Two US government agencies, the Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation, warned on Wednesday that drones made in China could be used to gather information on critical infrastructure.
Those expanded legal grounds include regulations that require companies to send data to Beijing, such as China's 2017 National Intelligence Law, 2021's Data Security Law and the 2021 Cyber Vulnerability Reporting Law.
Beijing also requires orgs with presence on Chinese soil to share any system or software vulnerabilities discovered with PRC authorities.
It also gives Beijing access to IP, security controls and information that could help in the design of future cyberattacks.
CISA and the FBI point out that drones can receive and transmit data, but the avenues of potential compromise go beyond just data transfer and collection - they also include firmware updates and connected peripheral devices like docking stations.
The related CISA and FBI guidance offers many recommendations to secure drones, including considering UAS as IoT devices, using a standalone terminal for the download and security verification of firmware patches and updates, and adopting secure by design policies.
Reports of drones used for hacking appeared at Black Hat in 2016.
Modified drones have also been used in the past to intercept credentials and Wi-Fi that was later hard-coded into tools deployed to attack other devices.
The Department of Homeland Security sounded the alarm on concerns over Chinese-made drones in May of 2019, a quainter time when the government was still giving Huawei reprieves on sourcing American technology.
The US government grounded its own fleet of around 800 drones over fears of Chinese espionage back in January of 2020 while it revised its procurement laws.
Dronemakers like DJI have sworn via security audits their tech poses no risk when it comes to sending data back to China.
DJI was added to the US export control list in 2020 on grounds of national security.
In 2021, the dronemaker even received a ban on American investment, this time for its participation in repression of the Muslim Uyghur minority in Xinjiang province.
This Cyber News was published on www.theregister.com. Publication date: Sun, 21 Jan 2024 17:44:05 +0000