This security white paper is part of DJI's commitment to ongoing transparency and education. It outlines the key systems in a drone and identifies the security measures DJI has implemented to bolster security and protect the integrity of user data. It has been updated since the original April 2020 paper to reflect additional security improvements and new product developments. For instance, It includes new products such as the M300 RTK and Mavic 3 drones, as well as the additional security features offered with new systems, such as secure transmission using 4G LTE, one-click deletion of flight logs, and encryption of SD card media data.
We hope the discussion provides helpful information about the details of how DJI systems handle data, and illuminates the care and scrutiny DJI applies to its stewardship of customer data.
Thank you for your submission!
We have just emailed you a copy of the DJI Security White Paper.
Your request has already been sumbitted.
User privacy is one of DJI's top priorities and when we say your data is none of our business, we mean it.
We want you – our valued users – to know that we do not sell user data to advertisers. It is simply not our intention nor our business model.
As the industry leader, we believe we have a responsibility to inform our customers exactly what data we have, how we use it and how we keep it safe. As a tech company, it’s equally important to be absolutely clear about what data we don’t have access to.
We believe that our customers should have control of their data which is why we have prepared these guidelines to help you better understand and manage the data you generate with your DJI drone.
Regardless of whether you’re a consumer or enterprise user, all of our products have privacy settings that enable you to check and adjust your product’s privacy settings wherever and whenever you choose.
Please check out our guidelines below and drop us an email at firstname.lastname@example.org if you have any questions or comments.
Mitigating Potential Threat Vectors Found In UAS COE Audit of DJI Commercial Drone Products
As referenced in our ViewPoints blog post, cybersecurity firm Booz Allen Hamilton, on behalf of PrecisionHawk's Unmanned Aerial Intelligence Technology Center of Excellence (UAS COE), recently conducted risk assessment testing and analysis of three DJI commercial drone products: The Government Edition Mavic Pro, Government Edition Matrice 600 Pro, and the Mavic 2 Enterprise. Today, the UAS COE released an executive summary of the audit which we encourage all customers to read fully.
DJI works closely with customers, security experts and government authorities to address safety, security and privacy concerns, and we welcome the findings of this independent audit. In summary, the audit discovered several low or moderate severity threat vectors that pose generally low risk to DJI users but directly found no evidence that the data or information you collect when using this DJI technology is being transmitted to DJI or China. As Booz Allen wrote, all but two of these threat vectors "require either physical access to the drone, or (in the case of #6) for the attacker to be located within radio range of the drone's radio signal during its operation" and this threat vector can be significantly reduced with additional security measures and best practices.
When conducting cybersecurity testing, it is generally assumed that some vulnerabilities will exist. Peer reviewable security is the gold standard in getting these vulnerabilities patched in a controlled and managed process. We make it a priority to address every single vulnerability in an open and transparent manner as part of our mission is to strengthen trust, data security, your privacy and airspace safety. We have already implemented measures to address many of the threat vectors identified in the report including numbers 8 and 9, and we are actively working on the others like numbers 5 and 7.
Below, we address each threat vector outlined in the audit along with specific mitigations that are being undertaken by DJI, and where applicable, those that can be taken now by you, when operating the relevant products.
Our security team is available to address any question or concern you might have. They can be contacted at email@example.com.