Left: An ISIS drone with RPG-7 warhead seen at the top left
The U.S. Army has shut down drones made in China and used by the Pentagon. What took them so long?
As we now have it, the U.S. Army has issued a Memorandum For Record of August 2nd essentially ordering the discontinuation of the use of DJI (Dajiang Innovation Products) drones. DJI is a Chinese company; its products are commercial UAVs. The Army, Navy, other services, and other government agencies use these products extensively.
The Army’s Memorandum directed the Army to cease all use of DJI items, uninstall all DJI applications and software from Army computers, remove all batteries and storage media from DJI equipment and secure the equipment awaiting further directions from the Army.
The Army Memorandum looks legitimate and, although the Army’s action came as something of a surprise, no one has said that the Memorandum was not the real thing. The Memorandum itself references two papers, one by the Army and the other by the Navy. Both are classified. The Army paper is “DJI UAS Technology Threat and User Vulnerability” of 25 May, prepared by the Army Research Laboratory; the Navy paper is “Operational Risks with Regards to DJI Family of Products,” dated 24 May. No Navy office is referenced for the Navy paper, which is in the form of a Memorandum.
The Army’s Memorandum of August 2nd appears to have caught DJI completely by surprise. DJI has responded by proposing it work with the Defense Department to sort out whatever problems there may be with its products. DJI commercial UAVs are the market leader for small quadcopter UAVs. These UAVs typically carry high-resolution video cameras but can also carry other sensors or even weapons. DJI features two models that are popular worldwide: these are the DJI Phantom (the top of the line version costs around $1,500) and the DJI Mavic (top of the line sells for around $1,295). These and other DJI models can be easily bought online at various outlets including Amazon and eBay in the United States and elsewhere globally.
Other foreign military units use the DJI quadcopter, even Israel's, and that even though the data links for the quadcopter are not encrypted and the DJI quadcopter is hackable.
The Phantom model is the top model used by ISIS. Either ISIS flies it with a camera, or they modify the drone to carry a grenade or other explosive. Some coalition troops have been killed including two Kurdish fighters in Iraq back in October in what might have been a booby-trapped quadcopter. Similar drones were repeatedly used in Mosul against coalition troops but fitted with PG-7 HEAT warheads that are used on RPG-7 rockets. On one day in Mosul alone there were some ten explosions, and quadcopter drones were in the air virtually every day during the fighting. Hezbollah also used these modified quadcopters in Aleppo, and the Syrian Army encountered them at Deir ez Zour.
The Phantom model and others have been hacked, and modifications to their software have been offered for sale on the Internet. This is important because DJI controls its products, requiring them to be authorized, and in some places geofences out certain locations (such as airports), preventing the drones from flying over them. On the other hand, one of DJI’s drones crash landed on the White House lawn. The area around the White House is placarded by the FAA, meaning that no aircraft can fly over the area. Even so, an allegedly drunk U.S. government employee was operating the Phantom quadcopter at around 3 AM when he lost control of it. It seemed to get around the geofencing, probably meaning that the Phantom quadcopter had its software modified. A Russian company sells modification software that can remove geofencing from the Phantom. DJI claimed its software had not been modified to take into account the White House. “DJI said it would publish a firmware update in the ‘coming days’ that would prevent its kit flying inside Washington DC’s restricted airspace,” but of course such fixes don’t mean much if the software is easily modified. No charges were filed against the perpetrator.
There are two sound reasons why the U.S. Army would be concerned and ban the use of such drones. The first is that the drones are easily hacked and the software modified. On any battlefield that could mean that the Army could not tell the difference between one of its drones and one sent by the enemy. Consider the possibility that U.S. or friendly forces launch a reconnaissance drone and, when it is expected to return, what shows up is an ISIS drone with a live grenade or warhead on it. Since ISIS could have intercepted all the commands controlling the friendly drone, what comes back may, in fact, be the one with the bomb. For sure it is no longer pie in the sky that our drones can be hacked. The U.S. suffered a major loss when the Iranians got control of the super sensitive RQ-170. The same thing happened to the Israelis when their drones were hacked by terrorists. In both cases the control systems for these drones were not encrypted, meaning that any enemy could gain control over them.
Along with the threat outside the United States, there is a looming drone threat in the United States, since there is nothing to stand in the way of purchasing quadcopters and other commercial drones, and they are easily modified to carry explosives and to either crash with the explosives attached or release the explosives over a target.
It is not just our problem. Two years ago a Phantom II drone landed on the roof of Japan’s Prime Minister, and it carried radioactive sand, probably cesium. The perpetrator was Yasuo Yamamoto who in 2015 was forty years old and an opponent of restarting Japan’s nuclear reactors. While the amount of radioactivity in the drone-delivered sand was of no particular consequence, Yamamoto demonstrated how a drone could be used to threaten a Prime Minister.
Finally, in the Ukraine, a drone struck an ammunition stockpile on March 23rd, 2017. The drone had on board a one pound thermite grenade known as type ZMG-1. It hit a munitions stockpile in the Eastern Ukraine at Balakleya, killing one, wounding another five and causing $1 billion in damages.
The second reason the Army acted has to do with the origin of the Army’s drones, which is China. The Chinese company operates a large database where it authorizes the use of its drones and where it sends out geofencing information. While it is not certain, it is more or less likely that the Chinese company has flight information on all its drones. That would mean that they would have in their database vitally important military information that could be passed on to our enemies even if the company itself would never do anything of the sort. That’s because its computers, sitting in China and elsewhere around the world, are ideal hacking targets.
On top of the threat of data being stolen that tracks UAVs, there is little doubt that the operating system of these drones and their command and control system have been knocked off by commercial rivals, whether through theft, reverse engineering or by figuring out how the system works. There would be no Russian company selling modifications to turn off geofencing unless they were able to understand the software and control system.
This raises a profound question: why would the U.S. Army, the U.S. Navy and other military departments and other agencies (including the Energy Department that has responsibility for nuclear power plants and nuclear weapons) be using Chinese drones? The short answer is that these drones are cheap and available. The real answer is we do not have any security whatever for sensitive products of this kind. Drones are not regulated; they can fly just about anywhere. You can buy them anywhere. Terrorists can get them without even trying.
For a long while, the Pentagon has been a big consumer of Chinese-made products, even if they are sold under U.S. labels. It is a nutty thing (to say the least) to use computers, routers, security cameras and other electronics made in China for national security tasks. The latest drone debacle is just another example of this foolishness and lack of responsibility in our government.
*This commentary has been posted on Bryen’s Blog, on August 7, 2017