Digital security experts from the United States and Europe have investigated and found a vulnerability in the application that controls flying drones of the Chinese company Da Jiang Innovations (DJI). The latter, by the way, is the world’s largest manufacturer of such equipment.
Experts from the French firm Synacktiv and the American GRIMM have prepared reports that the DJI Go app for the Android mobile operating system, which is used to control DJI drones, collects personal information from owners. Subsequently, this data can be used by the Chinese government.
Experts note that the problem is not only the collection of information. They indicate that DJI can update its application while bypassing Google, which usually checks all changes before they go to the Play Store. Thus, DJI may be violating Google’s agreement for app developers, the researchers note. It is difficult for the user to determine what changes have been made to the software. Moreover, even when the application is not active, it waits for commands from a remote server, experts say.
“The phone has access to everything a drone does, but the information we’re talking about is information about the phone itself. We don’t understand why DJI needs access to this data,” comments Synacktiv engineer Tiphaine Romand-Latapie.
At the same time, the specialist adds that this security vulnerability cannot be called a real backdoor for hackers that would allow them to gain access to the drone owner’s phone. DJI representatives, in turn, said that they use this method of updating the application so that enthusiasts cannot hack or alter it and use it to bypass government regulations that limit the range and altitude of drone flights.
“This is a security measure in one of our Android drone control apps that prevents a jailbroken version of the app from being used to bypass our security features like max altitude and geofencing,” said DJI representative Brendan Schulman.
According to him, if the system detects a hacked application, the user is immediately directed to the official website of the company, where he can download the official version of the software. The company representative also added that this feature is absent in software products used by corporate clients and government agencies.
Google is going to study the reports provided by digital security experts. Experts from Synacktiv, in turn, note that they did not find similar features of updating the application in the Chinese App Store for devices running on Apple’s iOS operating system.
Experts speculate that the method of updating an Android application, where the user is directed to the drone manufacturer’s website, is most likely due to the fact that the Chinese government is blocking Google and its services in the country. Thus, application developers are effectively forced to resolve the issue of distributing their updates on their own.
According to The New York Times, the specialists’ investigation was commissioned by third parties. The security experts do not name their clients, but indicate that in the past they have collaborated with various aerospace companies, as well as other drone manufacturers that may be potential competitors to DJI.
Chinese drone maker DJI, like many other successful Chinese manufacturers, amid the ongoing trade war between the US and China, has long attracted increased attention from the US government. For example, the Pentagon imposed a ban on the use of DJI drones by its employees. In January of this year, the US Department of the Interior (DOI) abandoned the use of products from the Chinese manufacturer due to concerns about their safety. For months, US officials have been making statements about the possible use of technical flaws in the Chinese manufacturer’s radio-controlled flying devices by the Beijing government. At the federal level, their use was indeed banned, but local authorities did not make such amendments to their regulatory documents.
“Every Chinese technology company, according to Chinese law, is obliged, at the request of the government, to provide any information it receives from users and stores,” says the head of the National Center for Counterintelligence and Security (National Counterintelligence Executive, NCIX).
DJI, in turn, said that the decisions made by the American side were motivated by politics, and not by the possible vulnerability of their software.