DJI Drone Security White Paper

2025-06-13 DJI 顾***

Version 3.1

DJI

DJI is a global technology company known as the world’s leading civilian drone manufacturer. We began operations in 2006 as a resource for remote controlled model aircraft hobbyists and pioneered the widespread adoption of ready-to-fly recreational drones. Today our solutions serve professionals, enterprises, and government agencies around the world.

DJI’s innovative technology has become the preferred platform in a wide range of industries, including agriculture, construction, energy, media, and public safety. DJI’s open architecture has created a marketplace for third parties to provide additional hardware payloads, software systems, and mobile apps, which enable the world’s innovators to develop solutions for a variety of pursuits.

DJI Drone Security White Paper

This paper outlines key systems in our drones and the security measures DJI has implemented to bolster security, enhance privacy controls, and protect the integrity of user data. It has been updated to reflect additional security improvements and new product developments, in line with our longstanding commitment to drone safety and security.

CONTENTS

INTRODUCTION
DJI DRONES: CLASS LEADING PROTECTION
DEVICE SECURITY
CHIPS AND HARDWARE SECURITY
  • TRUSTED EXECUTION ENVIRONMENT (TEE)
  • RPMB-BASED SECURE STORAGE
FIRMWARE SECURITY
  • SECURE BOOT
  • SECURE UPDATE
  • SYSTEM SECURITY HARDENING
  • LOG SECURITY
  • MEDIA DATA ENCRYPTION
  • RESET ALL
APPLICATION SECURITY
APPLICATION HARDENING
DJI SDK SECURITY
TYPES OF DRONE DATA
DATA WALKTHROUGH & USER PRIVACY CONTROLS
COMMUNICATION SECURITY
CLOUD SECURITY
USER ACCOUNT SECURITY
SERVER SECURITY
CLOUD SERVICES AND DATA SECURITY
GEOFENCE SECURITY PROGRAM
FLIGHT RESTRICTION SYSTEM PROTECTION
UNLOCKING SYSTEM PROTECTION
SECURITY AUDITS & CERTIFICATIONS
DJI BUG BOUNTY PROGRAM
GLOSSARY

INTRODUCTION

DJI technologies enabled the widespread adoption of ready-to-fly recreational drones, which today serve professionals, enterprises, and government agencies around the world. People choose DJI because our drones have an unparalleled mix of ease-of-use, reliability, and accessibility – and we have demonstrated a commitment to safety and security long before rules or regulations required us to do so.

Our approach to drone and data security is guided by the following core principles:

Transparency & Education

We remain open and transparent about our security and data practices and will continue to make it easier for our users to understand our data management and system security protocols through informational materials such as this security white paper, the DJI Trust Center and ongoing dialogue with our partners and dealers.

Give Users Control

We believe that users should have control over their data, and as such continue to expand the privacy controls built into our drones.

• No flight logs, images or videos are synced with DJI servers unless the user chooses to do so. As of June 2024, consumer and enterprise drone operators in the United States no longer have the option to sync their flight records to DJI’s servers.
• Consumer drone users can easily manage their privacy preferences via their flight app’s settings, and they can activate “Local Data Mode” to sever the connection between their flight app and the internet (akin to flying offline). In doing so, the app will close all data services and prevent sharing of data, even inadvertently.
• Enterprise drone operators have additional security modes and controls including the ability to add a non-decryptable security code, wipe data in an instant, fly and update their drone completely offline or choose to use a third-party software alternative. [See Chapter: Data Security & Privacy Controls]

We will soon also expand privacy controls within our enterprise software, DJI FlightHub 2. The On-Premises version will offer enterprise operators a private cloud solution for self-managed data control, allowing independent deployment within their own networks while preserving all core functionalities.

Independent Validation

We perform third-party audits regularly to validate our drone security and data privacy practices. Since 2017, international cybersecurity firms and experts, including Booz Allen Hamilton, FTI Consulting, KIVU, and more, have conducted thorough independent assessments of our products procured off-the-shelf.

Since the last edition of this white paper, DJI has undergone two additional notable assessments: a 2024 security audit conducted by FTI Consulting and an ISO 27701 certification for DJI FlightHub 2 in 2025. The findings consistently validate our alignment with industry best practices and ability to effectively protect user data. [See Chapter: Security Audits & Certifications]

Community Collaboration

We engage with experts, enthusiasts, and other members of the drone community to hear their suggestions on how to further strengthen our systems. We were the first drone maker to introduce a Bug Bounty Program in 2017 and the program continues to encourage security researchers to responsibly detect and report potential v