The Department of Homeland Security is warning U.S. firms that drones made in China may be spying on them and sending sensitive data to the Chinese government.
Are drones China’s latest weapon in its cyberwar against the United States? The Department of Homeland Security (DHS) thinks they might be and are warning U.S.-based organizations not to use them.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) issued an alert recently raising “serious concerns” that unmanned aerial vehicles (UAVs) manufactured in China are sending sensitive data back to the Chinese government, according to a report from CNN, which claims to have seen the document.
The alert warns that unmanned aerial vehicles (UAVs) made in China are a “potential risk to an organization’s information” because they include “components that can compromise your data and share your information on a server accessed beyond the company itself,” according to CNN. It is just the latest warning from DHS about the cyber security risks posed by UAVs from China.
“This risk is real,” said Dan Tuchler, CMO of security firm SecurityFirst, especially given the range of information a drone can collect and then pass on using its internal chip and communications.
“A drone can export video, tagged with position data, to gather intelligence,” he told Security Ledger. “More significantly, a WiFi-equipped drone could be used as a flying hotspot, getting close enough to intercept unprotected WiFi data. Like a hacker in a coffee shop, it could attempt to intercept and relay back sensitive data.”
In this way a drone could even be used for cyber-espionage to help China plan future cyberattacks on the United States, Tuchler said.
“How much government data is being carried by WiFi without the required security in place?” he said. “Could a drone fly close to a power grid or a dam and collect information whose security has been overlooked? That would carry great risk of a cyberattack on U.S. infrastructure.”
Caution advised with popular UAVs
Organizations should “be cautious when purchasing” drones from China, DHS advised. If they do have and use such devices, organizations should turn off the device’s Internet connection and remove secure digital cards, according to CNN.
CISA also cautioned users to “understand how to properly operate and limit your device’s access to networks” to avoid what they deemed as “theft of information,” presumably meaning that China could potentially use drones to access networks and steal data, according to CNN.
“Organizations that conduct operations impacting national security or the Nation’s critical functions must remain especially vigilant as they may be at greater risk of espionage and theft of proprietary information,” the alert stated, according to the CNN report.
While Security Ledger has not seen the alert, the DHS confirmed its existence but said it was meant for official use only.
“CISA recently released an industry alert providing organizations with information related to the inherit risks associated with using UAV technology manufactured in China and measures to reduce such risk,” a spokesperson said in an e-mailed statement.
Though no specific Chinese drone manufacturers are mentioned in the report, almost 80 percent of the drones in the United States and Canada are manufactured by Shenzhen, China-based DJI.
This is not the first time DJI aroused the suspicions of the U.S. government for its close ties to the Chinese state. Drones manufactured by the company already were banned by the U.S. Army in 2017, due to concerns that DJI shares critical infrastructure and law-enforcement data with the Chinese government. Among the other allegations DHS has made in the past are that DJI data is being used to help domestic, Chinese firms in areas like agriculture.
Escalation of current tensions
The warning could serve to exacerbate further the current trade war between the United States and China. That fire already was fueled last week when President Donald Trump signed an executive order to prohibit U.S. firms from using telecommunications equipment made by the Chinese company Huawei. Google subsequently pulled the mobile phone giant’s license for the Android OS and major mobile network carriers began dropping Huawei devices from their smartphone product lines.
Indeed, the U.S. has been wary of telecommunications and other technology made in China for some time. In addition to the DJI ban, about a year ago, the U.S. military also banned the sale of Chinese smartphones from Huawei and ZTE on military base exchanges worldwide due to concerns that China would use them to collect data for cyber espionage.
A government report released last year also raised concerns about China’s cybersecurity threat to the U.S. government supply chain through partnerships between Chinese state-own enterprises and key technology suppliers to government agencies, including companies like Microsoft and VMWare.
Indeed, U.S. government fears that China is using its technology to record information critical to its cyber-offensive activities are certainly not unwarranted. U.S. officials have been tracking how China is using new technologies such as the Internet of Things (IoT) and UAVs as tools in its current information war with the United States.
A report from Washington DC “think tank” The Center for Strategic and International Studies suggested that China’s domination of the drone market is intrinsically tied to its modern warfare interests in a recent report, “Is China at the forefront of drone technology?“
“As its military modernization has progressed and its position as a global arms exporter has expanded, China has carefully factored unmanned systems into its strategic planning,” analysts wrote in the report.
They also cited China’s 2015 Defense White Paper, in which government officials observed that “military affairs [are] proceeding to a new stage” and that “[l]ong-range, precise, smart, stealthy and unmanned weapons and equipment are becoming increasingly sophisticated.”
“President Xi further remarked in March 2016 that ‘UAVs are important operational forces for the modern battlefield,'” researchers noted.
A separate report by the U.S.-China Economic and Security Review Commission also predicted that China will use new connected technologies that are part of the IoT–which include drones due to their connectivity aspect–as a major front in its cyber war with the United States.
China has done substantial research into the security vulnerabilities of the IoT in the last seven years–and then hid that knowledge–not only for its own technology interest, but also as a way to conduct cyber-espionage and exploit other nations’ IoT systems, researchers concluded in the report, “China’s Internet of Things.”