The police are increasing drone operations with new commercially purchased devices. The capture of images of citizens by Chinese-made models challenges a senator and raises questions of cybersecurity.
Is there a cybersecurity risk in filming citizens with a commercial drone? The question arises as these devices become the new ally of law enforcement. For 2 months now, each major event now has the right to aerial surveillance. The mobilizations in June 2023 against the pension reform were no exception: in all major cities, the prefect authorized the control of the procession from the air.
Drones are multiplying in the police since a decree published on April 20, authorizing the police to use these remote-controlled vehicles in the context of various security missions. This new way of capturing data by the French police involves Chinese-made devices to film the operations. The Ministry of the Interior purchased a large part of its drones from the DJI brand, market leader in leisure and professional drones, after the adoption of the text of the law by the National Assembly in December 2022 (upstream of the April decree).
On many images spotted by Numerama, the police show off their new law enforcement tools. Most of the devices unveiled are Mavic 2 models from the DJI brand.
A letter to Gérald Darmanin in January
Can we fully trust these drones? For some elected officials, the risk is obvious. From January, Cédric Perrin, senator (LR) of the Territoire de Belfort and vice-president of the Foreign Affairs Committee, sent a letter to the Minister of the Interior Gérald Darmanin, to question him on the questions ” in terms of cybersecurity, mastery of the software and visibility on the protection of personal or confidential data, in particular when there are strong suspicions about the integrity of the company providing the drones “, can we read in the letter provided by the senator.
The elected representative of the Territory of Belfort indicates: Several cybersecurity researchers have shown that Da-Jiang Innovations (DJI) brand products have hidden functions aimed at collecting data from the mobile phone or tablet used to fly the drone. It would seem that a certain number of data inherent to the drone are sent to servers located in China, such as its position, its speed, its serial number, the position of the pilot, etc. “. He asks the ministry for a analysis of the risks involved and clarification of the precautions taken by your department “.
When we ask Cédric Perrin if he has such concerns for American products, he replies: “ The concerns are there too, but the law in the United States does not oblige large groups to integrate single-party cells into their board of directors. In fact, I ask that we take precautions with these products and that we turn to local brands “.
The Chinese government imposes many members of the single party in large companies, especially those listed on the stock exchange. This dubious mix between private and public has earned DJI banishment from the US military and many police forces in various US states.
Police drones are not modified to ensure data security
In France, the Air Force confirmed to us that DJI drones are modified so that the devices do not send any data. What about the police? Contacted by Numerama, the Paris police headquarters replied:
” The prefecture uses drones from the DJI brand, the technical leader in this market. These drones are not modified. The risk of espionage is reduced, because the devices must be connected to the internet to transmit information and we are able to control this connection. In addition, the images captured by the drone have a very local interest in the context of maintaining order and are deleted after 7 days or after 48 hours if building entrances have been filmed. “.
This statement leaves several gray areas. First of all, ” connection control is not explained and does not make it possible to understand how the forces of order would be able to block the transmission of data from the moment the device undergoes no modification.
Then, the storage conditions of the images are not specified. Deleting images after seven days does not prevent upstream capture. Recent experiments conducted by cybersecurity experts have made it possible to capture the exchanges between the operator and his device. The experiment was carried out on drones of the DJI brand. We also confronted the declaration of the prefecture with Baptiste Robert, researcher in cybersecurity and ethical hacker.
” First, a drone contains a modem, components that upload data to the company’s servers. The dangers, at a minimum, are a transfer of conventional information such as geolocation, identifiers, metadata explains the cyber expert.
” If we want to go further, we can imagine that information, tracks can be pirated. Connected objects can be hacked, even connected vacuum cleaners to know the plan of a house. Finally, the catastrophic scenario would be the capture of information for strategic purposes through a back door. It remains hypothetical “, describes Baptiste Robert.
DJI rejects all accusations around the security of its devices. The group had already published a blog post in 2021 in which it details all the technical measures taken to protect customer data. ” DJI designs and manufactures its hardware and software so you never have to share your data – with us or anyone else. We are not a data company, we just make drones can we read in the report. Simple drones that we will have to get used to now. The hum of the propellers is on track to accompany us in the years that follow.
Subscribe for free to Artificials, our AI newsletter, designed by AIs, verified by Numerama!