DJI Mavic, Air and Mini Drones

sUAS News: DJI Security Assessment

mavic3usa (Well-Known Member, Premium Pilot; joined Apr 1, 2022; USA):
This article is very interesting. I believe Robi Sen started Department 13 and developed counter-drone technology with Kevin Finisterre several years ago. DJI used to have a bounty program for hackers: anyone who could prove that DJI drones were insecure or leaked information was promised $100,000 or something similar. So Kevin claimed he proved DJI drones were insecure and DJI refused to pay him the reward, igniting a firestorm. Department 13 published a white paper summarizing some of the issues and confirmed that our Mavics began broadcasting the functional equivalent of unencrypted Remote ID with no consumer warning or consent via an update.


This may be why Robi Sen says this:

The company maintains a documented history of adversarial relationships with independent security researchers and third-party auditors, which itself represents a significant security concern. Organizations committed to robust security typically welcome external scrutiny and engage constructively with the security research community. DJI’s pattern of legal threats and researcher intimidation undermines confidence in the company’s security claims and suggests a priority on reputation management over genuine security improvement.

And this:

Independent security researchers, including Kevin Finisterre, Synacktiv, GRIMM, River Loop Security, Nozomi Networks, and academic teams from the NDSS symposium, have repeatedly demonstrated that while DJI’s offline operational modes can prevent automatic data exfiltration, the broader Android and iOS application ecosystem and firmware update mechanisms remain heavily obfuscated.
 

I'm no doubt naive when it comes to the motives and methods of the world's bad actors. But, as a practical matter, of what conceivable value are my (or anyone else's) flight data to them? I'd imagine they have bigger fish to fry.
 

When you install a Go or Fly app on Android, in order to use that app, you are granting that app wide access to your phone. It requests access to the microphone, camera, location, storage, network settings, etc. None of that is unexpected for what the app needs to do.

When you couple that with the ability of DJI to update the code in the app without permission or review from Google, that opens the door to your phone being accessible to bad actors. This is how malware operates on Android; it's not the usual behavior for a legitimate app.

DJI gave its Android apps the ability to update themselves without going through the Google Play review process. This is probably the prime reason why they removed their drone control apps from the Google Play Store, and you now have to sideload their apps on Android.

It doesn't take DJI doing something bad to make this very sketchy. If they are hacked and a malicious party gains access to a phone with the DJI app, the potential exists for that device to be used for illicit surveillance.

This is less of an issue on iOS, because Apple doesn't allow dynamic code updates or sideloading and has tight restrictions on 3rd party app stores.

This is a similar rationale for the current US investigation into TP-Link routers. It's not that TP-Link is inherently evil; it's that their security is so horrible that it's an easy target for bad people using TP-Link products to run botnets.

DJI could resolve some of this by making its control apps open source. Allow people to take the code and make their own versions that could be installed.
  1. Security issues could be addressed and patched without DJI shooting the messenger.
  2. Organizations that need tighter security could make versions that were completely locked down. These apps wouldn't be publicly listed in the app stores.
  3. Other features could be added.
 
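As an added example (not part of the post above and not DJI's code), here is a small Python triage script that checks the two things the post raises against an actual app: the breadth of permissions it requests, and whether the code carries the runtime class-loading machinery (DexClassLoader and friends) that lets an app pull in and execute code that never went through store review. It assumes the app has already been unpacked with `apktool d app.apk -o out`, so AndroidManifest.xml is plain XML and the code sits in .smali files (raw classes*.dex files are scanned too, since the type descriptors appear verbatim in both). The package name `com.example.flyapp`, the `Updater` class and the function names are constructed for this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that give an app eyes, ears, location, files, or the ability to
# install packages itself (the last one is what a self-updating app needs).
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Type descriptors and calls that show up in dex/smali when an app can load
# and run code it did not ship with. A hit is a lead to review, not proof.
DYNAMIC_CODE_MARKERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/DexFile;",
    b"Ljava/lang/System;->load",   # System.load / loadLibrary on a fetched .so
    b"Ljava/lang/Runtime;->exec",
)


def requested_permissions(manifest_path):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.parse(manifest_path).getroot()
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def dynamic_code_markers(app_dir):
    """Map each marker found to the .smali/.dex files (relative paths) containing it."""
    hits = {}
    for dirpath, _, files in os.walk(app_dir):
        for name in files:
            if not name.endswith((".smali", ".dex")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                blob = fh.read()
            for marker in DYNAMIC_CODE_MARKERS:
                if marker in blob:
                    hits.setdefault(marker.decode(), []).append(os.path.relpath(path, app_dir))
    return hits


def triage(app_dir):
    """Combine both checks. 'broad_and_dynamic' is the combination the post warns about."""
    perms = requested_permissions(os.path.join(app_dir, "AndroidManifest.xml"))
    markers = dynamic_code_markers(app_dir)
    sensitive = sorted(perms & SENSITIVE)
    return {
        "sensitive_permissions": sensitive,
        "dynamic_code_markers": markers,
        "self_updating": bool(markers) and "android.permission.INTERNET" in perms,
        "broad_and_dynamic": bool(markers) and bool(sensitive),
    }


def build_sample(app_dir, with_loader=True):
    """Write a constructed apktool-style tree (hypothetical app, not a real one)."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flyapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>
"""
    loader_line = "    new-instance v0, Ldalvik/system/DexClassLoader;\n" if with_loader else ""
    smali = (".class public Lcom/example/flyapp/Updater;\n.super Ljava/lang/Object;\n"
             ".method public load(Ljava/lang/String;)V\n    .locals 1\n"
             + loader_line + "    return-void\n.end method\n")
    pkg_dir = os.path.join(app_dir, "smali", "com", "example", "flyapp")
    os.makedirs(pkg_dir)
    with open(os.path.join(app_dir, "AndroidManifest.xml"), "w") as fh:
        fh.write(manifest)
    with open(os.path.join(pkg_dir, "Updater.smali"), "w") as fh:
        fh.write(smali)


def demo(with_loader=True):
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, with_loader)
        return triage(tmp)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Point it at a real unpacked app with `triage("out")`. Treat a DexClassLoader or System.load hit as a place to start reading, not as a verdict: plugin frameworks and on-demand feature delivery use the same loaders legitimately, so the question a reviewer then has to answer is where the loaded code comes from, whether its signature is checked, and whether the store ever saw it.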
I'm no doubt naive when it comes to the motives and methods of the world's bad actors. But, as a practical matter, of what conceivable value are my (or anyone else's) flight data to them? I'd imagine they have bigger fish to fry.
My flight data and your flight data probably have no value. But embedding thousands and thousands of drones into America's law enforcement, fire, search and rescue, agriculture, utilities, power line inspections, etc. could create a serious vulnerability and has huge potential value. Especially if there is a kill switch.
 
It should be noted that DJI agreed to cooperate with a formal U.S. Government audit of its systems. The govt. has ignored this completely, because this isn't about any relatively higher security risk from DJI than that posed by uncountable other technology suppliers, but about xenophobia and the desire of some American actors to gain a business advantage through protectionism. The current administration would prefer a "fortress America" like that which was practiced in the early 20th century. Even if such a country was possible, and I don't think it is, it would only mean the further decline of the U.S. standing in global scientific, economic and humanitarian circles.
 

I refreshed my memory. DJI had a bug bounty program in 2017. Kevin Finisterre hacked into DJI and requested the bounty. DJI said you hacked us without permission. DJI offered $30,000 to settle but only if Kevin signed a Non-Disclosure Agreement. He said no. The same month this article came out, the Verge put a video on YouTube showing how DJI drones broadcast not just DJI drone flight telemetry but also the registered owner's email address.

How DJI fumbled its bug bounty program and created a PR nightmare

 


"....DJI’s bug bounty program, which launched this summer, was poorly conceived from the start."

I see not a lot has changed over the years.
 
My flight data and your flight data probably have no value. But embedding thousands and thousands of drones into America's law enforcement, fire, search and rescue, agriculture, utilities, power line inspections, etc. could create a serious vulnerability and has huge potential value. Especially if there is a kill switch.
They can get all of that information from spy satellites or their idiot balloons.

There is a bigger risk with their software on your phone.
 
Very interesting.

Lucky for me my old eyes prefer a larger screen. I have two dedicated older iPads for my M2P and M3. The only other thing I use one of those two iPads for is watching YouTube videos when I stay overnight on my sailboat. So even if someone was spying on me through the Fly / Go apps, there's not much of interest for them.
 
The risk I am talking about is not loss of data. It is about depending on a competitor to supply you with important resources, services, technologies, or products. Whether it's oil, gas, uranium, pharmaceuticals, microchips, drones or anything else.
 
And they would get more intel from the photos on the phone than from outdoor shots.

What pharmaceutical information could you get from a drone that couldn't be collected from a satellite?
 
And they would get more intel from the photos on the phone than from outdoor shots.
Again the issue is depending on a foreign competitor or adversary to supply you with resources. Whether it's oil, gas, microchips, rare earth metals, uranium ore, technologies, drones, or any number of other products, goods or services.
What pharmaceutical information could you get from a drone that couldn't be collected from a satellite?
My reference to "pharmaceuticals" may have been confusing. I mentioned it only because my understanding is that China has a far more robust chemical and pharmaceutical manufacturing capability than we do. This has nothing to do with photos or satellites.

Consider the destruction of Russia's undersea gas pipeline to Europe. My hunch is that whoever did it knew there would be massive consequences to cutting off one's own gas. But somehow it was worth it to prevent further dependence on foreign gas. To prevent an adversary from gaining leverage.
 
And nothing to do with drones or the DJI security assessment.
 
Maybe it depends on what you call a security assessment. The thread started with this article:


You said to me:

They can get all of that information from spy satellites or their idiot balloons.

There is a bigger risk with their software on your phone.

I tried to explain to you why there may be security concerns that have nothing to do with data leakage although that by itself is one.
And nothing to do with drones or the DJI security assessment.

I disagree. The US government has made clear since 2017 that DJI's 80+% global market share is by itself a threat to national security. The drone war in eastern Europe proves it. Drone manufacturing is a valuable strategic asset. Just like everything else I listed including oil, gas, rare earth minerals, microchips, and yes pharmaceuticals:

China dominates large-scale manufacturing of active pharmaceutical ingredients (APIs) and has surpassed the US in the number of new clinical trials initiated. Key differences include China's cost advantages in manufacturing (due to lower labor and environmental regulations) and its fast-growing but still developing innovation ecosystem, compared to the US's leading R&D and risk-tolerant investment culture.
 
Look at the big picture:

Xi Jinping says Taiwan 'must and will be' reunited with China

Over 60% of the world's total semiconductors are manufactured in Taiwan.

The production of the most advanced chips (those under 10 nanometers) is even more concentrated, with Taiwan holding over 90% of the global capacity for high-end processors.

China dominates the rare earth metals supply chain, producing about 60% of global mining output and over 90% of processing, which is used in everything from electronics to defense systems. This dominance was built through strategic investment, lower costs, and a conscious decision to control the market starting in the 1980s and 90s. Recent export controls have escalated trade tensions, though a deal was recently struck to "effectively eliminate" these restrictions for now, as other countries work to build their own supply chains.
 
The problem isn't that China thinks strategically, but that the United States doesn't. Decision makers in this country, even the old fossils who've been feeding for decades at the public trough, can't see beyond the next election.
 