
sUAS News: DJI Security Assessment

I'm 1000% against a DJI ban of course, but could Congress's best argument be that DJI's drones give the CCCP access to the inner workings of a few million DJI owners' phones?

If so, and as mentioned here before, then what about hundreds of millions of China-made cell phones, routers, TVs, tablets, a few million robotic home vacs, not to mention automotive electronics, and more?

What will be banned next? It seems that DJI was just one easy target.
Do you think China is able to sneak malware onto Apple phones without Apple knowing it just because the iPhone is built in China? That's the rationale you think drone owners should try to sell to the American people: that your iPhone is infected and China is spying on your iPhone without Apple knowing it?
 
Do you think China is able to sneak malware onto Apple phones without Apple knowing it just because the iPhone is built in China? That's the rationale you think drone owners should try to sell to the American people: that your iPhone is infected and China is spying on your iPhone without Apple knowing it?
Apple wasn't the problem. Companies like Huawei and TP-Link were the problem.
 
This article is very interesting. I believe Robi Sen started Department 13 and developed counter-drone technology with Kevin Finisterre several years ago. DJI used to have a bounty program for hackers--anyone who could prove that DJI drones were insecure or leaked information was promised $100,000 or something similar. So Kevin claimed he proved DJI drones were insecure and DJI refused to pay him the reward, igniting a firestorm. Department 13 published a white paper summarizing some of the issues and confirmed that our Mavics began broadcasting the functional equivalent of unencrypted Remote ID, with no consumer warning or consent, via an update.

This may be why Robi Sen says this:

The company maintains a documented history of adversarial relationships with independent security researchers and third-party auditors, which itself represents a significant security concern. Organizations committed to robust security typically welcome external scrutiny and engage constructively with the security research community. DJI’s pattern of legal threats and researcher intimidation undermines confidence in the company’s security claims and suggests a priority on reputation management over genuine security improvement.

And this:

Independent security researchers, including Kevin Finisterre, Synacktiv, GRIMM, River Loop Security, Nozomi Networks, and academic teams from the NDSS symposium, have repeatedly demonstrated that while DJI’s offline operational modes can prevent automatic data exfiltration, the broader Android and iOS application ecosystem and firmware update mechanisms remain heavily obfuscated.
I am sorry I have not responded to your comments. I had no idea that there was even this forum. I want to clarify a couple of things. I did indeed start D13. We went after ALL drones. We got attention for DJI in part because DJI was the biggest company and because of their behavior. The bounty was 30K. I should also note that I have worked on securing DJI as well as a novel way of exploiting it. The whitepaper was for Aeroscope, and DJI’s response was surprising in its unsubstantiated claims and threatening language. Please check out this article that focuses on how Russia may have used Aeroscope to find and kill Ukrainian drone pilots. Also, how emphatically DJI denied Kevin’s claims that their communications were unencrypted. DJI ended up having to admit they did not encrypt.

DJI drones, Ukraine, and Russia — what we know about AeroScope.
The comment about an adversarial relationship is in part why I wrote the comment. I am trying to tell people my prejudices to help them make up their own minds. Crazy, I know. That said, numerous people and groups have gotten the light version of DJI’s responses. DJI has flaws it won't address. It has suspected issues it won't let us see. It has an accusative comment and hostility. Thanks for the comment. Well written and appreciated.
 
I believe the question is does DJI fit in the category with Apple or does DJI fit in the category with Huawei and TP-Link?
Realistically? Neither.

The current legal actions facing DJI in the US are an attempt to force-start US production of drones by hobbling the vendor with 70% of the US market.
 
I'm no doubt naive when it comes to the motives and methods of the world's bad actors. But, as a practical matter, of what conceivable value are my (or anyone else's) flight data to them? I'd imagine they have bigger fish to fry.
They can get all of that information from spy satellites or their idiot balloons.

There is a bigger risk with their software on your phone.
I'm no doubt naive when it comes to the motives and methods of the world's bad actors. But, as a practical matter, of what conceivable value are my (or anyone else's) flight data to them? I'd imagine they have bigger fish to fry.
You might Google 聚沙成塔 (jù shā chéng tǎ), which is often translated as “gather sand to form a pagoda”, but a more common phrase in the west is 积少成多 (jī shǎo chéng duō), which in English is usually “The Thousand Grains of Sand” (note: if you know Chinese, please correct). This is a strategy and tactic where every little bit of data is collected and later used to create insights that can be of great importance. The US does the same thing, but not at the same scale. A little bit of data may have far more value. This is sort of a real example. Let's say you live in McLean, Virginia, which is filled with important Government employees and foreign workers at whatever embassy. You fly your drone for some reason, from which they get data dumps on an infrequent schedule via your phone or Wi-Fi. They really like your neighbor, who is a military attaché from Australia. You guys like to drive 45 minutes out to a shooting range, and then back. Every Sunday. At some point, some of you guys come and wire up your car. Everything is recorded, digitized, and analyzed by computers. Often something important pops up.
 
They can get all of that information from spy satellites or their idiot balloons.

There is a bigger risk with their software on your phone.
Can you provide your ROI? I think you should make sure you define the investment carefully, and the opportunity cost.
 
My flight data and your flight data probably have no value. But embedding thousands and thousands of drones into America's law enforcement, fire, search and rescue, agriculture, utilities, power line inspections, etc. could create a serious vulnerability and has huge potential value. Especially if there is a kill switch.
Please see my response about 1000 grains of sand. In general, you want everything you can get. Even the absence of data can be important.
 
Realistically? Neither.

The current legal actions facing DJI in the US are an attempt to force-start US production of drones by hobbling the vendor with 70% of the US market.
My guess is unless they rise to the level of an Apple, they're going to come under heavy scrutiny.

I understand the idea that you get rid of the competition to clear the way for your own but honestly, no one believes that will work.
 
They can get all of that information from spy satellites or their idiot balloons.

There is a bigger risk with their software on your phone.
I'm not sure that satellites would be used for that when large-scale, ill-disguised hacking campaigns are amazingly effective. As for the phone, I think that is true.
 
I'm 1000% against a DJI ban of course, but could Congress's best argument be that DJI's drones give the CCCP access to the inner workings of a few million DJI owners' phones?

If so, and as mentioned here before, then what about hundreds of millions of China-made cell phones, routers, TVs, tablets, a few million robotic home vacs, not to mention automotive electronics, and more?

What will be banned next? It seems that DJI was just one easy target.
This is a good argument. This is essentially: anything from China is suspect. Solar cells have had hardware "bugs." China switched Samsung radios with their own for spying. Going forward a little bit at a time may make China more willing to negotiate. China has trapped Apple in a difficult situation. Divestment would wreck them; the US should step in. If China lost Apple, it's 100s of billions.
 
When you install a Go or Fly app on Android, in order to use that app, you are granting that app wide access to your phone. It requests access to the microphone, camera, location, storage, network settings, etc. None of that is unexpected for what the app needs to do.

When you couple that with the ability of DJI to update the code in the app without permission or review from Google, that opens the door to your phone being accessible to bad actors. This is how malware operates on Android; it's not the usual behavior for a legitimate app.

DJI gave its Android apps the ability to update themselves without going through the Google Play review process. This is probably the prime reason why they removed their drone control apps from the Google Play Store, and you now have to sideload their apps on Android.

It doesn't take DJI doing something bad to make this very sketchy. If they are hacked and a malicious party gains access to a phone with the DJI, the potential exists for that device to be used for illicit surveillance.

This is less of an issue on iOS, because Apple doesn't allow dynamic code updates or sideloading and has tight restrictions on third-party app stores.

This is a similar rationale for the current US investigation into TP-Link routers. It's not that TP-Link is inherently evil; it's that their security is so horrible that it's an easy target for bad people using TP-Link products to run botnets.

DJI could resolve some of this by making its control apps open source. Allow people to take the code and make their own versions that could be installed.
  1. Security issues could be addressed and patched without DJI shooting the messenger.
  2. Organizations that need tighter security could make versions that were completely locked down. These apps wouldn't be publicly listed in the app stores.
  3. Other features could be added.
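One practical way to check the two points above (what an Android app asks for, and whether it can install updates on its own outside Play review) is to read the requested permissions out of a decoded AndroidManifest.xml. The script below is an added example, not code from the post or from DJI; the manifest it inspects is constructed, and REQUEST_INSTALL_PACKAGES is treated as one indicator of self-install capability, not proof of it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions a drone-control app plausibly needs: the categories the
# post itself lists (microphone, camera, location, storage, network).
EXPECTED = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CHANGE_WIFI_STATE",
}
# Needed on Android 8+ for an app to install APKs itself, i.e. to ship
# updates that never pass through Play review. One indicator, not proof.
SELF_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"

def requested_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [e.get(NAME_ATTR) for e in root.iter("uses-permission")]

def assess(manifest_xml: str) -> dict:
    """Split permissions into expected / unexpected and flag self-install."""
    perms = set(requested_permissions(manifest_xml))
    return {
        "expected": sorted(perms & EXPECTED),
        "unexpected": sorted(perms - EXPECTED - {SELF_INSTALL}),
        "self_install": SELF_INSTALL in perms,
    }

# Constructed sample manifest (hypothetical package, not any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakefly">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A decoded manifest for a real APK can be produced with apktool; binary manifests straight out of an APK are not plain XML and would need decoding first.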
Very good response, but this was a situation of an insecure app that had code that should not have been there. Part of it, if you read the analysis, is that there is a small fragment of code. We provide a fragment due to ethical security practices.
If it was DJI, the code provides data to China. User and telemetry.
 