DJI Mavic, Air and Mini Drones

Chinese drone maker DJI says it is hunting security flaws in apps

WizDrone
By Alwyn Scott

NEW YORK, Sept 6 (Reuters) - Chinese manufacturer SZ DJI Technology Co Ltd, the world's largest civilian drone maker, said on Wednesday it was hunting for security flaws in its flight-control software after coders found its apps could be "hot patched" to circumvent scrutiny by Apple Inc and Alphabet Inc.

"We have updated the apps to remove the suspect code," Adam Lisberg, spokesman for DJI, said of the hot-patching problem.

"We are going through all the code now to see if there's anything else we didn't know about."

DJI's camera-equipped drones, which range from palm-sized models that cost as little as $500 to those the size of a small outdoor grill, command about 70 percent of the global commercial and consumer drone market, Goldman Sachs and Oppenheimer estimated in 2016.

Their cameras are increasingly used in sensitive settings, such as making movies or inspecting industrial facilities. AT&T deployed about four dozen drones, including DJI models, to spot cell tower damage after Hurricane Harvey. Lisberg said DJI had sent drones and spare batteries to help with the recovery.

But as their popularity has grown, so have concerns about data privacy. DJI's apps, which run on Apple iOS and Google Android, until recently allowed "hot patching" new code into an app any time a tablet or phone connected to the internet.

Such code can turn a phone into a listening device, or send out sensitive data, computer security experts said.

"App developers are finding ways to circumvent the controls that go into the app stores," said Michael Murray, vice president of security intelligence at cyber firm Lookout, which researched hot patching.

DJI's apps connected with more than two dozen websites while booting up, sending user and location data, said Andreas Makris, a coder in Germany familiar with the apps.

DJI's Lisberg said problems stemmed from third-party plug-ins that help users share images on social media. But at least one was sending data DJI didn't know about, he said. DJI stopped it and is looking for other problems.

DJI is offering a "bug bounty" of up to $30,000 for coders who find flaws. It plans to release this month a feature that lets users disconnect phones or tablets from the internet while flying to ensure data is not sent out.

The company stepped up efforts to tighten security after the U.S. Army in May ordered service members to stop using DJI drones because of "cyber vulnerabilities." (Reporting by Alwyn Scott; Editing by David Gregorio)
 
Am I missing something? Since DJI was found to be the one involved in adding code that allowed hot patching, which btw is not allowed by Apple in the first place, why do they need help to find the code / "bugs" that they inserted? Maybe I am just confused!

Rob
 
The US Army may be a big customer that caused some bad press. So they are doing what they can to fix the concerns. Seems simple to me.
 
The paranoia in me thinks DJI already knew about these specific "security issues" and is using the bug bounty and citing ignorance in an attempt to save face and make it seem like it wasn't done intentionally for the Chinese government.

I'm glad other eyes are looking through their code to ensure there is no funny business going on in the background.
 
Opinion:

DJI knew what they were doing all along. Their customers told them, but they didn't listen. Why listen when they already have our money?

Not until some smart people found a lot of problems and they got bad publicity, did they change their tune! Not until a big entity like the army pulled all DJI products, did they start admitting something might be wrong.

Then they come up with this big publicity stunt and they are acting like they didn't know! Come on DJI!!! Do they think we are all idiots? They would have continued doing what they were doing IMO, but it finally blew up in their face.
Sure, let's offer a reward. We make that kind of money off our customers in 2 hours. (Or however much).

I love my MP, but my trust level has dropped and I always wonder if I'm going to have some kind of problem and this thing will drop out of the sky 1,000 feet out over water. Or worse yet, hurt someone in a flyaway.

I have insurance and will continue flying and if it happens I will collect my money and will buy something else. Never again to consider purchasing a DJI product.
I hear GDU has a new drone out that looks a little promising. Called the O2.

Come on DJI. Most love your products, but let's get real with your customers and quit playing games!!!
 
Yes, I think it's just a game, but as stated it really does insult one's intelligence.

Rob
 
DJI can create a closed system not dependent on internet service or connected apps. It's simply unnecessary. There's nothing social about broadcasting every tidbit of information from your device. That was a big plus when I bought Yuneec's Typhoon H. Now if only Yuneec would step their game up and create a better drone to compete.
 
Am I missing something? Since DJI was found to be the one involved in adding code that allowed hot patching, which btw is not allowed by Apple in the first place, why do they need help to find the code / "bugs" that they inserted? Maybe I am just confused!

Rob

You're not?
 
You know... Yuneec is sounding better with every news story I hear about spyware, tracking etc. I sold my Yuneec Typhoon H because its size was not convenient. I liked that it was a closed system (offline). I still like my Mavic, but being social and "sharing" information is too much.
 