sUAS News: DJI Security Assessment

[mavic3usa]

A little light reading to help get you through the weekend:

DJI Security Assessment: An Analysis of Vulnerabilities, Data Practices, and Operational Security​

DJI Security Assessment: An Analysis of Vulnerabilities, Data Practices, and Operational Security

Disclosure Statement This disclosure is provided to ensure transparency regarding the author’s professional background and potential biases. The author has maintained both collaborative and c…

www.suasnews.com

 

[Chip]

This article is very interesting. I believe Robi Sen started Department 13 and developed counter drone technology with Kevin Finisterre several years ago. DJI used to have a bounty program for hackers--anyone who could prove that DJI drones were insecure or leaked information were promised $100,000 or something similar. So Kevin claimed he proved DJI drones were insecure and DJI refused to pay him the reward igniting a firestorm. Department 13 published a White Paper summarizing some of the issues and confirmed that our Mavics began broadcasting the functional equivalent of unencrypted Remote ID with no consumer warning or consent via an update.



This may be why Robi Sen says this:

The company maintains a documented history of adversarial relationships with independent security researchers and third-party auditors, which itself represents a significant security concern. Organizations committed to robust security typically welcome external scrutiny and engage constructively with the security research community. DJI’s pattern of legal threats and researcher intimidation undermines confidence in the company’s security claims and suggests a priority on reputation management over genuine security improvement.

And this:

Independent security researchers, including Kevin Finisterre, Synacktiv, GRIMM, River Loop Security, Nozomi Networks, and academic teams from the NDSS symposium, have repeatedly demonstrated that while DJI’s offline operational modes can prevent automatic data exfiltration, the broader Android and iOS application ecosystem and firmware update mechanisms remain heavily obfuscated.

 

[hank970]

I'm no doubt naive when it comes to the motives and methods of the world's bad actors. But, as a practical matter, of what conceivable value are my (or anyone else's) flight data to them? I'd imagine they have bigger fish to fry.

 

[anotherlab]

I'm no doubt naive when it comes to the motives and methods of the world's bad actors. But, as a practical matter, of what conceivable value are my (or anyone else's) flight data to them? I'd imagine they have bigger fish to fry.

When you install a Go or Fly app on Android, in order to use that app, you are granting that app wide access to your phone. It requests access to the microphone, camera, location, storage, network settings, etc. None of that is unexpected for what the app needs to do.

When you couple that with the ability of DJI to update the code in the app without permission or review from Google, that opens the door to your phone being accessible to bad actors. This is how malware operates on Android; it's not the usual behavior for a legitimate app.

DJI gave its Android apps the ability to update themselves without going through the Google Play review process. This is probably the prime reason why they removed their drone control apps from the Google Play Store, and you now have to sideload their apps on Android.

It doesn't take DJI doing something bad to make this very sketchy. If they are hacked and a malicious party gains access to a phone with the DJI, the potential exists for that device to be used for illicit surveillance.

This is less of an issue on iOS, because Apple doesn't allow dynamic code updates or sideloading and has tight restrictions on 3rd party app stores.

This is a similar rationale for the current US investigation into TP-Link routers. It's not that TP-Link is inherently evil; it's that their security is so horrible that it's an easy target for bad people using TP-Link products to run botnets.

DJI could resolve some of this by making its control apps open source. Allow people to take the code and make their own versions that could be installed.

1. Security issues could be addressed and patched without DJI shooting the messenger.
2. Organizations that need tighter security could make versions that were completely locked down. These apps wouldn't be publicly listed in the app stores.
3. Other features could be added.

 

[Chip]

I'm no doubt naive when it comes to the motives and methods of the world's bad actors. But, as a practical matter, of what conceivable value are my (or anyone else's) flight data to them? I'd imagine they have bigger fish to fry.

My flight data and your flight data probably have no value. But embedding thousands and thousands of drones into America's law enforcement, fire, search and rescue, agriculture, utilities, power line inspections, etc. could create a serious vulnerability and has huge potential value. Especially if there is a kill switch.

