I read the DOI drone verification report and extracted some highlights.

After trying and failing to buy domestic, and turning down military drones that are expensive and less flexible, the US Dept of the Interior finally caved and bought chinese drones.

But they did a bunch of due diligence and asked for software changes. As someone who reads privacy policies until I barf, I usually feel powerless and nauseous about privacy news. I’m fascinated and happy by how this one turned out. I’m glad that someone is putting a (big) price tag on verifiable privacy in software.

What if superman had been raised in china

The DOI’s drone mission mix (page 18 of the report) is fascinating and worth a read. It includes fire starting, search and rescue, archaeology, volcano sniffing, and checking up on baby birds. In superhero terms it’s a mix of superman, carrie, and indiana jones.

It makes sense that they care about the security of the drones. Did you ever read that comic about superman’s bassinet landing in the USSR instead of Kansas? Compromised drones sound kind of like that.

The purpose of this evaluation was to determine if the systems leak data to DJI servers under certain operational conditions, and to determine the degree the systems can be operated without connecting to the internet, including the use of the IGNIS payload. (page 15)

DOI uses these to drop ‘IGNIS spheres’ (some sort of fire starting bomb) for fire management. If a foreign actor or a script kiddie got access, this could be dangerous beyond mere ‘data leak’ dimensions.

But data leaks matter too:

Public experience with significant government and private sector data breaches and privacy concerns related to drones reinforce the importance of having a data management and risk mitigation strategy for all UAS programs. (page 6)

Phone home risk

Every time ET saw a telephone he’d growl ‘hoooooome’.

M&M’s passed up on the product placement in ET because they thought the alien was frightening to kids. (Terry Pratchett called him a “friendly turd”).

Here’s what frightens me: the report found that stock-configured DJI drones behave more or less like ET, phoning home whenever you connect them to something.

Even the special government edition pinged dji.com. (Ping is a 2-way protocol that shares information about the source network). The stock software was much, much worse:

unlike manned aircraft conducting similar missions, some UAS automatically collect flight and payload data, which is often shared with the manufacturer through flight control and/or data acquisition/processing applications (page 6)

Drones Amplified had previously provided Interior with a similar assessment of DJI’s “Local Data” mode, identifying data management assurance issues which were critical to OAS’s decision to not authorize the use of DJI products with Local Data mode and to continue working with DJI on a solution that would meet Interior’s requirements (page 15)

With respect to DJI, their applications are heavily integrated on the back end with DJI servers. This makes it very easy for a user to intentionally and possibly unintentionally share data with the manufacturer (page 20)

I’m shocked consumers aren’t more upset about this kind of thing, and happy that the DOI put their foot down here. I hope we legislate phone home, at least requiring disclosure and preferably requiring opt-in.

Updates considered harmful

Finally someone’s making the flip side of the ‘updates make you safe’ argument. The report, recognizing that their vendor is an untrusted third party, thinks that software updates are (1) a security risk and (2) an ongoing maintenance headache.

“over the air” software/firmware updates did not meet our requirements related to data management assurance. In response, DJI worked with DOI to build a custom “Government Edition” (GE) version of their Assistant 2 software. This version runs offline of the DJI servers … GE firmware is … side loaded into the aircraft … preventing data leakage during this process. (page 20)

Observed test results cannot be extended to future DJI GE software, firmware, or hardware updates. (page 21)

This necessary V&V testing of future updates will result in added program costs and delays, dependent on the number and complexity of proposed changes. Accordingly, the GE solution by itself does not represent a long term, sustainable solution for Interior. Future solutions must provide consistent levels of data management assurance without the need to conduct costly and time-consuming V&V of subsequent updates. (page 21)

I was going to title this article ‘Will DJI be DOI’s dieselgate?’ but thought better of it. But they’re thinking about that:

This kind of test cannot prove that the systems won’t contact DJI servers, as the software might only transmit data during conditions that are infeasible to test. (page 39)

DOI is basically saying give me your hardware, yearning to be free, not your poor software. The natural outcome here is some kind of OSS OS that they can cheaply verify, then run it on top of the cheap & effective DJI hardware they like.

DOI’s commercial testing firm did ‘reversing of candidate system binaries’, which I assume means reverse engineering. I love the idea of safety linting built binaries, yes please, but would much rather spend my energy validating source code given the option.

Other observations

There is a market for privacy! Hurrah! I hope this becomes true in the consumer space as well.

Not that I’m advocating anything, but this model of risk assessment is one way out of the Huawei 5G mess.

DOI claims that their entire drone buy cost less than a single manned aircraft. They did a lot of their program evaluation on hand-me-downs from the defense dept. They claim all of their drone pilots are people who were already working at interior and were retrained.

This is cool because it shows how organizational slack can lead to innovation. Having a few extra resources on hand allows you to take advantage of change and have massive efficiency jumps, vs focusing on bottom line until you get out-competed.

Their verification team included multiple government agencies and touched 300 domain experts. I don’t know about you but this is more than 10x the reach of my company. If private sector (or gasp, consumer) is going to get serious about security, we have to form communities that can get together and do this testing.

One of their requirements from their requirements doc is ‘selectable LOL’. Not sure what that is but count me in.