Drone giant DJI has responded to a study that revealed significant security flaws in the firmware controlling four of its models by offering assurances it had been informed of the gaps and moved to eliminate them before the German researchers behind the discovery released their findings.
As DroneDJ reported, researchers at Ruhr University Bochum’s Horst Görtz Institute for IT Security conducted experiments that ultimately allowed them to override various security measures in the firmware of four popular DJI drones. One of the flaws could allow third-party attackers to determine the exact location of pilots operating compromised UAVs, while others allowed key elements intended for remote identification of the craft by authorities to be altered – including serial numbers.
Those findings arose from the team subjecting the DJI drones – a Mini 2, Mavic Air 2, Mavic 2, and Mavic 3 – to fuzzing experiments, during which the crafts’ firmware was bombarded with streams of random or malformed inputs that provoked crashes or altered behaviour. The researchers then identified the resulting changes that represent potential security vulnerabilities, including falsified UAV identification data and the ability to locate the pilot.
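To illustrate the fuzzing technique the paragraph describes, here is an added, self-contained example; it is not the Bochum team's harness and does not model DJI's firmware or protocol. It uses a constructed toy message format (magic byte, declared length, payload, checksum) with a deliberately buggy handler that trusts the declared length, feeds it mutated variants of a valid seed message, and classifies each outcome as a clean rejection, an acceptance, or a crash (any exception other than the handler's own error type, standing in for an unhandled fault in firmware). A hardened handler is included so the same fuzz loop can confirm the fix.

```python
import random


class ParseError(Exception):
    """Expected rejection of a malformed message (the handler's normal error path)."""


def checksum(data: bytes) -> int:
    return sum(data) & 0xFF


def build_message(cmd: int, args: bytes) -> bytes:
    """Encode a constructed frame: 0x55 | payload length | payload (cmd + args) | checksum."""
    payload = bytes([cmd]) + args
    return bytes([0x55, len(payload)]) + payload + bytes([checksum(payload)])


def parse_message(msg: bytes) -> dict:
    """Toy handler with a deliberate bug: it indexes using the declared length without
    checking that the frame is actually that long, so a truncated or length-corrupted
    frame raises IndexError instead of being rejected cleanly."""
    if len(msg) < 3 or msg[0] != 0x55:
        raise ParseError("bad header")
    length = msg[1]
    if length == 0:
        raise ParseError("empty payload")
    payload = msg[2:2 + length]
    chk = msg[2 + length]          # IndexError when len(msg) < 3 + length
    if checksum(payload) != chk:
        raise ParseError("bad checksum")
    return {"cmd": payload[0], "args": payload[1:]}


def parse_message_fixed(msg: bytes) -> dict:
    """Hardened handler: validates the declared length against the real frame size."""
    if len(msg) < 3 or msg[0] != 0x55:
        raise ParseError("bad header")
    length = msg[1]
    if length == 0:
        raise ParseError("empty payload")
    if len(msg) < 3 + length:
        raise ParseError("truncated frame")
    payload = msg[2:2 + length]
    if checksum(payload) != msg[2 + length]:
        raise ParseError("bad checksum")
    return {"cmd": payload[0], "args": payload[1:]}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: bit flip, interesting byte, truncate, insert, or replace."""
    b = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and b:
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        b[rng.randrange(len(b))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    elif op == 3:
        i = rng.randrange(len(b) + 1)
        b[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    else:
        b = bytearray(rng.randrange(256) for _ in range(rng.randrange(0, 24)))
    return bytes(b)


def fuzz(seeds, handler, iterations=5000, seed=1):
    """Mutate seed frames and feed them to `handler`. Returns outcome counts and the
    first input that triggered each distinct crash type (keyed by exception name)."""
    rng = random.Random(seed)
    stats = {"accepted": 0, "rejected": 0, "crashed": 0}
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(seeds))
        try:
            handler(data)
            stats["accepted"] += 1
        except ParseError:
            stats["rejected"] += 1
        except Exception as exc:      # anything unexpected counts as a crash
            stats["crashed"] += 1
            crashes.setdefault(type(exc).__name__, data)
    return stats, crashes


if __name__ == "__main__":
    seeds = [build_message(0x01, b"abc"), build_message(0x02, b"\x00\x01")]  # constructed seeds
    for name, handler in (("buggy", parse_message), ("fixed", parse_message_fixed)):
        stats, crashes = fuzz(seeds, handler)
        print(name, stats, {k: v.hex() for k, v in crashes.items()})
```

The buggy handler yields IndexError crashes within a few hundred iterations (truncation and corruption of the length byte both reach the faulty index), while the hardened handler only ever rejects cleanly; in a real campaign the crash inputs are the seeds for root-cause analysis.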
“An attacker can thus change log data or the serial number and disguise their identity,” said lead researcher Thorsten Holz of the tests. “Plus, while DJI does take precautions to prevent drones from flying over airports or other restricted areas such as prisons, these mechanisms could also be overridden.”
Not anymore, it would seem.
Today, DJI responded to the considerable media coverage the study had attracted by assuring users it had already taken steps to fix the potential firmware weaknesses. In doing so, it noted that Holz and his team had – as they stated in their report – alerted the company’s Bug Bounty program to their findings prior to releasing them, so that remedial measures could be taken by DJI.
This morning the company said it did just that, providing background on its firmware development – but without actually explaining the origins of the flaws.
“The Drone ID solution that DJI designed a few years ago was aligned with regulatory Remote ID solutions in many jurisdictions, including the United States and the European Union, which have adopted these as mandatory requirements as a new industry standard,” DJI said in a tweet today. “We also recognize the heightened expectation of data security in recent years… Safety is DJI’s top priority. We will evaluate international safety and legal requirements for Remote ID and explore possible solutions in the future.”