"Popular Chinese-Made Drone Is Found to Have Security Weakness"

[PointG]

"n two reports, the researchers contended that an app on Google’s Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft."
"
The security research firms that documented it, Synacktiv, based in France, and GRIMM, located outside Washington, found that the app not only collected information from phones but that DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.

The changes are also difficult for users to review, the researchers said, and even when the app appears to be closed, it awaits instructions from afar, they found.

“The phone has access to everything the drone is doing, but the information we are talking about is phone information,” said Tiphaine Romand-Latapie, a Synacktiv engineer. “We don’t see why DJI would need that data.”"

NY Times Article

 

[Mavic Mac]

Scary, but not surprising, if true.

 

[sar104]

It's definitely worth reading the entire article, which goes on to put a lot of the observations in perspective.

 

[THE CYBORG]

Lets face it who knows what any app is collecting, the info on my phone isn't even interesting to me but they are welcome to my calendar app, dentist, physio, hospital appointments

 

[pross]

Synacktiv did not identify any malicious uploads but simply raised the prospect that the drone app could be used that way.

A lot of could be maybes.

 

[Flycaster]

And we are "acting surprised"??
Still on the "factory burn" of firmare from 3 years ago, never updated/or "hobbled".
Dedicated tablet, Andryroids OS, Go4 app and Go4 app by NLD is the only thing my drone tabby has on it, krap gmail account, and it only "sees" the interwebs when I need to update a google map...
Period...

 

[Scott]

Ms. Romand-Latapie acknowledged that the security vulnerability did not amount to a backdoor, or a flaw that allowed hackers into a phone.

So a whole lot of nothing to see here.

 

[jtus]

Another reason to use a smart controller. It has none of your information.

 

[itsneedtokno]

My cell phone stores my credit card, debit card, and all my passwords.

I'm not worried about my flying camera

 

[xunhui]

If it's on your phone, computer or anything that collects data and is connected to a server. Unfortunally it is best to assume it can be accessed. There are many ways in which to minimize this risk but it's just now part of our daily life. I personally have much greater things to worry about.

 

[kme]

Is Litchi subject to the same vulnerabilities?

 

[Deleted member 114292]

While Apple is not perfect, they are certainly more diligent than google. The good news is the only Android devices I use are for flight only like the SC, which I don't even have email on.
As for DJI gathering information I'm sure they are no worse that other Android apps. And hey the article cracked the AES key for log file (no doubt this has already been done).
Google's business model is gathering information on you. It's the price of a more open and robust ecosystem.

I'm not at all bashing Android as an OS, but from a security standpoint would never use an Android phone as my EDC.

 

[Gttaylor]

Scary, but not surprising, if true.

But it is from the NYT, so the story is questionable.

 

[Deleted member 114292]

But it is from the NYT, so the story is questionable.

As per usual the NYT has back up.

DJI Android GO 4 application security analysis

Drones are currently one of the most dynamic products, with multiple use cases across sectors such as personal and commercial videography, farming and land surveying, law enforcement and national secu

www.synacktiv.com

 

[GB1Yorkshire1]

NYT or not, the fact is, that apparently 2 agencies have found security issues!
You may only fly in your “boring “ area but multiply this over all users you end up with a very detailed map and possibly areas of greater interest, bridges, motorways, industry etc. The technology that makes great drones also is capable of “other” technologies!

 

[Meta4]

NYT or not, the fact is, that apparently 2 agencies have found security issues!
You may only fly in your “boring “ area but multiply this over all users and you end up with a very detailed map and possibly areas of greater interest, bridges, motorways, industry etc.

You didn't read the article, did you?
There was no mention of the ridiculous idea that your drone is spying and China wants to see your photos.

 

[sar104]

But it is from the NYT, so the story is questionable.

Then you should have questioned and verified it by following up the references, rather than blindly trying to play the fake news card because you don't like the news outlet that reported it.

 

[HumbearKS]

This is only slightly related to the topic but would the same security concern exist with running DJI' s Mimo app for their Osmo Action cam? Any thoughts?

 

[Vic Moss]

Everyone needs to read the actual NYT article before they start spreading fear and panic. Not only is there no actual report or test proving their fears (which would be incredibly easy to do given all the hackers out there), the NYT article even goes as far as saying it's not really that big of a deal towards the end of the article.

And DJI has already addressed this: DJI Statement On Recent Reports From Security Researchers

This is yet another attempt by the media to create an issue with China where it really doesn't exist. Your iPhones and Alexas give more into to diffente servers (some of which are in China) that any of my DJI drones ever would.

 

[Vic Moss]

This is only slightly related to the topic but would the same security concern exist with running DJI' s Mimo app for their Osmo Action cam? Any thoughts?

No, there aren't any true security concerns anyway.