DJI Pilot app shares same security flaws as DJI Go 4, says Synacktiv

About ten days ago, this story was published in the NY Times highlighting the security flaws found in the DJI Go 4 App for the Android platform by security researchers from the French company Synacktiv. Today, the company releases a new statement claiming that the DJI Pilot app for commercial and enterprise customers has the same security concerns

DJI Pilot app shares same security flaws as DJI Go 4, according to Synacktiv

Synacktiv, a French security research company that has also worked for DJI’s competitors, released a statement claiming that the DJI Pilot app for commercial and enterprise customers shares many of the same security flaws as the DJI Go 4 app. The issues are related to the apps running on Google’s Android platform, not Apple’s iOS.

Synacktiv’s initial report on the DJI Go 4 app was picked up by the NY Times and July 23, 2020. In a statement, the company says that

“We found similar issues to those listed in our previous blogpost in the application, such as a forced update mechanism.”

The DJI Pilot app is used to control the DJI Matrice, DJI Phantom 4, DJI Mavic Proet DJI Mavic 2 Enterprise drones.

Synacktiv’s key findings on the DJI Pilot app

Here are the key findings from Synacktiv:

• The professional DJI Pilot application is protected using the same packer as the consumer-grade DJI Go 4 application
• The professional DJI Pilot application includes the same forced upgrade mechanism as the one present in its consumer-grade applications
• The “offline” Local Data Mode requires an Internet connection in order to install unlocking certificates

Synacktiv points out that the forced upgrade mechanism is,

“very similar to command and control servers encountered with malwares. Given the wide permissions required by DJI Pilot (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI servers have almost full control over the user’s phone.”

DJI’s Local Data Mode does allow the drone to be disconnected from the internet while being operated, however, Synactiv points out that in order to unlock flying over certain sensitive areas, the user has to deactivate the Local Date Mode temporarily and thus allowing network communications for a limited time. The research firm also points out that the unlock certificate is linked to a specific aircraft and user account and thus may “allow specific targeting of sensitive users.”

DroneXL’s take

We have reached out to DJI for a response on this latest report from Synacktiv and will let you know once we receive that. Furthermore, we do wonder who is behind this research? Are these research projects done by Synacktiv or does another party pay for Synacktiv to look into these DJI apps? We will ask them.

Can you, @Synacktiv, confirm or deny that @parrot is behind your reports on security flaws in the DJI Pilot and DJI Go 4 app? I think we deserve to know. @djiglobal @DJIEnterprise #datasecurity #drone #drones #uas #uav https://t.co/rUy0rR6IPN

— DroneXL (@DroneXL1) August 4, 2020

Restez en contact !

If you’d like to stay up to date with all the latest drone news, scoops, rumors, and reviews, then follow us on Twitter, Facebook, YouTube, Instagram or…

S'abonner à notre bulletin d'information quotidien sur les drones.*

Soumettre des conseils Si vous avez des informations ou des conseils que vous souhaitez partager avec nous, n'hésitez pas à nous les communiquer. ici. Soutenez DroneXL.co : Vous pouvez soutenir DroneXL.co en utilisant ces liens lors de votre prochain achat de drone : Adorama, Amazon, B&H, BestBuy, eBay, DJI, Perroquetet Yuneec. Nous percevons une petite commission lorsque vous le faites, sans frais supplémentaires pour vous. Merci d'aider DroneXL à se développer ! FTC : DroneXL.co utilise des liens d'affiliation qui génèrent des revenus.

* Nous ne vendons pas, ne partageons pas, ne louons pas et ne spammons pas votre email, jamais. Nos courriels sont envoyés en semaine vers 17 h 30.