The memo, which also confirms that the Army has issued over 300 Airworthiness Releases for DJI products, instructed members to, “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”
DJI told IT in Canada, “We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’. Until then, we ask everyone to refrain from undue speculation.”
The company spokesperson also added, “DJI makes civilian drones for peaceful purposes. They are built for personal and professional use, and are not designed for military uses or constructed to military specifications. We do not market our products for military customers, and if military members choose to buy and use our products as the best way to accomplish their tasks, we have no way of knowing who they are or what they do with them. The US Army has not explained why it suddenly banned the use of DJI drones and components, what ‘cyber vulnerabilities’ it is concerned about, or whether it has also excluded drones made by other manufacturers.”
DJI UAVs range from small 300g consumer-oriented quadcopters to larger drones marketed to the agriculture, construction, energy, media, and public safety sectors. Headquartered in Shenzhen, China, the company has offices in Germany, the Netherlands, Japan, and South Korea. In the United States, DJI has sales, marketing, and policy offices in New York, Washington D.C., Burbank, and San Mateo. It also has a repair and service center in Cerritos and an SDK engineering office in Palo Alto.
UAVs use radio links for control, telemetry, and real-time video. Many also leverage a mobile phone or tablet as part of the control system, making them essentially flying IoT devices. If any part of that system is breached, an adversary could potentially obtain information on where and when the UAV was flown, download video of the flight, or even take remote control.
Given DJI’s market share (estimates range from 70 to 85 per cent), security issues could have widespread repercussions. If the U.S. Government has actually discovered vulnerabilities, hopefully they will responsibly communicate them to DJI so that they can be addressed in a timely manner.
A significant issue facing DJI, and IoT vendors in general, is the absence of effective third-party security standards and testing. More traditional IT products, such as firewalls and switches, are routinely subject to Common Criteria (CC) evaluations using independent laboratories. Certificates are issued by participating national governments and recognized by signatories worldwide.
The CC allows product developers to document their product’s Security Functional Requirements (SFRs) in a Security Target (ST). An independent laboratory can then conduct a CC evaluation to assess the product against the SFRs. The robustness of the evaluation depends on the desired Evaluation Assurance Level (EAL). In theory, this approach would allow an IoT product developer to demonstrate that their product meets specific security functional requirements. But, as is often the case, the devil is in the details.
The flexible nature of EAL-based evaluations allows each developer to choose the SFRs against which their product is evaluated, but this flexibility can make it difficult to compare similar products. For example, two firewall vendors could choose very different SFRs, but both market their products as having achieved Common Criteria certifications.
To address this, collaboratively developed Protection Profiles exist for some types of common IT products. Each Protection Profile (PP) includes a set of SFRs along with specific test and assurance requirements. Products submitted for PP-based CC evaluations must exhibit exact conformance with the PP.
Customers benefit from the PP approach. For example, if a product meets the Network Device Collaborative Protection Profile (NDcPP), it will exhibit good baseline security behaviour on the network. PPs exist for a variety of products such as firewalls, IDS, VPN, software applications, printers, and wireless networks.
The issue facing IoT vendors interested in having their products evaluated is what to do when there is no reasonably applicable PP. The PP process is dominated by the U.S. Government, and while public and private sector representatives are involved in developing each PP, the decision to develop a PP and the SFRs selected primarily address government requirements.
Because PPs have evolved to force standardization, and because of the emphasis on government requirements, PPs are inflexible and often include requirements that are disproportionately onerous. They also suffer from a long development cycle, making the process difficult to apply in rapidly evolving areas such as UAVs.
Further complicating the issue is the fact that laboratories operating within the U.S. Common Criteria scheme, overseen by the National Information Assurance Partnership (NIAP), a branch of the National Security Agency (NSA), are only allowed to conduct PP-based evaluations. In other words, if there is no applicable PP, a Common Criteria evaluation cannot be conducted within the United States. In addition, only PP-based evaluations can result in the product being placed on the U.S. Product Compliant List (PCL), to which U.S. Government departments look when making purchasing decisions.
One option for IoT vendors is to look outside the United States. Some countries continue to allow EAL-based evaluations; others are seeking balance by preferring PP-based evaluations, but allowing EAL-based evaluations on an exception basis where there is a good reason to evaluate the product and an appropriate PP does not exist.
Hopefully manufacturers and users of IoT products, including UAVs, will pressure NIAP to develop a relevant and rational Protection Profile. But in the interim, IoT developers who seek globally recognized independent security testing continue to look for help outside the United States.
Have a security question you’d like answered in a future column? Eric would love to hear from you.