US Army Shuts Down Use of Off-the-Shelf Due to Cybersecurity Concerns

FrgMstr

Mass produced consumer drones have been used by the Army for quite some time now, but that has come to a screeching halt as of two days ago. DJI drones mass produced in China, not secure? Whodathunkit?

Document here.

According to a U.S. Army memo obtained by sUAS News, the U.S. Army Research Lab and U.S. Navy have concluded that there are operational risks associated with DJI equipment, a move that was run up the flag pole last month but kept under wraps.

If you are into drones and security, this hour-long video will tell you all sorts of things about how these devices are penetrable.

Check out the video.
 
I work in this particular area and heard this about a year ago. I believe there was/is also suspicion of phantom "3rd shift" producing compromised drones without DJI knowledge (which has happened in China before...)

All I really can say about that. . . .
 
Cue a 'US' company getting an army contract... meanwhile they order all the parts from china, and put it together here.

I will have to ask some people over here about that. Although there has been a lot of scrutiny for a while over the use of "off the shelf" products in general. Mostly in the area I have been working we aren't subject to this ruling anyway.



There are some strict requirements for this, and they don't go by the company, they go by the product itself being certified. So there are companies that have some products that are certified and others that are not. Even if your product contains 100% American parts, that does not guarantee the Army or anyone in DoD will buy it.

To echo NoOther, there is quite a certification process in place. Where I work we have flight qualified equipment and some equipment not approved for certain flights or on certain platforms, etc.

The truth is that there are basically ZERO domestic drone companies (class 1 and class 2 sized at least). In this area DJI, Yuneec and Autel absolutely own the market with some estimates putting DJI at ~70% of the market. Further, many of the companies who claim they make these products in the USA are instead sourcing parts from China and then doing basically final assembly here. I've seen the PCBs with made in China all over them.

Anyways, this is more an ongoing issue as commercially available equipment prices/schedules out domestic equipment... you can see this happening in radio chipsets as well as rather than using military foundries for some MMIC designs you can see pure cost and existing R&D driving military programs to analog/qualcomm/etc. Even DARPA has gone away from doing silicon level investment mostly because the military just can't compete with commercial investment that is more focused on efficiency and miniaturization than program requirements could ever dream of being.

So yeah, commercial is driving the car and everyone is along for the ride. The problem is that without some serious backseat driving the military will find itself in a car with windows down for everyone to listen in.
 
Wonder if this memo has any relation to the proposed legislation to impose security requirements on IoT devices purchased by the government?

Of course, one would think that by now the bright bulbs in DOD would understand that most things that connect to the Internet send stuff back to the mother ship. Not like there has been a lack of reports of undeclared data transmissions from gizmos and software.
 
Cue a 'US' company getting an army contract... meanwhile they order all the parts from china, and put it together here.
Anything that has an operational risk normally the contract is stipulated that they have to source all parts from the US. If a part isn't made in the US, you have to apply for a waiver. I've never seen a case where they let you use something made from another country because it was cheaper.
 
Wonder if this memo has any relation to the proposed legislation to impose security requirements on IoT devices purchased by the government?

Of course, one would think that by now the bright bulbs in DOD would understand that most things that connect to the Internet send stuff back to the mother ship. Not like there has been a lack of reports of undeclared data transmissions from gizmos and software.


Sometimes, some half clueless Government type who sits far up your food-chain sees a news article or report and gets a wild idea that there might be some sort of related risk. Then they start asking questions, sometimes they don't even understand that their questions are phrased badly or inaccurately, but then they get answers and go running off half-cocked trying to plug the dike with their little toe.

By the time the people who actually know answers, get the right question asked, it's already been time for memos and CYA directives to be drafted and sent to prevent a problem that never existed.

For instance, I saw a mention that some of these DJI products were being used by Special Forces in combat zones. Anyone want to figure out how a drone that's operating in a combat zone, and if it's connected to a network, it's a network that has no physical connection to the internet, is going to successfully "phone home"?

It's not enough that there is no common hardware in the loop between classified and unclassified networks, nor that the classified communications links are heavily encrypted. These bureaucratic types run off drafting memos and shit while not having any clue what they are even talking about.

Now I'm not saying that there is 0 risk. What I am saying is not every whiff of smoke is a fire, and it would seem that ignorance is an epidemic with no cure because it often runs hand in hand with stupid (y)
 
....
For instance, I saw a mention that some of these DJI products were being used by Special Forces in combat zones. Anyone want to figure out how a drone that's operating in a combat zone, and if it's connected to a network, it's a network that has no physical connection to the internet, is going to successfully "phone home"?
...

Just because it is a combat zone does not mean that the 'bad guys' don't have Internet access or even an unsecured WiFi network. Wouldn't take much for one of these drones to detect the unsecured network and try to connect and phone home. Since the drone by default has to be able to decrypt some aspects of the secure military data network in order to process commands, it could serve as a router of sorts and send secure data back to mother ship. Even if the operators have turned off any 'Automatically connect' settings, we all know that many devices don't honor those settings where phoning home is involved. Especially if the manufacturer has embedded a secret low level phone home routine.
 
Vet here. The mil should do exactly what they are doing. Step back, regroup. Pick on the US Military all you want, it's your right. They/I don't want anything to do with the Trump oligarchy.
 
It's stunning that our nation's military would use items/parts/equipment partially or completely made/developed in a hostile nation - especially one that is potentially a threat like the PRC.
 
I was wondering who could afford those DJI's after the first few years of early adopters.
 
It's stunning that our nation's military would use items/parts/equipment partially or completely made/developed in a hostile nation - especially one that is potentially a threat like the PRC.

You mean like CPUs, semiconductors, things with rare earth metals, etc? Good luck making it any other way. The bigger worry lately is damn good counterfeits making it into the supply stream.. even from places like Avnet.
 
Using wireless protocols to talk to a drone in a military setting is a dumb idea anyway. Application flaws could ruin you. Could turn the intelligence gathered from your own drone against you.

RF is the way. The light. Spread spectrum frequency hopping has been around since WW2. Longer ranges with RF as well. Much longer.

To be fair technically wireless is RF ;)
 