Aardvark Daily
New Zealand's longest-running online daily news and commentary publication, now in its 24th year. The opinion pieces presented here are not purported to be fact but reasonable effort is made to ensure accuracy.
Content copyright © 1995 - 2018 to Bruce Simpson (aka Aardvark), the logo was kindly created for Aardvark Daily by the folks at aardvark.co.uk
Drones are big and in the world of drone manufacturing, China is the clear global leader.
And the biggest of the big is DJI, a Chinese company which makes the world's most popular and instantly recognisable family of consumer and prosumer drones: the Phantom, Mavic and now the tiny Spark.
Of course DJI is raking in huge amounts of money from the boom in recreational drone sales but the real value to China may go far beyond the export earnings these craft create.
In fact, there is now significant concern within certain circles that these drones constitute a huge security hole in the USA's defense of its critical infrastructure and key military assets.
The concern is so great, in fact, that the US Army has now placed significant restrictions on the use of DJI products within its ranks.
But wait... there's more, much more...
A number of informed experts have voiced their concern over the fact that DJI's products regularly send telemetry and other data to "the cloud" and that some of the servers from which that cloud is created are in China. In fact I've blogged about this before -- but recently, even more worrying possibilities have arisen.
It may not just be DJI who are spying on the data that these drones return to the cloud.
This Register story hints at other vulnerabilities within the DJI Go app which may provide back-door access to this data for third parties who may have nefarious intent.
Because these vulnerabilities allow for undetected "hot patching" of code by those who control third-party libraries being used, the potential for mischief is enormous.
Yes, the same vulnerabilities apply to any app which has been baked with these libraries but in the case of drone apps the potential for critical infrastructure information to be relayed to unrelated third parties is huge.
Imagine that a certain malevolent party is interested in what's going on at a specific location within the USA and they have access to what is effectively a back-door to the DJI app which runs on your phone...
All they have to do is "push" out a bit of code that monitors the GPS coordinates of every drone being flown with this app in the USA. When this code detects that you are flying a drone within the prescribed region it becomes a simple matter to have it send the video and other data related to that flight to the bad-actor's servers via the phone's data or wifi connection.
Far more effective, simpler and quicker than relying on spy satellite imagery and also incredibly covert. If the app sends every 100th frame to the cloud then most folk wouldn't even notice the hit on their data -- yet those frames could provide incredibly valuable information to a foreign nation or player.
If you look at the code running already as part of the DJI Go app you can see some worrying field names and a rather concerning database schema in effect. Clearly this app already has the *potential* to send everything your drone and your phone sees and hears to the cloud if/when it is deemed important to do so.
Wow... imagine the strategic and economic value of having millions of "eyes in the sky" from which you could covertly pluck images, video and audio (even conversations taking place between the drone operators as picked up by the phone's microphone).
It's now easy to see why the US Army are so worried -- but that's the least of the problem.
In theory, every person with a DJI drone could unknowingly be acting as a spy for China or some other third party who has taken control of the app used when flying these craft.
Perhaps we can now see why so many countries are enacting such draconian regulations as to where these things can be flown. If you can't stop the "leakage" of the data they collect then perhaps the only solution is to restrict where they can be flown so as to make that data less relevant and valuable.
Of course this is largely speculation at this stage -- but let's face it, in today's world all the important decisions are driven by paranoia so you can expect to see even more lunatic restrictions being enacted.
And of course, let's not forget that *everybody's* phones are also a potential spying tool for the "enemy". That selfie you took in front of an important (strategic) location might also be of great value to someone with evil intent. So what are we going to do about that?