DJI Pilot app shares same security flaws as DJI Go 4, says Synacktiv

About ten days ago, a story was published in the NY Times highlighting the security flaws found in the DJI Go 4 app for the Android platform by security researchers from the French company Synacktiv. Today, the company releases a new statement claiming that the DJI Pilot app for commercial and enterprise customers has the same security concerns.

DJI Pilot app shares same security flaws as DJI Go 4, according to Synacktiv

Synacktiv, a French security research company that has also worked for DJI’s competitors, released a statement claiming that the DJI Pilot app for commercial and enterprise customers shares many of the same security flaws as the DJI Go 4 app. The issues are related to the apps running on Google’s Android platform, not Apple’s iOS.

Synacktiv’s initial report on the DJI Go 4 app was picked up by the NY Times and July 23, 2020. In a statement, the company says:

“We found similar issues to those listed in our previous blogpost in the application, such as a forced update mechanism.”

The DJI Pilot app is used to control the DJI Matrice, DJI Phantom 4, drones.


Synacktiv’s key findings on the DJI Pilot app

Here are the key findings from Synacktiv:

  • The professional DJI Pilot application is protected using the same packer as the consumer-grade DJI Go 4 application
  • The professional DJI Pilot application includes the same forced upgrade mechanism as the one present in its consumer-grade applications
  • The “offline” Local Data Mode requires an Internet connection in order to install unlocking certificates

Synacktiv points out that the forced upgrade mechanism is,

“very similar to command and control servers encountered with malwares. Given the wide permissions required by DJI Pilot (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI servers have almost full control over the user’s phone.”

DJI’s Local Data Mode does allow the drone to be disconnected from the internet while being operated. However, Synacktiv points out that in order to unlock flying over certain sensitive areas, the user has to deactivate Local Data Mode temporarily, thus allowing network communications for a limited time. The research firm also points out that the unlock certificate is linked to a specific aircraft and user account and thus may “allow specific targeting of sensitive users.”

DroneXL’s take

We have reached out to DJI for a response on this latest report from Synacktiv and will let you know once we receive that. Furthermore, we do wonder who is behind this research. Are these research projects done by Synacktiv or does another party pay for Synacktiv to look into these DJI apps? We will ask them.


Haye Kesteloo

Haye Kesteloo is a leading drone industry expert and Editor in Chief of DroneXL.co and EVXL.co, where he covers drone technology, industry developments, and electric mobility trends. With over nine years of specialized coverage in unmanned aerial systems, his insights have been featured in The New York Times, The Financial Times, and cited by The Brookings Institute, Foreign Policy, Politico and others.

Before founding DroneXL.co, Kesteloo built his expertise at DroneDJ. He currently co-hosts the PiXL Drone Show on YouTube and podcast platforms, sharing industry insights with a global audience. His reporting has influenced policy discussions and been referenced in federal documents, establishing him as an authoritative voice in drone technology and regulation. He can be reached at haye @ dronexl.co or @hayekesteloo.
