China has enacted laws that provide Beijing with legal grounds to access and control data stored in China. The FBI and CISA fear drone-makers could collect details on critical US infrastructure.
The joint advisory from two US agencies warns of a change in China’s legislation that requires companies to send data to Beijing.
That could mean that data collected by China-made drones is easily accessed and analyzed by authorities in China. Moreover, Beijing requires local companies to share any software vulnerabilities they find anywhere globally, not only in China.
“The use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities, jeopardizing US national security, economic security, and public health and safety,” reads the joint advisory.
American authorities point out that unmanned aircraft systems (UAS) are information and communications technology (ICT) devices capable of receiving and transmitting data, which means they can be used to collect data.
“UAS devices controlled by smartphones and other internet-connected devices provide a path for UAS data egress and storage, allowing for intelligence gathering on US critical infrastructure,” the advisory said.
Another potential risk lies with patching and firmware updates. Updates to drone software or software used to monitor them via smartphones could introduce “unknown data collection and transmission capabilities without the user’s awareness.”
Since drones collect and transmit a broad range of data, including sensitive imagery, surveying data, and facility layouts, foreign adversaries could access information they previously could not.
“Acquisition of such data or network access has the potential to advance the PRC’s strategic objectives and negatively affect US economic and national security,” the advisory said.
The FBI and CISA guidance offers users several recommendations to secure drones from outside snooping, such as using standalone terminals to download firmware and updates, and employing secure-by-design policies.