The Android application used to operate drones manufactured by DJI contains a number of features that could allow attackers to target users with malicious applications or gain full control of users’ phones, according to recent research by France-based Synacktiv and U.S.-based GRIMM.
Researchers found that the DJI GO 4 application can force updates on users without routing them through the Google Play Store. Given the access the application has — including users’ contacts, microphone, camera, geolocation — it could give DJI or third parties nearly full control of users’ phones, Synacktiv and GRIMM found. It’s also the kind of update that could place the company in violation of the store’s guidelines.
The application also may install arbitrary applications through the Weibo software development kit, bypassing Google once again, according to GRIMM researchers. In so doing, the application shares users’ personal information with Weibo and could allow attackers to target individuals with malicious application installations, according to GRIMM.
The DJI application simultaneously collects personal information, such as IMSI, IMEI, and the serial number of the SIM card in a phone — none of which are necessary for the operation of the drones, which could raise concerns this information is gathered for other purposes, the researchers found. The application also continues to run in the background and make network requests even when users close the application, according to Synacktiv.
GRIMM CEO Brian DeMuth told CyberScoop these features could give anyone who has the potential to gain access to DJI servers — including the Chinese government — the ability to target users.
“Purely from a technical point of view, if you get access to the DJI servers, or you’re someone who has the legal authority over DJI to force themselves to have access, you can target users, not just for mass exploitation but also targeted exploitation,” DeMuth told CyberScoop. “The concern here is that you can push an update to the device. That update could include…an exploit that takes over the phone. From there, you have access to everything.”
The iOS version of the application does not appear to have the same features, according to Synacktiv.
It’s not the first time DJI has faced challenges over cybersecurity concerns. The U.S. Army banned DJI drones three years ago following warnings from the Navy that their drone systems were “highly vulnerable.”
Chinese technology firms have been under a microscope in Washington in recent months, as the U.S. intelligence community warns that Chinese companies, including telecommunications firm Huawei, must abide by Chinese intelligence laws requiring them to share data on Americans with Beijing. Chinese drone companies have broadly faced heightened scrutiny in U.S. government circles in the last several years. The U.S. Department of Interior last year grounded approximately 800 Chinese-made drones, which it expanded earlier this year over cybersecurity concerns.
DJI said in a statement that the features in question are not in the government-version of its software, claiming that the features are intended to block hackers from overriding safety constraints in the application.
“This safety feature in the Android version of one of our recreational flight control apps blocks anyone from trying to use a hacked version to override our safety features, such as altitude limits and geofencing,” DJI spokesperson Brendan Schulman said in a statement shared with The New York Times. “If a hacked version is detected, users are prompted to download the official version from our website.”
DeMuth countered DJI’s statement, contending that it doesn’t address the core concerns raised in the Synacktiv and GRIMM research.
“That [statement] doesn’t hold any weight … They have a mechanism — just like everybody else that has applications on the Google Play Store — to update the applications. Period. They have that,” DeMuth told CyberScoop. “Maybe it applies within China where their users can’t get to the play store which is totally possible…most companies who have that requirement, they take those features out of international versions.”
A DJI spokesperson added that users may soon be able to download the official app from the Google Play Store.
“In future versions, users will also be able to download the official version from Google Play if it is available in their country,” the spokesperson told CyberScoop in a statement. “If users do not consent to doing so, their unauthorized (hacked) version of the app will be disabled for safety reasons.”