones. In 2017, the U.S. Army barred use of DJI's drones.
Villasenor said the government's concern over Chinese drones "is not new, although the fact that it has surfaced now may or may not be tied to these broader trade tensions which have flared up in recent months."
The Department of Homeland Security's warning about Chinese drones coincides with the Trump administration's campaign against tech manufacturer Huawei, which also coincides with the ongoing trade war between the two countries.
t also comes as officials are warning transit agencies in New York and Washington, D.C., against buying new subway cars made by a Chinese manufacturer.
Sen. Mark Warner, D-Va., along with the region's other Democratic senators, has introduced legislation prohibiting the Washington Metropolitan Area Transit Authority from buying the Chinese-made cars because of security concerns.
"A rail car might have a whole host of sensors [and] communication tools, and when that equipment is manufactured in China," Warner said, "and when that equipment sometimes can be upgraded on a remote basis in terms of a software upgrade, there are national security implications."
Underlying the tech concerns is the Chinese government's control over all Chinese companies.
"The Communist Party of China now has in their law the ability to interfere and take information from virtually every Chinese company," Warner warned. "And as long as that exists, that provides a whole set of vulnerabilities I think American business has to consider on a going-forward basis."
The bottom line, the Department of Homeland Security said, is that customers should be cautious when buying Chinese technology.By Brian Naylor NPR