 

[Oceanlines]

It should be noted that DJI agreed to cooperate with a formal U.S. Government audit of its systems. The govt. has ignored this completely, because this isn't about any relatively higher security risk from DJI than that posed by uncountable other technology suppliers, but about xenophobia and the desire of some American actors to gain a business advantage through protectionism. The current administration would prefer a "fortress America" like that which was practiced in the early 20th century. Even if such a country was possible, and I don't think it is, it would only mean the further decline of the U.S. standing in global scientific, economic and humanitarian circles.

 

[Chip]

I refreshed my memory. DJI had a bug bounty program in 2017. Kevin Finisterre hacked into DJI and requested bounty. DJI said you hacked us without permission. DJI offered $30,000 to settle but only if Kevin signed a Non Disclosure Agreement. He said no. The same month this article came out, the Verge put a video on Youtube showing how DJI drones broadcast not just DJI drone flight telemetry but also the registered owner's email address. ​

How DJI fumbled its bug bounty program and created a PR nightmare​

How DJI fumbled its bug bounty program and created a PR nightmare

Popular drone maker DJI has bungled its bug bounty program — and a very public spat could have repercussions for the growing freelance industry.

cyberscoop.com

 

[mavic3usa]

I refreshed my memory. DJI had a bug bounty program in 2017. Kevin Finisterre hacked into DJI and requested bounty. DJI said you hacked us without permission. DJI offered $30,000 to settle but only if Kevin signed a Non Disclosure Agreement. He said no. The same month this article came out, the Verge put a video on Youtube showing how DJI drones broadcast not just DJI drone flight telemetry but also the registered owner's email address. ​

How DJI fumbled its bug bounty program and created a PR nightmare​

How DJI fumbled its bug bounty program and created a PR nightmare

Popular drone maker DJI has bungled its bug bounty program — and a very public spat could have repercussions for the growing freelance industry.

cyberscoop.com

"....DJI’s bug bounty program, which launched this summer, was poorly conceived from the start."

I see not a lot has changed over the years.

 

[anotherlab]

My flight data and your flight data probably have no value. But embedding thousands and thousands of drones into America's law enforcement, fire, search and rescue, agriculture, utilities, power line inspections, etc. could create a serious vulnerability and has huge potential value. Especially if there is a kill switch.

They can get all of that information from spy satellites or their idiot balloons.

There is a bigger risk with their software on your phone.

 

[KAOS Imagery]

When you install a Go or Fly app on Android, in order to use that app, you are granting that app wide access to your phone. It requests access to the microphone, camera, location, storage, network settings, etc. None of that is unexpected for what the app needs to do.

When you couple that with the ability of DJI to update the code in the app without permission or review from Google, that opens the door to your phone being accessible to bad actors. This is how malware operates on Android; it's not the usual behavior for a legitimate app.

DJI gave its Android apps the ability to update themselves without going through the Google Play review process. This is probably the prime reason why they removed their drone control apps from the Google Play Store, and you now have to sideload their apps on Android.

It doesn't take DJI doing something bad to make this very sketchy. If they are hacked and a malicious party gains access to a phone with the DJI, the potential exists for that device to be used for illicit surveillance.

This is less of an issue on iOS, because Apple doesn't allow dynamic code updates or sideloading and has tight restrictions on 3rd party app stores.

This is a similar rationale for the current US investigation into TP-Link routers. It's not that TP-Link is inherently evil; it's that their security is so horrible that it's an easy target for bad people using TP-Link products to run botnets.

DJI could resolve some of this by making its control apps open source. Allow people to take the code and make their own versions that could be installed.

1. Security issues could be addressed and patched without DJI shooting the messenger.
2. Organizations that need tighter security could make versions that were completely locked down. These apps wouldn't be publicly listed in the app stores.
3. Other features could be added.

Very interesting.

Lucky for me my old eyes prefer a larger screen. I have two dedicated older iPads for my M2P and M3. The only other thing I use one of those two iPads for is watching YouTube videos when I stay overnight on my sailboat. So even if someone was spying on me through the Fly / Go apps, there's not much of interest for them.