DJI – Insights Blog

This is What 300,000 Hours of Work on Data Security Looks Like

Written by DJI Enterprise | October 13, 2021

Whatever reason you use your drone — from surveying to search and rescue, to filmmaking or farming — keeping your data secure is important. You want the autonomy to control who does and, perhaps more importantly, who doesn’t have access to your account information, survey data, or photos and videos. At DJI, we understand the importance of privacy. While we’ve always been at the forefront of drone data security, we’ve worked hard to get even better — and the results speak for themselves. 

We work on providing tools that help people see from new perspectives and increase efficiency in their work. We want to save you time and money, no matter what application you’re using our products for. The data you create and store on our products just isn’t any of our business. 

DJI designs and builds our hardware and software so you never have to share your data — not with us, and not with anyone else. We’re not a data company — we just make drones. And with the M300 V3 firmware update, we have made features enjoyed by our government users more easily accessible than ever before on our flagship commercial drone. From Local Data Mode to U.S.-based cloud storage and up-to-date encryption, the M300 is now even more data privacy-focused.

Bolstering cybersecurity for 15 years

Over the last 15 years, DJI has continually improved our data security protections to reflect the increasingly important tasks that our customers tackle with our products. From our earliest days building systems for tinkerers and hobbyists, DJI has bolstered our systems with robust encryption, data controls, and privacy settings to meet the expectations of our most demanding customers. Now, with M300 V3, we have completely redesigned our security framework with privacy at the forefront.

As a technology company with a global clientele, DJI understands that our data security will come under scrutiny from our users and others. That’s why we’re pleased to see so many independent evaluations from U.S. government agencies, as well as respected private cybersecurity firms, that have validated the security protections in our drones, payloads, software and apps. These repeated validations have disproven the unfounded claims about some of our systems, and show that our customers have control over the flight logs, photos and videos they generate with our products.

In 2020, two major independent audits validated the security of DJI’s drone platforms. One study from the global consulting firm Booz Allen Hamilton found no evidence of data transmission connections with DJI or any other unexpected party. The report also found no evidence of security leaks. Later that year, FTI Consulting analyzed DJI hardware and software, including a source code review of DJI applications and a hardware cybersecurity review of devices. The FTI audit found that when Local Data Mode was enabled, no data generated by the drone or application was sent externally to infrastructure operated by any third party, including DJI, validating DJI’s assertions about the utility and function of the feature. FTI’s assessment also confirmed that DJI employs various security best practices.

These reports followed earlier successful reviews of the security features on DJI products which we have discussed before.

In addition to helping prove our data security bona fides, years of independent review have helped DJI to correct problems where they existed and find areas for improvement. For example, Booz Allen Hamilton’s review found that an older form of encryption used in some drones made local radio signals susceptible to interception. While the drone still met the Department of Defense’s standards, our team went ahead and made adjustments on all new and future enterprise products. The result of all of this hard work comes to you in the form of the newest version of the M300.

Continuing the commitment to data security

While DJI products have always been secure, we never stop strengthening our protocols. The updated M300 takes security features that were previously only available in DJI’s high-security Government Edition drones and makes them accessible to the public. Now you can enjoy the same kind of drone data security setup that just passed multiple rounds of independent testing.

Key features of the M300 V3 firmware update

This firmware version addresses data security concerns at every step, from capture to storage to deletion. It provides options for you to choose enhanced data security options for sensitive missions, or to allow some beneficial connections on missions with no security restrictions. For example, the V3 update allows you to fly the M300 without logging into your DJI account. You can also update firmware for the M300 drone, remote control and payload with a microSD card, so you can stay offline during updates. The M300 V3 firmware lets you choose to opt out of all anonymized performance data collection, or to opt in only partially to help improve future products. Other network security modes and 256-bit encryption mean you can feel safe knowing that all of your personal data and imagery will only be viewed by those you choose to transmit it to. 

Local Data Mode

The M300 V3 update offers DJI’s rigorously tested Local Data Mode, an easy-to-use option that disconnects your equipment from the internet entirely, ensuring that data stays exactly where it started. If your organization chooses to use cloud-based data storage, the M300 V3 update allows encrypted flight log storage on a U.S-based AWS Server. (Organizations with higher-level security needs can continue to use a private cloud option to keep their data completely separate from DJI infrastructure.) To learn more about Local Data Mode, click here

SD card AES encryption

Our emphasis on data security goes beyond the cloud. When you store your photos, videos and flight logs on a microSD card, the M300 V3 firmware update ensures each card is protected by a security code as well as AES encryption. 

Clear All Device Data

Once your data is securely transferred from the drone to your preferred storage method, the update makes it possible to delete internal logs of your activity from the drone, the remote controller and even the H20 payload, as well as to completely revert your drone back to factory settings. If you have hosted your company’s data on DJI servers in the past, we will delete it upon request at any time. Each step in the process is designed to give you the most autonomy possible over your data.

300,000 hours of work spent on data security

Where did we get this number, three hundred thousand hours? For over 5 years we've had a team of 30 devoted entirely to work on the privacy and data security features of our products, across our apps, our servers, our chipsets, and firmware. With 30 people working for 5 years, assuming a year has ~250 work days, and one work day is 9-6, 300,000 hours is a conservative estimate. 

Overall, whether you’re flying the M300 or another of our drones, it’s important to know:

  • Your location data is never collected
  • You can choose not to sync your flight logs, photos, or videos with DJI services
  • Drone GPS log data is never collected
  • DJI does not collect mobile data
  • User experience information can be kept private by simply opting out of data collection

The M300 V3 Firmware update is our strongest effort yet to offer the most transparency and flexibility possible to our users. We’re always looking to improve our products and are constantly working to mitigate any security concerns and any risk to your data. 

Click here to learn more about the V3 firmware update, and here for the patch notes. 

For more information on how DJI protects privacy or to report an issue to our DJI Bug Bounty Program, go to https://enterprise.dji.com/data-security