(U//FOUO) Special Agent in Charge Intelligence Program (SIP) Los Angeles is generating this product in response to several requests for information received from the intelligence and law enforcement communities. It is based on information derived from open source reporting and a reliable source within the unmanned aerial systems (UAS) industry with first and secondhand access. The date of information is 9 August 2017.
(U//LES) SIP Los Angeles assesses with moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government. SIP Los Angeles further assesses with high confidence the company is selectively targeting government and privately owned entities within these sectors to expand its ability to collect and exploit sensitive U.S. data.
(U) Since 2015, DJI has targeted a number of U.S. companies in the critical infrastructure and law enforcement sectors to market its UAS. As of July 2017, at least ten large companies and organizations operating in the railroad, utility, media, farming, education, and federal law enforcement sectors have already purchased and begun using DJI UAS. The most frequent uses include mapping land, inspecting infrastructure, conducting surveillance, and monitoring hazardous materials.
(U//LES) DJI sells group one category (under five pounds) UAS intended for consumer and professional use. The UAS operate on two Android smartphone applications called DJI GO and Sky Pixels that automatically tag GPS imagery and locations, register facial recognition data even when the system is off, and access users’ phone data. Additionally, the applications capture user identification, e-mail addresses, full names, phone numbers, images, videos, and computer credentials. Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction. According to the source of information (SOI), DJI automatically uploads this information into cloud storage systems located in Taiwan, China, and Hong Kong, to which the Chinese government most likely has access. SIP Los Angeles assesses with high confidence a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites.
— (U//LES) After downloading DJI applications, users are prompted to acknowledge DJI’s terms and conditions, which grant DJI permission to own and exploit user data. The agreement reads, “Please note that if you conduct your flight in certain countries, your flight data might be monitored and provided to the government authorities according to local regulatory laws.”
— (U) In April 2016, a DJI spokesperson announced in a briefing for Chinese and foreign journalists that the company complies with Chinese government requests to hand over data collected in China, according to the New York Times. The same article stated DJI could also give the government data from flights in Hong Kong. The spokesperson revealed for the moment DJI was uncertain what they would decide to do with the data and which government departments they would give it to because it was a continuing discussion.
— (U//FOUO) In August 2017, the U.S. Army issued a memo to its units to immediately discontinue the use of DJI UAS due to an increased awareness of cyber vulnerabilities associated with DJI products. Although the vulnerabilities are not specified in the memo, it could refer to how DJI is using the data collected. The memo also references a May 2017 U.S. Navy memo addressing operational risks related to DJI products.
— (U//LES) The Chinese government is using DJI UAS as an inexpensive, hard-to-trace method to collect on U.S. critical assets, according to the SOI. The Chinese government directorates most likely receiving the data from DJI’s cloud are the offices responsible for defense, critical infrastructure, traffic controlling, and cyber offense, according to the same source.
(U) DJI’s Target Customers
(U//LES) DJI targets key federal, state, and local law enforcement entities through exhibits at trade shows across the United States. These shows are an attractive outlet for DJI to market its UAS since a large number of resellers and product representatives are present at each show. Since 2015, DJI has specifically targeted Sheriff’s Departments and Search and Rescue teams that attended the shows.
…
(U//LES) SIP Los Angeles assesses with high confidence that outside of DJI’s goal to attain law enforcement customers, DJI’s criteria for selecting accounts to target appears to focus on the account holder’s ability to disrupt critical infrastructure. As a result, DJI has amassed customers such as American Water, Union Pacific, and American Electric Power, some of the biggest utility and transportation companies in the United States.
…
(U//LES) Furthermore, the Chinese government is likely using information acquired from DJI systems as a way to target assets they are planning to purchase. For instance, a large family-owned wine producer in California purchased DJI UAS to survey its vineyards and monitor grape production. Soon afterwards, Chinese companies began purchasing vineyards in the same area. According to the SOI, it appeared the companies were able to use DJI data to their own benefit and profit.