DJI denies allegations that its Android “Pilot” app has security issues that could compromise user data. The company released a statement overnight refuting each of the allegations made yesterday morning in the blog of French tech firm Synacktiv.
The allegations were released yesterday morning. They were similar to allegations released about one week earlier against the Android version fo DJI’s popular GO 4 app (which DJI also refuted). A problem For DJI yesterday was the 12-hour difference in time zones between New York and Shenzhen. A PR firm promoting the Synactiv findings emailed a number of news outlets shortly before 9:00 am. That means, of course, that it was night-time in Shenzhen. Engineers would be at home, wrapping up their days. They would have to be roused to investigate what merit, if any, there might be to Synacktiv’s claims.
After investigating the various claims, which we wrote about here, DJI released this statement. We quote it in its entirety:
DJI Statement On Further Misleading Claims About App Security
Today’s report from the Synacktiv digital security firm about DJI software includes further inaccuracies and misleading statements about how our products work, following similar reports from them last week. We want to make clear that DJI’s products protect user data; that DJI, like most software companies, continually updates products as real and perceived vulnerabilities come to light; and that there is no evidence that any of the hypothetical vulnerabilities reported by Synacktiv have ever been exploited. In this post, we will address Synacktiv’s new report.
Synacktiv’s False Claim Concerning Weibo SDK
The DJI Pilot app for Android available from both the DJI website and the Google Play store do not integrate a software development kit (SDK) to connect with Weibo. This claim by Synacktiv is false. In fact, no versions of the DJI Pilot app have any function for users to share data to Weibo.
Synacktiv’s Misleading Claims Concerning DJI Pilot Auto-Updates
The DJI Pilot app for Android that is available on the Google Play store only updates to official versions downloaded from the Google Play store. The user is prompted to update in a pop-up window, and the app will not update unless the user agrees. For customers who operate our products in countries where the Google Play store is not available, the app and app updates are made available on our website. The headline, summary, and first half of Synacktiv’s report are intentionally misleading because they fail to note that this mechanism is limited to the website version of the DJI Pilot app only, and does not affect anyone who obtains the DJI Pilot app from the Google Play store.
Synacktiv’s Incomplete Understanding of DJI’s Geofencing System
The DJI Pilot app includes a feature called Local Data Mode that allows the user to sever the connection to the internet as soon as the setting is turned on in the app. In addition to enhancing data security assurance, this feature blocks the drone’s ability to update flight safety restrictions and blocks the user’s ability to “unlock” some geofenced areas. However, Synacktiv appears to misunderstand the function of DJI’s geofencing safety system and the many other available methods for customers to unlock. For example, government agencies can participate in our Qualified Entities Program which unlocks the entire region they request, with no need to connect to the internet after initial activation. Also, our Government Edition drones have no geofencing at all. DJI users understand these limitations and plan ahead for when and how to unlock geofencing flight restrictions, if needed.
As with automatic updates, these features are implemented for purposes that benefit the public by enhancing airspace safety during the use of our products. The important safety role of geofencing has been recognized by the U.S. Federal Aviation Administration’s (FAA) Drone Advisory Committee; the Airports International Council-North America and Association for Unmanned Vehicle Systems International joint Blue Ribbon Task Force on Airport Mitigation; and the FAA-industry joint Unmanned Aircraft Safety Team. No other company has done as much as DJI to proactively enhance the safety of drone operations. We are dismayed that safety features have again been misunderstood and misconstrued as hypothetical security threats by researchers who are evidently unfamiliar with the operation of drone technology.
DJI Immediately Remediated The Prior Reported Issues
While Synacktiv’s exaggerated and misleading initial report on security was cited in the New York Times, a serious examination of their work shows it falls short. DJI promptly updated the DJI GO 4 Android app July 31 to address the earlier hypothetical concerns Synacktiv noted about the DJI GO 4 app, removing the Weibo SDK and directing automatic safety-related updates to the Google Play store rather than our website.
DJI remains the only drone manufacturer to have its products successfully evaluated in publicly-available reports by multiple independent government and private institutions. DJI also remains the only drone manufacturer to have created a Bug Bounty Program to actively solicit responsible disclosure of security vulnerabilities and pays rewards to the researchers who find them.
For further details on DJI’s robust security protections, please refer to our response to the original allegations at this link: https://www.dji.com/newsroom/news/dji-statement-on-recent-reports-from-security-researchers
These exposés about DJI software – two within as many weeks and by the same accuser – have a somewhat corporate feel. Someone paid Synacktiv to look into the code. And someone paid a PR firm to shop around the latest Synacktiv blog. These two things didn’t just happen.
Does this mark a new phase in competitive marketing? If so, it’s a bit like those negative ad campaigns that sully political competitions. DJI also faces an unnamed accuser, who appears to simply be paying a research firm.
Our view? It’s not a great look. If this is part of some company’s marketing efforts, we encourage you to focus on the capabilities of your own product. There’s enough confusion in the world today.
You’ll find DJI’s statement here.
FTC: We use income earning auto affiliate links. More.