As concerns about Chinese computer component vendors continue to raise alarms, The New York Times has also reported on drones that are linked to security risks. Da Jiang Innovations (DJI) makes drones that are controlled by a Google Android app. Cybersecurity experts who studied the DJI drones caution that users’ information may be compromised.
The alleged problem is that the app that powers the drone also collects information from the user’s phone, and that DJI can update the app directly. That update process skips over the safeguard that should allow Google to review the changes. Eliminating Google’s oversight is a potential violation of Google’s Android developer terms of service. The Pentagon has already banned the use of DJI drones.
In response, DJI claimed the decision was politically motivated and has not acknowledged a security risk with its product. “This safety feature in the Android version of one of our recreational flight control apps blocks anyone from trying to use a hacked version to override our safety features, such as altitude limits and geofencing,” stated DJI spokesman Brendan Schulman. “If a hacked version is detected, users are prompted to download the official version from our website.”
Researchers did note that, from DJI’s perspective, the update mechanism DJI devised was likely intended to address a situation in China, which blocks the Google app within its own borders. Sidestepping Google and handling updates itself would benefit drone flyers in China, since DJI could manage the information directly without routing it through Google. In the West, this workaround could look subversive.
“This research is a good reminder that organizations need to pay attention to the risks associated with the various technologies they’re using for operations,” said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency.
“The phone has access to everything the drone is doing, but the information we are talking about is phone information,” said Tiphaine Romand-Latapie, a Synacktiv engineer who researched the vulnerability. “We don’t see why DJI would need that data. It is the mix of all of that which has made us suspicious. It makes the application quite dangerous for the user if they are not aware of what the application is capable of doing.”