The Security Ledger

Update: White House Drone Debacle Raises IoT Governance Questions

The Chinese maker of the Phantom “drone” said it will use a mandatory firmware update to enforce a no-fly zone over Washington D.C. But not all DJI customers are happy.

In-brief: Unmanned aerial vehicles manufactured by the Chinese firm DJI will be blocked from flying over the U.S. Capitol according to a statement by the company. The move raises important questions about the role that connected device makers will play in determining how, when and where customers use their products. (Update adds commentary from Justin Davis of Dronecamps.com – PFR Jan 29, 2015 17:30)

DJI, the Chinese maker of an unmanned aerial vehicle (UAV) “drone” that crashed on the lawn of the White House, may be winning the approval of U.S. officials with its decision to block their use within the U.S. Capitol, but not all of its customers are happy.

On Wednesday, DJI announced that it would release a “mandatory” firmware update for its Phantom drones that would use GPS coordinates to enforce a 15.5-mile no-fly zone around the U.S. Capitol, in keeping with FAA rules, a DJI spokesman told the British newspaper The Guardian. The move raises important questions about the role that connected device makers will play in determining how, when and where customers use their products.

The decision follows a high-profile incident in which a DJI Phantom drone crash-landed on the White House lawn on January 26. That incident was quickly traced back to a Federal employee who had some drinks and then took a friend’s drone for a late-night spin from an apartment near the White House.

Phantom drones are equipped with GPS, which owners can use to navigate the devices in the air. The company can use software controls built into the drone firmware to disable the devices when it detects the drone has entered a no-fly zone, such as the controlled airspace around airports, a spokesman told The Guardian.

However, that announcement doesn’t sit well with owners of DJI drones, which sell for hundreds of dollars. Some took to support forums on the company’s website to voice frustration over the company’s decision and to weigh whether there were ways to slip out of the software shackles imposed by DJI.


Support forums on DJI.com featured discussion of the planned firmware update, Version 3.10, including ways to circumvent it.

“How do they plan to stop a NON GPS flight?” wondered a user with the handle “SavannahQuad.” A user with the handle “Mad in NC” worried that expanded no-fly zones embedded in firmware could encompass his home. “According to the current ‘No Fly Zone’ which in my city is a 5 mile radius I’m good today as I am less than 1/2 mile or .8Km away from the ‘border’ today. If DJI expands beyond governmental defined and agreed areas of their own accord … myself and I assume thousands of DJI customers that no longer will have access to a device that was operational up to the new software push.”

It is unclear whether or not DJI can force Phantom owners to apply the firmware update. But Justin Davis of Dronecamps.com in Rodanthe, North Carolina, a DJI reseller, said in an interview that Phantom quadcopter customers need to connect their device to a laptop or tablet to monitor the charge on the copter’s battery. In the process, they will have the update pushed to the device.

In a video statement published on YouTube, Davis backed the company’s decision.

“It’s been common knowledge in the RC (radio controlled device) industry for a long time that you don’t fly your RC stuff in Washington D.C.,” he said. The message of the White House incident was simple: “If you’re gonna drink, don’t fly,” Davis said.

The decision by DJI accomplishes by fiat what the U.S. Government has been slow to do through policy: creating no-go zones for small, unmanned aerial vehicles.

The Federal Aviation Administration has been working on updated rules for civilian use of UAVs, but has yet to release them. In the meantime, civilian and commercial adoption of the small but powerful “drones” has exploded, leading to conflicts with authorities and public safety officials. News organizations and public interest groups have chafed at FAA guidelines that ban commercial use of drones, saying that the small flying devices, equipped with cameras, are a valuable news gathering tool. Drone video has also been used by activists to expose problems like the waste produced by industrial farming.

Davis of Dronecamps.com said that he does not know of other drone makers who have used firmware to implement no-fly zones as DJI does. But he said that he expects other vendors will soon follow suit, as more consumers begin experimenting with the radio-controlled copters. “I think you’ll see the top companies in the world that produce these copters be proactive. And I think it’s a good thing for them to be proactive,” Davis said.

Consumers might look on the quadcopters as “toys,” but Davis said that they are powerful flying and surveillance tools. As a result, it is reasonable to expect their use to be limited in and around government buildings, national landmarks, prisons and other high-security facilities.

Firmware is more often mentioned as a source of insecurity or other failings with connected devices. But it is also an avenue by which companies can gain powerful (and possibly lucrative) insights into customer behavior. The move by DJI could presage similar moves by connected device makers, which may see customers’ need for access to centralized management platforms and software updates as a way to impose restrictions that could run counter to local laws and liberties.
