Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

DHS Reportedly Warns of Chinese-Made Drones Stealing Data

Drones May Be Sending Data Back to China, According to News Reports
DHS Reportedly Warns of Chinese-Made Drones Stealing Data

The U.S. Department of Homeland Security is warning that Chinese-made drones could be sending sensitive data back to their manufacturers in China, where it can be accessed by the government, according to news reports from CNN and others.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

The Cybersecurity and Infrastructure Security Agency, a new department within DHS created to help secure the nation's critical infrastructure from physical as well as cyber threats, issued the warning Monday, according to CNN (see: DHS: Federal Agencies Need to Patch Vulnerabilities Faster).

The devices could "contain components that can compromise your data and share your information on a server accessed beyond the company itself," the report states, according to CNN, which says it obtained a copy.

As of Tuesday morning, the alert had not been posted to the DHS website.

Although the warning didn't single out a specific drone manufacturer, the Chinese company DJI is the biggest provider of drones to the U.S. market, CNN reports.

Agencies from local police departments to the Interior Department have used drones for sensitive work, CNN reports. According to a 2017 government memo, contractors in Kansas building a DHS bio-defense facility used a DJI drone "to assist with construction layout and provide security during construction," according to the news network.

Tensions Rise

The news comes as tensions between China and the U.S. are on the uptick as both companies engage in a trade dispute that has increased tariffs in both countries.

Last week, U.S. President Donald Trump signed an executive order that bans the purchase of telecommunication equipment from nations deemed to pose a spying risk, which most believe is specifically aimed at China-based Huawei (see: Trump Signs Executive Order That Could Ban Huawei). But the administration now plans to offer a 90-day reprieve.

"The overall theme is that third-party manufacturers could be using personal data for malicious intent," Chris Morales, the head of security analytics at Vectra, a San Jose, California-based threat detection and response firm, tells Information Security Media Group. "This is a theme that should expand beyond just a specific nation-state actor. This is a real concern for any device that is collecting data on a user, regardless of where they are based."

The Trouble With Drones

This week's DHS announcement concerning Chinese-made drones is not the first time a U.S. agency has raised concerns about these increasingly popular devices.

In 2017, the U.S. Army stopped using drones made by DJI. Its order also required that batteries and storage media be removed and applications uninstalled from these devices (see: US Army Nixes Use of DJI Drones Over Cybersecurity Concerns).

When it issued the order, the Army did not specify a specific threat or vulnerability associated with these drones, and DJI issued a statement denying any wrongdoing, according to media reports.

This week's DHS alert also did not contain a specific warning about what, if any data, was being stolen or transferred from a drone to manufacturers in China, according to CNN.

The U.S. and its intelligence agencies, however, have raised more concerns about security threats from China and the country's growing cyber capabilities. At this year's RSA conference in San Francisco, FBI Director Christopher Wray told the audience that he was "shocked" by the counterintelligence prowess of China after returning to government service (see: FBI's Wray on China's Counterintelligence Capabilities).

Growing Markets and Growing Concerns

While drones have increased in popularity with commercial businesses as well as hobbyists, these devices are also increasingly seen as a significant security vulnerability.

In 2018, researchers with Recorded Future issued a report that a hacker accessed sensitive data from several U.S. spy drones and then attempted to sell this information on dark net sites for as little as $150, according to Wired.

By the end of 2020, Gartner estimates, the market for personal and commercial drones will exceed $11.2 billion worldwide.

Within the U.S., the most popular maker of drones in DJI, according to the CNN report, which cited a study from Skylogic Research. Thanks to the success of its Phantom series of drones, DJI controls nearly 80 percent of the market in the U.S. and Canada, the report notes.

The DHS alert did not specify any particular companies, and in a statement to CNN, DIJ denied any wrongdoing.

"We provide drones that do not transfer data to DJI or via the internet, and our customers can enable all the precautions DHS recommends," according to the DJI statement.


About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.