Eyes in the Sky: Chinese-Manufactured Drones and the Risks to National Security

The Challenge of Chinese-Origin Drones

The Chinese firm DJI commands a significant share of the civilian UAV market worldwide. Its products are widely used for inspection of pipelines, powerlines, rail and even security tasks. Yet the use of Chinese-manufactured drones at critical UK infrastructure sites has triggered alarm. For example, UK officials report that Chinese-made drones are being used to survey sensitive locations, raising questions about data flows and national sovereignty.

From a national-security perspective, the concern is that drone telemetry, imagery or metadata could be exfiltrated—or that firmware or comms modules could provide covert intelligence pathways.

Data Security & Legal Back-Doors

China’s national laws include obligations for companies to assist state intelligence and to hand over data on request. Many analysts therefore highlight that any hardware or software supply chain that flows through China may inherit that risk.

In one well-cited case, cybersecurity researchers found that the DJI GO 4 Android app contained auto-update features, deep permissions (IMSI, IMEI, SIM serial number) and mechanisms similar to malware command-and-control.

Moreover, independent reports assert that drones made by DJI can upload imagery, video, telemetry and flight-logs to servers potentially accessible to Chinese jurisdiction. For instance, one study argued:

“Even without user consent, the DJI Mimo app sends sensitive information via unsecured means to servers behind the Great Firewall of China.”

Supply Chain Risk & Mission Impact

From the perspective of an aerospace / defence integrator (such as AIC’s organisation), the supply-chain risk is not just about the drone hardware itself, but the embedded electronics, sensors, firmware, connectivity modules and cloud integrations. A drone used to inspect a power plant may record high-resolution visual/thermal imagery, GPS tracks, access logs, and transmit that to remote storage. If that data or connectivity route is compromised, then what appears to be “maintenance data” becomes actionable intelligence.

When the manufacturer is in a jurisdiction that can compel state access to data, the risk is magnified.

Mitigations & Best Practices

• Procurement due diligence: For any drone system you deploy, insist on full supply-chain visibility, firmware version assurance, connectivity module origin and clear data-flow statements.

• Local Data Mode / air-gapping: Many drone apps (including DJI) offer a “Local Data Mode” which disables cloud uploads and forces the pilot to store logs locally.

• Segmenting network access: Drones should be treated as networked sensors; connect them to isolated networks, not general-purpose LANs or Internet-facing infrastructure.

• Firmware & software audits: Review firmware update mechanisms, auto-update features, verify that no unencrypted telemetry or back-door path remains.

• Cloud audit & data-flow control: Know where your flight-logs, imagery and telemetry are stored, who has access, whether they cross foreign borders and whether control lies with you or the vendor.

Conclusion

In the domain of defence, intelligence and critical infrastructure, a drone is not just a flying camera — it is a node in a data-collection, transmission and storage ecosystem. When that ecosystem links back to a foreign adversary state, the risk is strategic. For organisations like yours, specialising in aerospace, cyber and intelligence, integrating drone systems demands far more than flight-planning—it demands full lifecycle data-security assurance.