Two US government agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), warned on Wednesday that drones made in China could be used to gather information on critical infrastructure.
“The People’s Republic of China (PRC) has enacted laws that provide the government with expanded legal grounds for accessing and controlling data held by firms in China. The use of Chinese-manufactured unmanned aircraft systems (UAS) in critical infrastructure operations risks exposing sensitive information to PRC authorities,” according to a statement on the CISA website. The statement does not name any brands.
Those expanded legal grounds include regulations that require companies to send data to Beijing, such as China’s 2017 National Intelligence Law, 2021’s Data Security Law and the 2021 Cyber Vulnerability Reporting Law.
Between those three measures, Beijing reserves the right to gain access to data collected by Chinese companies worldwide or businesses operating in the Middle Kingdom.
Beijing also requires orgs with presence on Chinese soil to share any system or software vulnerabilities discovered with PRC authorities.
“This may provide PRC authorities the opportunity to exploit system flaws before cyber vulnerabilities are publicly known,” states the guidance [PDF]. It also gives Beijing access to IP, security controls and information that could help in the design of future cyberattacks.
CISA and the FBI point out that drones can receive and transmit data, but the avenues of potential compromise go beyond just data transfer and collection – they also include firmware updates and connected peripheral devices like docking stations.
The related CISA and FBI guidance offers many recommendations to secure drones, including considering UAS as IoT devices, using a standalone terminal for the download and security verification of firmware patches and updates, and adopting secure by design policies.
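As an illustration of the "standalone terminal for the download and security verification of firmware patches" recommendation, here is an added example of the check such a terminal would run before an image is carried over to the aircraft or its docking station. It is not code from the CISA/FBI guidance, The Register, or any drone vendor; it assumes the vendor publishes a SHA256SUMS-style manifest (`<hexdigest>  <filename>` per line) that was obtained and trusted through a separate channel, and the file names and firmware bytes below are constructed for the demo.

```python
"""Added example: verify downloaded firmware images against a trusted
SHA-256 manifest on an isolated verification terminal.

Assumptions (not from the guidance): the vendor ships a manifest in the
'<hexdigest>  <filename>' format, and the manifest itself was fetched and
validated out of band. All file names and blobs here are constructed."""
import hashlib
import hmac

HEX = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory firmware image."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse '<hex>  <name>' lines into {name: digest}.

    Blank lines and '#' comments are skipped; a malformed digest or a
    duplicate file name is treated as an error rather than silently ignored,
    since a corrupted manifest should stop the update, not weaken the check.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<hex>  <name>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_images(images: dict[str, bytes], manifest: dict[str, str]) -> dict[str, str]:
    """Return a per-file verdict: 'ok', 'MISMATCH', 'NOT IN MANIFEST' or 'MISSING'.

    Every downloaded file must appear in the manifest, and every manifest
    entry must be present, so an extra or dropped component is flagged too.
    """
    results: dict[str, str] = {}
    for name, blob in images.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "NOT IN MANIFEST"
            continue
        actual = sha256_hex(blob)
        # compare_digest avoids leaking the comparison position via timing
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    for name in manifest:
        if name not in images:
            results[name] = "MISSING"
    return results


def all_ok(results: dict[str, str]) -> bool:
    """True only when there is at least one file and every verdict is 'ok'."""
    return bool(results) and all(v == "ok" for v in results.values())


if __name__ == "__main__":
    # Constructed demo: two "firmware" blobs and a manifest that matches them.
    good = {"flight-controller.bin": b"constructed flight controller image",
            "dock.bin": b"constructed docking station image"}
    manifest_text = "# constructed vendor manifest\n" + "".join(
        f"{sha256_hex(blob)}  {name}\n" for name, blob in good.items())
    manifest = parse_manifest(manifest_text)

    print("clean download:", verify_images(good, manifest))
    # Tamper with one image in transit: a single flipped byte must be caught.
    tampered = dict(good)
    tampered["dock.bin"] = b"constructed docking station imagf"
    print("tampered download:", verify_images(tampered, manifest))
```

The manifest check only proves the image is the one the vendor published; it says nothing about what that image does, which is why the guidance treats firmware updates as one of several exposure avenues rather than the only one. Running it on a machine with no connection to the operational network keeps a compromised download from reaching the aircraft, and keeps the verification terminal from reaching anything else.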
The concerns are not unfounded. Reports of drones used for hacking appeared at Black Hat in 2016. Modified drones have also been used in the past to intercept credentials and Wi-Fi data that were later hard coded into tools deployed to attack other devices.
The Department of Homeland Security (DHS) sounded the alarm on concerns over Chinese-made drones in May of 2019, a quainter time when the government was still giving Huawei reprieves on sourcing American technology.
The US government grounded its own fleet of around 800 drones over fears of Chinese espionage back in January of 2020 while it revised its procurement laws.
Dronemakers like DJI have sworn via security audits their tech poses no risk when it comes to sending data back to China. Nonetheless, DJI was added to the US export control list in 2020 on grounds of national security.
In 2021, the dronemaker even received a ban on American investment, this time for its participation in repression of the Muslim Uyghur minority in Xinjiang province. ®