Researchers have analyzed the security of DJI’s Pilot app for Android, but the Chinese drone giant says the claims they’ve made are misleading.
Last month, France-based cybersecurity company Synacktiv reported that it had found some potentially serious security issues in the DJI GO 4 Android app, which allows users to control and manage recreational drones made by DJI.
Synacktiv, whose findings were validated by US-based cybersecurity firm GRIMM, reported discovering a “forced update” mechanism that allowed the vendor to directly install an update or new software on a user’s device without going through the checks required by Google Play. It also found an SDK that collected sensitive device information (e.g. IMEI, IMSI and SIM card serial number).
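The two capabilities at issue above, self-updating outside Google Play and access to device identifiers such as IMEI, IMSI and SIM serial, both leave a footprint in an app's manifest. The following is an added triage example (not code from Synacktiv, GRIMM or DJI) that flags the permissions gating those capabilities in a constructed manifest; the package name and manifest contents are invented.

```python
"""Flag Android manifest permissions that gate self-updating outside
Google Play and access to device identifiers (IMEI, IMSI, SIM serial).
Added example using a constructed manifest, not any real app's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app install an APK it downloaded itself,
# i.e. update without Google Play's review and signature checks.
SELF_UPDATE_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # sideload prompt, API 26+
    "android.permission.INSTALL_PACKAGES",          # privileged/system apps
}
# READ_PHONE_STATE gates TelephonyManager.getDeviceId / getSubscriberId /
# getSimSerialNumber on older API levels: IMEI, IMSI and SIM serial.
DEVICE_ID_PERMS = {"android.permission.READ_PHONE_STATE"}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict[str, set[str]]:
    """Map each capability of interest to the declared permissions enabling it."""
    perms = declared_permissions(manifest_xml)
    return {
        "self_update": perms & SELF_UPDATE_PERMS,
        "device_identifiers": perms & DEVICE_ID_PERMS,
    }


# Constructed sample manifest; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.drone.pilot">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>
"""

if __name__ == "__main__":
    for capability, hits in triage(SAMPLE_MANIFEST).items():
        print(f"{capability}: {sorted(hits) or 'none'}")
```

A hit is a reason to inspect the update path and identifier handling by hand, not proof of misuse on its own: a legitimately sideloaded build (as in DJI's account of markets without Google Play) declares the same permission.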
DJI responded to Synacktiv’s findings and while it confirmed some of the vulnerabilities — the company said it released patches within a week of the report being published — it argued that the forced update mechanism is necessary to prevent users from installing hacked versions of its app in order to “help ensure that our comprehensive airspace safety measures are applied consistently.”
Synacktiv on Tuesday published an analysis of DJI’s Pilot app, which is designed for enterprise drones. The company said it found the same forced upgrade mechanism in this application as well, and warned that enabling the drone’s offline mode is not effective at preventing external interference.
Its researchers also claim that one of the SDKs present in the GO 4 application, which has been found to collect some device information, is also present in some releases of the Pilot app.
Synacktiv also investigated the Local Data Mode, which isolates the application from the internet. When this setting is enabled, however, users can no longer unlock fly zones, which may be needed for certain missions. This forces the user to disable the Local Data Mode, allowing the vendor to push updates to the app using the aforementioned system.
“Moreover, to unlock flying in restricted airspace, a user has to ask DJI for permission using their process and will be delivered an unlock certificate linked to their aircraft and user account,” Synacktiv said. “Because the certificate registration is linked to the user’s account, it may allow specific targeting of sensitive users.”
DJI has a bug bounty program with rewards of up to $30,000 and it encourages researchers to report the vulnerabilities they find in its products. However, Synacktiv did not inform the vendor before making its findings public.
DJI told SecurityWeek that Synacktiv’s latest claims are “false” and “misleading.” The company claims that no version of its DJI Pilot app uses the SDK that collects device data.
Regarding the auto-update functionality, DJI explained, “The DJI Pilot app for Android that is available on the Google Play store only updates to official versions downloaded from the Google Play store. The user is prompted to update in a pop-up window, and the app will not update unless the user agrees. For customers who operate our products in countries where the Google Play store is not available, the app and app updates are made available on our website.”
As for the issues related to the Local Data Mode, DJI says Synacktiv does not fully understand how its geofencing system works.
“In addition to enhancing data security assurance, [the Local Data Mode] feature blocks the drone’s ability to update flight safety restrictions and blocks the user’s ability to ‘unlock’ some geofenced areas,” DJI said in an emailed statement. “However, Synacktiv appears to misunderstand the function of DJI’s geofencing safety system and the many other available methods for customers to unlock. For example, government agencies can participate in our Qualified Entities Program which unlocks the entire region they request, with no need to connect to the internet after initial activation. Also, our Government Edition drones have no geofencing at all. DJI users understand these limitations and plan ahead for when and how to unlock geofencing flight restrictions, if needed.”
It added, “As with automatic updates, these features are implemented for purposes that benefit the public by enhancing airspace safety during the use of our products. The important safety role of geofencing has been recognized by the U.S. Federal Aviation Administration’s (FAA) Drone Advisory Committee; the Airports International Council-North America and Association for Unmanned Vehicle Systems International joint Blue Ribbon Task Force on Airport Mitigation; and the FAA-industry joint Unmanned Aircraft Safety Team. No other company has done as much as DJI to proactively enhance the safety of drone operations. We are dismayed that safety features have again been misunderstood and misconstrued as hypothetical security threats by researchers who are evidently unfamiliar with the operation of drone technology.”
DJI said that following Synacktiv’s initial report, it removed an SDK that was found to collect data and started directing automatic safety-related updates for its app to the Google Play store rather than its website.
DJI has come under scrutiny over the past years due to its Chinese origins, with some US agencies and officials concerned that the company may be assisting the Chinese government’s spying efforts. The drone giant has denied the accusations and pointed to analysis conducted by the DHS and Booz Allen Hamilton, which found no evidence that DJI’s government and professional drones send user data to the company, China or other third parties.