This morning, the NY Times featured an article on its home page titled “Popular Chinese-made drone is found to have security weakness.” The article is specifically about DJI drones that are found to have data security issues.
Security weakness found in DJI drones
The data security concerns around DJI drones started in 2017, and over the last three years these concerns have been expressed by various government departments and lawmakers. DJI has vigorously defended itself against these claims. However, this morning the NY Times reports on a new security weakness specifically related to the use of smartphones that run Google’s Android operating system. The concerns have been reported by two security firms and have been confirmed by the newspaper. Here are some of the highlights of the article.
In two reports, the researchers contended that an app on Google’s Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft.
“Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so,” said William R. Evanina, director of the National Counterintelligence and Security Center. “All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China’s state security apparatus.”
The newfound security weakness in DJI drones has been reported by the French company Synacktiv and Washington-based GRIMM.
DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.
“The phone has access to everything the drone is doing, but the information we are talking about is phone information,” said Tiphaine Romand-Latapie, a Synacktiv engineer. “We don’t see why DJI would need that data.”
Synacktiv did not find the same vulnerability in the drone maker’s iPhone application.
According to DJI, it is necessary for the drone maker to be able to update the app to prevent drone pilots from ‘hacking’ their DJI drones. Brendan Schulman, DJI’s Vice President of Policy and Legal Affairs, said in a statement:
“This safety feature in the Android version of one of our recreational flight control apps blocks anyone from trying to use a hacked version to override our safety features, such as altitude limits and geofencing. If a hacked version is detected, users are prompted to download the official version from our website.”
Schulman added that this feature was not present in the software version that is used by governments and enterprise companies.
… even when the app appears to be closed, it awaits instructions from afar, they [the researchers] found.
For instance, DJI’s direct link to the Android app was most likely designed as a workaround for Chinese policies that block Google in China, forcing companies to send Android app updates themselves.
The security researchers from the French firm Synacktiv, a company that has also worked for DJI’s competitors (Parrot?), point out that there’s a worrying pattern to DJI software updates. The company said:
…the pattern of problems in DJI’s code and its quickly implemented fixes, which suggested that the company was already aware of some of the problems but had not fixed them, were also reason for concern.
The research company does not say that DJI is implementing ‘malicious uploads’ but it points out that DJI could be using the app for that purpose.
The security concerns around DJI drones do not seem to go away. You can argue about whether these concerns, including this latest ‘security weakness’, are valid or if they are politically driven. However, the fact that they keep reappearing in the news, and this time on the front page of a major newspaper, is not a good thing for DJI or even the drone industry as a whole. Already parts of the U.S. Government, such as the Department of the Interior, have stopped using DJI drones altogether. My concern is that a next step might include a complete Federal ban on the use of Chinese-made drones, including DJI drones, and prohibiting the use of Federal funds to purchase Chinese-made drones. This would prevent many First Responders from using Federal grant money to purchase DJI drones. All in all, a worrying situation that DJI has not sufficiently addressed, in my opinion. A worst-case scenario would be for the Trump administration to issue a flat-out ban on Chinese-made drones, including DJI drones. We will watch this space closely.
Let us know what you think about the security concerns, and this security weakness in particular, around DJI drones in the comments below.