UAS COE Mitigations

Download as pdf or txt
Download as pdf or txt
You are on page 1of 5

Mitigating Potential Threat Vectors Found In UAS COE Audit of DJI Commercial Drone Products

Cybersecurity firm Booz Allen Hamilton, on behalf of PrecisionHawk s Unmanned Aerial Intelligence
Technology Center of Excellence (UAS COE), conducted risk assessment testing and analysis of three DJI
commercial drone products: The Government Edition Mavic Pro, Government Edition Matrice 600 Pro,
and the Mavic 2 Enterprise. The UAS COE released an executive summary of the audit
[https://www.precisionhawk.com/blog/unmanned-aerial-intelligence-technology-center-of-excellence-
conducts-risk-assessment-of-drone-technology] which we encourage all customers to read fully.

Below, we address each threat vector outlined in the audit along with specific mitigations that are being
undertaken by DJI, and where applicable, those that can be taken now by you, when operating the
relevant products.

1. Lack of passcode/authentication features on the Matrice 600 Pro GE or DJI Mavic Pro GE.
DJI Mitigation: During the development of our Government Edition (GE) solution, a passcode
feature was not requested by our customers so we did not build it. Because the Matrice 600 Pro
GE and Mavic Pro GE are older hardware nearing their end of life, DJI does not have plans to
build passcode features into these products. However, DJI’s Mavic 2 Enterprise does have a
passcode feature for protecting onboard storage and we will take this advice from the Center of
Excellence into consideration for future enterprise products.

User Mitigation: This vulnerability requires physical access to the drone. Secure the Matrice 600
Pro GE or DJI Mavic Pro GE in a location where only authorized personnel have access to it, and
when possible, use the passcode features on the mobile device that runs the DJI Pilot command
and control app.

2. Passcode feature on the Mavic 2 Enterprise does not prevent someone in physical possession of
the drone from accessing flight log data.
DJI Mitigation: In situations where an unauthorized party gains physical access to the Mavic 2
Enterprise (such as after a crash), direct access to flight log files has been mitigated by
encrypting the flight data logs as they are exported from the drone. In such a scenario, access to
the flight data logs is attempted through the DJI Pilot mobile app or the DJI Assistant 2 desktop
software. The passcode feature mitigates this risk by protecting flight data from being
immediately accessed using a remote controller and the DJI mobile app. Risk while using the DJI
Assistant 2 software is mitigated by encrypting of the exported flight data logs.

User Mitigation: This vulnerability requires an adverse party to have physical access to the
drone. Although DJI has already mitigated this risk, you may also ensure the Mavic 2 Enterprise
is stored in a secure location where only authorized personnel have access to it. You may
mitigate risk during operation by flying in locations where you can retrieve the drone following
an emergency landing or crash.

3. Lack of a remote data sanitization feature.


DJI Mitigation: Unlike smartphones, DJI drones do not need to be connected to the internet to
perform their main functions. DJI’s products enterprise products are operated with the DJI Pilot
command and control app that has features that eliminate internet connectivity and data
transmission. Therefore, this feature would not ensure that a drone could always be remotely
sanitized. Moreover, the Matrice 600 Pro GE and Mavic Pro GE were designed not to not
connect to the internet and therefore cannot be equipped with a remote data sanitization
feature.

User Mitigation: This vulnerability requires an adverse party to have physical access to the
drone. Secure the drone in a location where only authorized personnel have access to it. You
may mitigate risk during operation by flying in locations where you can retrieve the drone
following an emergency landing or crash.

4. Absence of data-at-rest encryption for an SD card (requires physical access to the SD card inside
the drone).

DJI Mitigation: Our Government Edition customers did not request this type of feature, and to
DJI's knowledge, no major digital camera or commercial drone manufacturer has incorporated
encrypted SD card data into their products. At this time, because of the large file sizes that our
products generate when capturing professional quality photos and videos, it is our assessment
that the process associated with decrypting these files every time a user wants to view or access
them would result in an unsatisfactory user experience that far outweighs the marginal security
benefit. We will consider implementing this feature into future products should we receive
requests from our customers that they desire this functionality.

User Mitigation: This vulnerability requires an adverse party to have physical access to the
drone. Secure the drone in a location where only authorized personnel have access to it. You
can mitigate risk during operation by flying in locations where you can retrieve the drone
following an emergency landing or crash. You may also institute a best practice procedure of
formatting your SD card after downloading the image or video data that you wish to protect.

5. Possible attack vectors associated with physical access to solid state or flash internal storage
modules.
DJI Mitigation: The DJI security team is currently researching encryption methods for data
stored in internal storage modules. While not feasible to make changes to products tested by
the Center of Excellence, it is expected that security enhancements will be added to new
enterprise products, assuming acceptable impacts on performance.

User Mitigation: This vulnerability requires an adverse party to have physical access to the
drone. Secure the drone in a location where only authorized personnel have access to it. You
can mitigate risk during operation by flying in locations where you can retrieve the drone
following an emergency landing or crash.

6. No AES-256 encryption of the video link on the Matrice 600 Pro GE or Mavic Pro GE, and AES-256
recommended.
DJI Mitigation: During the development of these Government Edition products, our
development partner customers did not request AES-256 encryption of the video link. At this
stage, because the Matrice 600 Pro GE and Mavic Pro GE are older hardware nearing their end
of life, DJI does not have plans to update these products. However, DJI utilizes AES-256
encryption via our Ocusync 2.0 transmission protocol which is available on the Mavic 2
Enterprise, Matrice 200 v2, and Matrice 300 RTK enterprise drones. Our security team will work
to ensure AES-256 encryption is applied to appropriate products in the future.

