The evidence, says DJI, is clear: Its software does not pose a threat to the privacy of users. This, after a story in the New York Times suggested its Android DJI GO 4 app could share personal data with Chinese social media and analytics firms. This has put DJI, again, in the position of having to defend itself.
The new allegations surfaced in a July 23 story published in the New York Times. The paper said two research firms tested the Android version of the popular consumer DJI GO 4 app and found some issues. The story alleged: “…an app on Google’s Android operating system…collects large amounts of personal information that could be exploited by the Beijing government.”
Two research firms test GO 4
Two security research firms were involved in the work – France’s Synacktiv and the Washington-based Grimm. The NYT story said that both firms found that the Android DJI GO 4 app “not only collected information from phones but that DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.”
The Synacktiv analysis identified four main areas of concern. They include:
- The app can self-update, bypassing the Google Play store
- The app apparently allows a Chinese social media (Weibo) SDK interface to collect private user information
- An older version of the app (4.3.36) allowed Chinese analytics company MobTech to collect private user data
- The application can restart itself when closed, meaning it could be transmitting while the phone owner is unaware
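Three of the four findings above (a self-update path, the Weibo SDK, the MobTech SDK) are things an analyst can at least screen for statically before doing any dynamic work. The script below is an added example, not code from the article or from Synacktiv or Grimm: it unzips an APK in memory and searches the binary manifest and dex files for the permission Android requires for in-app package installation and for the package prefixes the two SDKs are assumed to use (those prefixes, and the constructed stand-in APK, are assumptions for illustration; verify them against the real package). A hit means the name is present, not that data is collected or that updates actually bypass Google Play.

```python
"""Static triage of an Android APK for self-update and third-party SDK indicators.

Added example, not from the original article or either research firm.
Heuristic only: a string match shows the permission or package name is
present, not that the behaviour described in the findings is exercised.
"""
import io
import zipfile

# Indicator strings. The Weibo and MobTech prefixes are ASSUMED namespaces
# for those SDKs; confirm against the actual APK under review.
INDICATORS = {
    "self_update_permission": b"REQUEST_INSTALL_PACKAGES",   # needed to install an APK outside Play
    "dynamic_code_loading":   b"dalvik/system/DexClassLoader",  # common way to run downloaded code
    "weibo_sdk":              b"com/sina/weibo/sdk",
    "mobtech_sdk":            b"com/mob/",
}


def _encodings(needle):
    # Dex string data is MUTF-8 (ASCII-compatible for these names); the binary
    # AndroidManifest string pool may be UTF-8 or UTF-16LE, so check both.
    return (needle, needle.decode("ascii").encode("utf-16-le"))


def scan_apk(apk_bytes):
    """Return {indicator: [APK members containing it]} over manifest and dex files."""
    hits = {name: [] for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for member in zf.namelist():
            if not (member.endswith(".dex") or member == "AndroidManifest.xml"):
                continue
            data = zf.read(member)
            for name, needle in INDICATORS.items():
                if any(enc in data for enc in _encodings(needle)):
                    hits[name].append(member)
    return hits


def build_sample_apk():
    """Constructed stand-in for an APK (not DJI GO 4): just indicator strings in a zip."""
    manifest = "android.permission.REQUEST_INSTALL_PACKAGES".encode("utf-16-le")
    dex = (b"dex\n035\0"
           + b"Lcom/sina/weibo/sdk/WbSdk;"
           + b"Ldalvik/system/DexClassLoader;")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
        zf.writestr("res/layout/main.xml", b"not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    for indicator, files in scan_apk(build_sample_apk()).items():
        status = "FOUND in " + ", ".join(files) if files else "not found"
        print(f"{indicator:24s} {status}")
```

Run it against a real APK by replacing `build_sample_apk()` with the file's bytes. The fourth finding, the app restarting after being closed, cannot be confirmed this way; that needs the app observed on a device (for example, force-stopping it and then checking `adb shell dumpsys activity services` for its services), which is also the behaviour DJI says it could not reproduce.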
DJI pushes back
DJI could not replicate at least one of the issues identified by researchers – the app restarting on its own. It had detailed explanations and context for some of the other behaviours, and questioned whether they could accurately be described as significant.
The hypothetical vulnerabilities outlined in these reports are best characterized as potential bugs, which we have proactively tried to identify through our Bug Bounty Program, where security researchers responsibly disclose security issues they discover in exchange for payments of up to $30,000. Since all DJI flight control apps are designed to work in any country, we have been able to improve our software thanks to contributions from researchers all over the world, as seen on this list.
DJI Security Statement
The DJI statement provides a rebuttal or context for all concerns raised by the researchers. This is a screen grab covering only half of the document.
And what might happen if a social media firm had some of your data? Well, according to the director of the National Counterintelligence and Security Center, this:
“Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so. All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China’s state security apparatus.”
William R. Evanina, National Counterintelligence and Security Center
Who commissioned the work?
But there’s still a question. Who asked for this work? We don’t know. The Grimm blog offered a glimpse, but not much more, of who requested the analysis:
Given the recent controversy with DJI drones, a defense and public safety technology vendor sought to investigate the privacy implications of DJI drones within the Android DJI GO 4 application.
It certainly does raise the question of whether a competitor paid for this work, hoping to exploit broader concerns about Chinese-made products and components. That would not be surprising, given the aggressive anti-DJI marketing we saw from Parrot ahead of the launch of its recent Anafi USA.
The deep background
This controversy, or variations thereof, is not new. Back in 2017, DJI launched a “Bug Bounty” program, whereby *anyone* who identifies a legitimate problem could be eligible for a generous cash reward (up to $30k). It was transparent and clearly showed the company was taking concerns seriously. And, as the program’s disclosures showed, DJI acknowledged there were some issues, which it dealt with.
Then, in October of 2019, the US Department of the Interior grounded its fleet of some 800 drones over concerns that they might be vulnerable to cyber-attacks from China or other types of spying. It wasn’t necessarily a DJI-specific allegation, more of a general concern about Chinese-made drones, or drones that utilize a significant number of Chinese-made parts. This was detailed at the time by the Wall Street Journal.
There doesn’t appear to be any clear evidence that critical data was truly at risk – only the perception that there could be a threat. Evaluations of some of DJI’s products were carried out by the renowned firm Booz Allen Hamilton. It tested, through Precision Hawk’s Unmanned Aerial Intelligence Technology Center of Excellence (UAS COE), three DJI models: the Government Edition Mavic Pro and Matrice 600 Pro drones, as well as the Mavic 2 Enterprise. The testing found no connections made by these drone platforms to DJI or to Chinese servers. It did identify some potential concerns, but they were not terribly significant:
The testing did identify potential vulnerabilities associated with one or more of the three drone platforms that could be exploited or triggered by a threat source. Nearly all of those vulnerabilities require physical access to the drone itself, or for the attacker to be within direct radio range during specific operations.
Precision Hawk’s UAS Center of Excellence
In late January 2020, the Department of the Interior decided to keep its drones grounded. The only exceptions would be firefighting deployments or other emergency services. Even a Homeland Security report that cleared the drones didn’t clear the air. The DOI said it would fly these products only in situations deemed absolutely necessary:
We must ensure that the technology used for these operations is such that it will not compromise our national security interests.
DOI Statement, January 2020
For DJI, enterprise clients such as US government agencies and big utilities form a significant part of its overall revenue. But right now, with US-China tensions heating up, this is a potentially volatile area.
DJI is a big company. The last time we heard someone try to peg a value on the company, it was $10 billion. It likes being on top, and it basically owns the consumer and enterprise market globally. In our view, it simply does not make sense for DJI to incorporate malicious flaws that could hurt its bottom line. Nor does it make sense for the company to offer a global “Bug Bounty” program designed to find and eliminate the very kinds of issues that others accuse the company’s software and products of potentially having.
We spoke recently with DJI’s senior manager for corporate communications and public affairs in North America, Michael Oldenburg. He says that DJI takes strong data security measures for its consumer line, and even more so for its Government Editions. But he also made a very clear point:
“It’s important to draw one clear distinction,” explained Oldenburg.
There’s drones for the Department of Defense and then there’s drones for everything else in the commercial/industrial sector. And largely, we have always said from the get-go we don’t create them to be military spec or compliant with DoD standards. That’s not a market that we’re trying to serve.
If there’s an issue, DJI is likely to fix it
If the researchers did find something significant, we’re confident that DJI will deal with it. And that’s not just out of concern for the customer. Ultimately, the company’s bottom line depends on trust, and anything that puts that into question is simply far too costly.
Do you feel there’s something to this latest report? Or do you believe DJI’s products are secure enough for the average user? Let us know in the comments below!