Security weakness found in DJI drones, according to the NY Times

This morning, the NY Times featured an article on their home page that is titled, “Popular Chinese-made drone is found to have security weakness. Of course, the article is specifically about DJI drones that are found to have data security issues.

Security weakness found in DJI drones

Les Sécurité des données concerns around DJI drones started in 2017 and over the last three years, these concerns have been expressed by various government departments and lawmakers. DJI has vigorously defended itself against these claims, however, this morning the NY Times reports on a new security weakness specifically related to the use of smartphones that run Google’s Android operating system. The concerns have been reported by two security firms and have been confirmed by the newspaper. Here are some of the highlights of the article.

In two reports, the researchers contended that an app on Google’s Android operating system that powers drones made by Chine-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft.

“Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so,” said William R. Evanina, director of the National Counterintelligence and Security Center. “All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China’s state security apparatus.”

The newfound security weakness in DJI drones has been reported by the French company Synacktiv and Washington-based GRIMM.

DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.

“The phone has access to everything the drone is doing, but the information we are talking about is phone information,” said Tiphaine Romand-Latapie, a Synacktiv engineer. “We don’t see why DJI would need that data.”

Synacktiv did not find the same vulnerability in the drone maker’s iPhone application.

According to DJI, it is necessary for the drone maker to be able to update the app to prevent pilotes de drones from ‘hacking’ their DJI drones. Brendan Schulman, DJI’s Vice President of Policy and Juridique Affairs said in a statement:

“This safety feature in the Android version of one of our recreational flight control apps blocks anyone from trying to use a hacked version to override our safety features, such as altitude limits and geofencing. If a hacked version is detected, users are prompted to download the official version from our website.”

Schulman added that this feature was not present in the software version that is used by governments and enterprise companies.

… even when the app appears to be closed, it awaits instructions from afar, they [the researchers] found.

For instance, DJI’s direct link to the Android app was most likely designed as a workaround for Chinese policies that block Google in China, forcing companies to send Android app updates themselves.

The security researchers from French Synacktiv, a company that has also worked for DJI’s competitors (Perroquet?) points out that there’s a worrying pattern to DJI software updates. The company said:

…the pattern of problems in DJI’s code and its quickly implemented fixes, which suggested that the company was already aware of some of the problems but had not fixed them, were also reason for concern.

The research company does not say that DJI is implementing ‘malicious uploads’ but it points out that DJI could be using the app for that purpose.

DroneXL’s take

The security concerns around DJI drones do not seem to go away. You can argue about whether these concerns, including this latest ‘security weakness’, are valid or if they are politically driven. However, but the fact that they keep reappearing in the news, and this time on the front page of a major newspaper is not a good thing for DJI and even the Industrie des drones as a whole. Already parts of the Gouvernement des États-Unis, such as the Department of the Interior have stopped using DJI drone altogether. My concern is that a next step might include a complete Federal ban on the use of Chinese-made drones, including DJI drones, and prohibiting the use of Federal funds to purchase Chinese-made drones. This would prevent many Premiers intervenants from using Federal grant money to purchase DJI drones. All in all a worrying situation, that DJI has not sufficiently addressed in my opinion. A worst-case scenario would be for the Trump administration to issue a flat out ban on Chinese-made drones, including DJI drones. We will watch this space closely.

Let us know what you think about the security concerns, and this security weakness in particular, around DJI drones in the comments below.

Restez en contact !

If you’d like to stay up to date with all the latest drone news, scoops, rumors, and reviews, then follow us on Twitter, Facebook, YouTube, Instagram or…

S'abonner à notre bulletin d'information quotidien sur les drones.*

Soumettre des conseils Si vous avez des informations ou des conseils que vous souhaitez partager avec nous, n'hésitez pas à nous les communiquer. ici. Soutenez DroneXL.co : Vous pouvez soutenir DroneXL.co en utilisant ces liens lors de votre prochain achat de drone : Adorama, Amazon, B&H, BestBuy, eBay, DJI, Perroquetet Yuneec. Nous percevons une petite commission lorsque vous le faites, sans frais supplémentaires pour vous. Merci d'aider DroneXL à se développer ! FTC : DroneXL.co utilise des liens d'affiliation qui génèrent des revenus.

* Nous ne vendons pas, ne partageons pas, ne louons pas et ne spammons pas votre email, jamais. Nos courriels sont envoyés en semaine vers 17 h 30.

Photo: Moment