User Mitigation: This vulnerability is limited to data being transmitted live via the radio system
during an operation in progress, and therefore requires an adverse party to be located within
range of the drone’s radio signal during its operation. This range is typically a maximum distance
of a few miles depending on the radio frequency environment, terrain, obstacles, and the
altitude of the drone. To mitigate this vulnerability, do not operate the drone for sensitive
missions where you are within radio distance of potentially adverse parties. You may also
mitigate this attack vector by using one of DJI’s newer enterprise products.

7. The Matrice 600 Pro GE and Mavic Pro GE models are momentarily detected on commercial (non-
Government Edition) applications on tablet devices.
DJI Mitigation: DJI’s interface protocol works by opening parallel connections for the drone
interface and a handshake protocol. This causes drones to momentarily connect to different
applications while the handshake is completed. GE versions are designed not to complete the
handshake with the commercial (non-GE) DJI Pilot app, at which point the connection will close.
DJI is taking action to further mitigate this issue and eliminate the handshake between our
commercial applications and GE drones around by August 2020.

User Mitigation: This vulnerability requires an adverse party to have physical access to the
drone. Secure the drone in a location where only authorized personnel have access to it.
Instruct personnel to install and use only the Government Edition versions of DJI applications.

8. One model tested, the Matrice 600 Pro GE, could be connected to commercial servers for
firmware updates.
DJI Mitigation: DJI has released a patch to eliminate this vulnerability. Users who operate the
Matrice 600 Pro GE can obtain the patch by contacting [email protected] .

User Mitigation: None required.

9. Enabling “Allow Map Services” in the DJI Pilot mobile app can allow the communication of
location and IP address to outside network sources.
DJI Mitigation: DJI has updated DJI Pilot, and this latest version has disabled connections to
outside sources, other than servers based in the U.S. This eliminates the pings the Center of
Excellence observed that were sent to map-related support services in Germany.

User Mitigation: Obtain the latest versions of DJI Pilot. Also note that “Enable Map Services” is
an optional feature of these products and can remain disabled to mitigate this vulnerability
regardless of which version is used.

10. When the drone is connected to a computer by cable via USB, it is “potentially possible” for an
adverse party to send a signal over that cable to trigger “debugging mode” which may allow them
to access and control the device.
Mitigation: DJI has implemented extra protections to the USB debugging mode to help ensure
that system-level permissions cannot be obtained via debugging mode. DJI has restricted
Android Debug Bridge by default on drones, to help ensure that system-level permissions
cannot be obtained via debugging mode.
User Mitigation: This potentially possible vulnerability requires an adverse party to have
physical access to the drone. Secure the drone in a location where only authorized personnel
have access to it. You can mitigate risk during operation by flying in locations where you can
retrieve the drone following an emergency landing or crash.

11. Connecting the drone to a computer by USB cable causes the drone to initiate multiple types of
connections to the computer, which could expose new attack vectors such as serial, mass storage
device, and ethernet over USB.
Mitigation: DJI is studying ways to mitigate this vulnerability in future versions of its products
including: evaluating which communication channels are necessary when communicating with
the drone when utilizing USB connections, monitoring how those connections are in place and
what applications and what services are using these features, making sure devices presented to
computer are required and as minimal as possible, and by removing any unnecessary
connections and alerting users to the configuration of these devices.

User Mitigation: This potentially possible vulnerability requires an adverse party to have
physical access to the drone. Secure the drone in a location where only authorized personnel
have access to it. Do not use a physical USB connection between the drone and a PC, or use a PC
that is trusted, secure and isolated from network traffic.

12. File Transfer Protocol (FTP) service was found when a USB cable from a computer was connected
to the Mavic Pro GE and Mavic 2 Enterprise drones
DJI Mitigation: DJI recognizes that FTP is an imperfect protocol and its use carries certain risks.
We take these risks seriously, and we have put protection measures in place in our current
generation of drones to mitigate them, such as limiting the FTP path by performing the Chroot
operation on FTP and encrypting all data read by the FTP. While we agree with the Center of
Excellence’s assessment, we believe that continued use of FTP in current generation drones in
conjunction with appropriate mitigation strategies will lead to an acceptable level of security for
our customers.

Going forward, we will take COE’s feedback into account as we consider options for mitigating
FTP-related risks in future products. Measures we are already considering include using a valid
firewall rules table with ICMP replies turned off and developing iptables scripts to only allow a
signed VPN to traverse the network that is created. Our intention is to move towards an
alternative protocol and away from FTP in future products.

User Mitigation: This potentially possible vulnerability requires an adverse party to have
physical access to the drone. Secure the drone in a location where only authorized personnel
have access to it. Do not use a physical USB connection between the drone and a PC. Update
your firmware using connections on secure networks. You may also use the Matrice 600 Pro GE,
for which this issue was not observed.

13. A local network access exists without a clear function.


DJI Mitigation: As this vulnerability also relates to FTP and discoveries described by COE in item
number 12, please see the response for item 12 above.
User Mitigation: Please see the recommendation in response to 12 above.

Our security team is available to address any question or concern you might have. They can be
contacted at [email protected].

As an industry leader in the commercial drone market, we will always remain committed to working
with customers, partners, industry, customers, and security experts around the globe to address any
security concerns. We encourage continued participation in the DJI bug bounty program, details of
which can be found on our Security Response Center website [https://security.dji.com/]. Taken together,
these efforts will ensure our industry-leading products remain secure and trusted for all parties.

You might also like