Police drone data risks ending up on servers Chinese government can access - reports

By Phil Pennington, RNZ, Thu 13 May 2021

Police drones are at risk of the data they gather ending up in cloud servers the Chinese government can access, but this can be managed, and the benefits outweigh the risks.

That is the conclusion in reports on police trials of drones released under the Official Information Act (OIA).

"An internet-connected [drone] could send data to a server located in China, and firmware updates could compromise the integrity of the [drone] and any police systems to which it is connected," said the main 96-page report on the trial.

An internet-connected drone of the type police use would, by default, store information on a server hosted by Chinese web giant Alibaba, the consultant who advised police, Dr Andrew Shelley, told RNZ.

Read Security Concerns with DJI Products by Andrew Shelley (PDF, 198KB)

  • Police triple their fleet of Chinese-made drones from 26 to 72
  • Buy a couple of much more expensive - and much more data-secure - drones approved by the US military
  • Consider putting a small, cheap drone "in every [patrol] car"

A West Coast policeman with a drone in his car took high-resolution photos of a big slip on a state highway in major floods in late 2019.

Getting a handle on emergencies like this, and on crime scenes and road crashes, are among the drone pluses the reports outline.

A significant hurdle is that there are a "wide range of circumstances" where police could be guilty of "trespass surveillance" in the air above private property (although fewer than one in 10 flights in the six-month trial in 2019-20 was for surveillance, and this was targeted, not general surveillance).

The main report also highlighted the hotchpotch nature of police digital systems, which it said must improve to store drone data that might be used in court.

How police drones were used in the 2019-20 trial. Graphic: Screenshot / Police Proof of Concept report

'Obvious risks'

The police districts already had a small fleet of drones before the alarm went up in the US in 2017 about a technical backdoor that might allow Da-Jiang Innovations (DJI) drone data to be hijacked.

After that the Australian and New Zealand militaries, which also use DJI drones, forbade connecting their drones to the internet or their own networks.

But police were not aware of this.

They had already approved the trial, when drone expert Dr Andrew Shelley told them by email in August 2019 there were "obvious risks".

It "arguably could be the case" the Chinese government could access the drone data, he told RNZ.

"It's hard to tell whether this is intentional, or whether it's just an unintentional by-product of how the software has been developed."

Police pilots had been loading apps to help fly the drones on their personal devices because the apps were not allowed on police devices.

"So it might be appropriate to provide stand-alone police devices specifically for using these apps," Shelley told police.

Overseas, security sleuths had found backdoor access to unencrypted flight logs, photos and live video, and user profile information including drivers licenses and passports, the reports say.

They found when DJI's GO 4 application was launched, a file was sent from the user's phone to an Alibaba server.

DJI rejected the criticisms and patched problems.

Shelley recommended police at the very least only use drones with one of these patches - Local Data Mode. But he warned in an August 2019 report that even then "there is some risk that a future firmware update could re-enable data sharing".

It had to be assumed "the craft are not secure if connected to the internet"; not being connected at all was "foolproof", Shelley said.

Police were not naive, and took notice of his warnings, he said.

Limits - but useful

Police say they do not connect the drones, even though this limits how useful they can be.

Limited, too, for surveillance: Police have some leeway under the Civil Aviation Authority rule 102 but flights would still need a warrant to observe private activity on private premises, the reports say.

A graph showing the numbers of flights in the 2019-20 trial. Graphic: Screenshot / Police Proof of Concept report

So-called "trespass surveillance" by drone was only allowed when investigating serious offences or some arms or drug offences.

A fifth of the 120 flights during the trial needed a warrant. It appeared warrant requirements "are being considered".

Despite the limitations, the main report said it was worth the time and money for each of the 12 districts to get hold of six DJI drones.

They should use $3500 Mavic 2 Enterprise drones that have better security (and can track a target automatically) [rather] than $900 Mavic Minis, it said.

Small micro-drones could be deployed by Armed Offenders Squads, and police should consider buying one or two much more expensive - and secure - Aeryon SkyRangers or fixed-wing Aerovironment Pumas. The Defence Force has several SkyRangers.

These did not connect to the Internet at all, Shelley said.

"If the risks are controlled, certainly those benefits outweigh the risks."

 

This story was originally published on RNZ.co.nz and is republished with permission.
