The CEO of an Australian company that supplies the ADF with US-made drones has warned the Chinese government likely has access to a secret key to break DJI’s encryption.
Philippe Odouard’s company Xtek has a $101-million contract to supply the ADF with Wasp surveillance drones. The company loads the US-made drones with Australian software before handing them over to the military.
“The likelihood is any of their [DJI’s] encryption algorithms would be available to the Chinese government,” Mr Odouard told SBS World News.
“Most algorithms for encryption in particular, depending on who designed them, would have backdoors. And a lot of those, if it’s done by a private enterprise, may be provided to the government.”
The warning comes after a report in The Australian revealed the Australian Defence Force (ADF) suspended its use of DJI drones on August 9, after the US military banned their use on August 2 citing cybersecurity concerns.
But the ADF then resumed DJI flights on August 21 under “revised operating procedures”, a Defence spokesperson told SBS World News.
The spokesperson also confirmed the ADF made use of DJI Phantom drones.
It remains unclear what those revised procedures entail, but defence minister Marise Payne said Defence was “comfortable” using the drones in “unclassified situations”.
Mr Odouard suggested the drones might still be appropriate for training purposes, but cautioned against using them in more sensitive environments.
He compared the situation with the dispute between the US Government and Apple over the FBI’s attempts to force Apple to break the encryption of the iPhone used by the San Bernardino terrorist in 2015.
By contrast, the Chinese government would have a much easier time getting decryption help from Chinese drone manufacturer DJI, he said.
DJI says drones are for ‘peaceful purposes’
A DJI spokesperson told SBS World News it made “civilian drones for peaceful purposes” that were not designed for military use.
But the spokesperson said the company was “happy to hear” the drones were back in operation at the ADF.
Asked about a potential backdoor in the software, the spokesperson said images were only stored on the drone’s SD card unless the user chose to upload them to the ‘SkyPixel community’ or social media.
“Despite what country we operate in, user information may only be disclosed when required to do so by law, in response to a court order, judicial or other government subpoena, warrant or request, or to otherwise cooperate with law enforcement agencies,” the spokesperson said.
The company said its ‘DJI Bug Bounty’ program encouraged third-party experts and researchers to help find and patch security flaws in DJI products.
Company invites ADF to contact company over ‘concerns’
DJI has repeatedly denied allegations it provides information to the Chinese government.
The drone-maker said it was happy to talk to the ADF over its concerns.
“DJI stands ready to support the ADF’s assessment and welcomes the ADF to contact us directly if they have any inquiries into our technology,” a company spokesman told The Australian.
A US Pentagon memo on August 2 directed the US Army to “halt use of all DJI products” and “uninstall all DJI applications”.
It referred to a classified US Army report titled “DJI UAS Technology Threat and User Vulnerabilities”.
Mr Odouard said DJI employees who insisted there was no backdoor could be acting in “good faith”, and that many in the company would be unaware if such a backdoor existed.
“They basically say ‘there’s no risk, there’s no risk’ but they probably don’t even know what the risk might be,” he said.