This week, China-based DJI, the drone industry’s leading manufacturer of drones, issued a public statement regarding the recent reports released by cybersecurity researchers (neither Synacktiv nor GRIMM) about the security of its drones’ control app.
In two reports, the researchers claimed that an app on Google’s Android operating system that powers DJI drones collects large amounts of personal information that could be exploited by the Chinese government. In the report, the researchers claim to have discovered typical software concerns, but no specific evidence that those potential vulnerabilities have been exploited. This is not the first time DJI has been accused of lax security safeguards.
DJI responded to these claims, saying that its goal is to help ensure that its comprehensive airspace safety measures are applied consistently across its control apps. However, because recreational pilots often want to share the photos and video they take using the drone with their family and friends over social media, the security of those social media sites must be reviewed by the pilot user. Further, DJI said, “When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website.”
The report also claimed that one of DJI’s drones could restart itself without any input from the pilot. DJI responded stating,”[Our] DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim it did so. We have not been able to replicate this behavior in our tests so far.”
The potential vulnerabilities identified in the report have not been identified by DJI at this point, but DJI says that it has proactively offered security researchers payments of up to $30,000 (through its Bug Bounty Program), to assist in identifying and disclosing security issues with the control apps.
DJI also stated that its drone products designed for government agencies do not transmit data to DJI and are compatible only with a non-commercially available version of the DJI Pilot app. More specifically, “The software for these drones is only updated via an offline process, meaning this report is irrelevant to drones intended for sensitive government use. A recent security report from Booz Allen Hamilton audited these systems and found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party.”
All in all, DJI has been a part of the ongoing call for a set of industry standards for drone data security. However, until those standards have been set, we are sure to continue to see alleged flaws and risks to data collected and transmitted via drone.