Drone Security White Paper

The white paper outlines key systems in our drones and the security measures DJI has implemented to bolster security, enhance privacy controls, and protect the integrity of user data. 
 
It has been updated to reflect additional security improvements and new product developments, in line with our longstanding commitment to drone safety and security.

The paper covers the following components of a DJI drone system:

1. Device security:
Employment of Trusted Execution Environment (TEE) and FIPS-certified DJI Core Crypto Engine for strong chip and hardware security

2. Application security:
Introduces DJI’s approach to securing the flight applications that operate the drones, as well as covers SDK and open source information

3. Data security & privacy controls:
Drone data shared with DJI is TLS-protected and any personal data shared by users (i.e. name or email address for account registration) is further secured with AES-256 encryption in storage. Drone data shared with DJI outside of China is housed in U.S.-based cloud servers, with the exception of Agras data which is stored in servers based in the U.S., Japan or Europe (depending on which region the customer is based in)

4. Communication security:
Lists the protocols and security considerations for device interconnection between the drone, its remote controller, cloud infrastructure and mobile device (where applicable)

5. Cloud security:
Outlines DJI’s options for storing and managing data on different types of cloud architecture

6. Security audits & certifications:
Summarizes third-party audits conducted in the U.S. and Europe, and lists key certifications including FIPS 140-2 and ISO 27001

7. Bug Bounty Program:
DJI is the first drone maker to introduce a Bug Bounty Program to encourage security researchers to contribute to our data security efforts by responsibly detecting and reporting potential vulnerabilities. The program has been running since 2017, with rewards for qualifying bugs ranging from $50 USD to $30,000 USD, based on DJI's risk assessment of the potential impact of any discovered vulnerabilities.