Skip to main content

DJI says it fixed drone firmware security flaws before publication of research revealing them

Drone giant DJI has responded to a study that revealed significant security flaws in the firmware controlling four of its models by offering assurances it had been informed of the gaps and moved to eliminate them before the German researchers behind the discovery released their findings.

As DroneDJ reported, researchers at Ruhr University Bochum’s Horst Görtz Institute for IT Security conducted experiments that ultimately permitted them to over-ride various security measures in the firmware of four popular DJI drones. One of those could allow third-party hackers to determine the exact location of pilots operating compromised UAVs, while others resulted in key elements intended for remote craft identification use by authorities being altered – including serial numbers.

Read moreGerman research finds security flaws in four leading DJI drones

Those findings arose from the team submitting the DJI drones – a Mini 2Mavic Air 2Mavic 2, and Mavic 3 ­– to fuzzing experiments, during which the crafts’ firmware were bombarded by streamed random data inputs that provoked crashes or altered functioning. The researchers then identified modifications that included inaccurate UAV identification, and pilot localization capabilities representing potential security vulnerabilities.

“An attacker can thus change log data or the serial number and disguise their identity,” said lead researcher Thorsten Holz of the tests. “Plus, while DJI does take precautions to prevent drones from flying over airports or other restricted areas such as prisons, these mechanisms could also be overridden.” 

Not anymore, it would seem. 

Today, DJI responded to the considerable media coverage the study had attracted by assuring users it had already taken steps to fix the potential firmware weaknesses. In doing so, it noted Holz and his unit had – as they stipulated in their report – alerted the company’s Bug Bounty program of their findings prior to releasing them so remedial measures could be taken by DJI. 

This morning the company said it did just that, providing background to its firmware development – but without actually explaining the origins of the flaws.

“The Drone ID solution that DJI designed a few years ago was aligned with regulatory Remote ID solutions in many jurisdictions, including the United States and the European Union, which have adopted these a mandatory requirements as a new industry standard,” DJI said in a tweet today. “We also recognize the heightened expectation of data security in recent years… Safety is DJI’s top priority. We will evaluate international safety and legal requirements for Remote ISD and explore possible solutions in the future.”

FTC: We use income earning auto affiliate links. More.

You’re reading DroneDJ — experts who break news about DJI and the wider drone ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow DroneDJ on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel.

Comments

Author

Avatar for Bruce Crumley Bruce Crumley

Bruce Crumley is journalist and writer who has worked for Fortune, Sports Illustrated, the New York Times, The Guardian, AFP, and was Paris correspondent and bureau chief for Time magazine specializing in political and terrorism reporting. He splits his time between Paris and Biarritz, and is the author of novel Maika‘i Stink Eye.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications