So, not long after allegations that the Android version of DJI’s popular GO 4 app might have some security issues, there’s a new claim that the DJI Pilot app – meant for professional Enterprise users – may share similar problems. DJI has fired back, saying the app does not have any of these issues. A public relations firm pushed the latest allegations to drone news websites. And that…raises some questions of its own.
Back on July 23, news broke that there could be an issue with the DJI GO 4 app. The New York Times wrote a story, based on the research of two firms, that suggested there could be some oddball things going on with the Android version of DJI GO 4. Much of it seemed to be related to third-party Chinese apps being able to glean some personal data. DJI defended its software – and said its own engineers had been unable to replicate at least one of the behaviors the researchers had observed: the app re-starting and updating of its own accord and without the user’s knowledge.
The initial work was carried out by two firms: France’s Synacktiv and the Washington-based Grimm. Now, Synacktiv has posted some new findings about the DJI Pilot app on its blog. Specifically, the blog contains the following bullets, which we quote:
- “The professional DJI Pilot application is protected using the same packer as the consumer grade DJI GO 4 application”
- “The professional DJI Pilot application includes the same forced upgrade mechanism as the one present in its consumer grade applications”
- “The ‘offline’ Local Data Mode requires an Internet connection in order to install unlocking certificates”
DJI has historically prepared statements that offer detailed refutations of such allegations. Today, DJI said that its engineers had been notified about the Synacktiv concerns and that it would release a statement later on. We’ll obviously update this story when we hear something.
UPDATE: DJI responds
About 15 hours after the allegations were disseminated, DJI had prepared its own statement of rebuttal. It states that Synacktiv’s findings are false:
“Today’s report from the Synacktiv digital security firm about DJI software includes further inaccuracies and misleading statements about how our products work, following similar reports from them last week. We want to make clear that DJI’s products protect user data; that DJI, like most software companies, continually updates products as real and perceived vulnerabilities come to light; and that there is no evidence that any of the hypothetical vulnerabilities reported by Synacktiv have ever been exploited. In this post, we address Synacktiv’s new report.”
As part of our ongoing coverage – and reflecting that developments are occurring over two days – we’ve posted DJI’s statement in full detail here.
But when we saw the initial Synacktiv report, we wondered how serious these concerns were. Did they pose a major security issue? Others who read our coverage felt the same way. Here are two comments users posted with the story:
“What I want to see someone do is find the DJI App on your phone make a connection to a server and transmit data to that server. If they can’t demonstrate this, then all their talk about ‘possibly’ harvesting data or the Chinese government receiving your information means squat. I don’t think we’ll ever see this because it’s not happening. DJI has too much too (sic) lose to take such a risk. Much easier to throw around vague accusations and let people jump to their own conclusions.”
Disqus User FOHEng
That wasn’t the only user to question whether what Synacktiv had found constituted something serious:
“Overall I think their findings indicate a total disregard for privacy, I don’t think that necessarily means there’s any malicious intent; there are quite a few high profile android apps (including the nytimes’ own app) that have been called out for scooping up user data. The problem is almost always in 3rd party tracking services’ sdks rather than the app code itself.”
Disqus User Bob DoLe
The concern is that the Chinese government could somehow request any and all data from DJI. In fact, variations of the following phrase – also placed as a comment on our site – have surfaced on other sites. It makes you wonder if people are just copying and pasting this phrase, or if it’s part of a more orchestrated campaign:
“Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so. All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China’s state security apparatus.”
Disqus User Eoaoos
Ever since it’s been raised that non-US technology could potentially pose security concerns (with a particular emphasis on China) it feels a bit like it’s been open season on DJI. We’ve seen some pretty pointed digs made by Parrot prior to announcing its Anafi USA model. That new drone line is going directly after some of DJI’s Enterprise clients, and the marketing focuses heavily on its “Made in the USA” heritage. It also used these promotions as part of the buildup to its launch:
The accusations force DJI into a defensive posture, having to address or negate each and every allegation. The optics of that aren’t good, and are likely a huge pain for DJI. More than that, however, is that such statements leave behind a taint that’s difficult to scrub clean. When you look at the big picture, it starts to feel a bit like the collective goings-on may be part of a deliberate attempt to damage the company’s reputation. It’s a bit like when someone is accused of a major crime but is later found to be innocent: Some will always wonder if they didn’t just ‘get away’ with it.
Who’s behind it?
Drones are big business. And Enterprise drones, which are more expensive than consumer drones, are increasingly in demand. DJI has historically been the product of choice in this sector. It would, therefore, be advantageous for a competitor to help bankroll these studies and also help disseminate the results. It would also be in the interests of any company hired to find problems…to point out every issue it could find.
Is that what’s going on here? We can’t say with certainty. But our Spidey Sense tingles when we receive news of the Synacktiv blog post from a PR agency. That’s very different from it surfacing in a story from the New York Times. This feels, in fact, just all a bit too contrived – which, for me, detracts from credibility.
We’ve contacted the agency and asked, directly, if it has been hired by one of DJI’s competitors. So far…they have not responded to our inquiry.
Hang on – are you biased?
Good question. And if I were reading this, I’d wonder the same thing. I mean, seems like I’m going out of my way to defend the company.
While it may seem that way, that’s not the case. Because the truth is this: DJI is about the bottom line. The company is at the top and wants to stay there. It has offered a generous ‘Bug Bounty’ – which rewards people for identifying software problems – for years. It continuously upgrades its products and software, and is so notoriously tight with money that employees expecting a deep staff discount on products are in for a surprise. In short: DJI would not deliberately ignore software issues that are likely to hurt its reputation and earnings. And – especially with its Bug Bounty program – would never intentionally insert malicious code when it’s likely to be immediately discovered and outed.
So to us, it just doesn’t make sense. And, when you look at some of the other pieces floating around this story, there’s potential here for a very different narrative.
Hey – if you still have concerns that’s your business. If any of the issues Synacktiv identified concern you, its blog recommends the following measures:
“To mitigate the risks presented in this blogpost, we recommend to keep the application updated, and to check that the update comes from the official Google Play Store.”
More to come
This story isn’t going away anytime soon. When there are further developments, we’ll cover them.
Note: This story has been slightly updated to include DJI’s response, and delete statements indicating DroneDJ was still awaiting DJI’s response.