DJI Assertion On Additional Deceptive Claims About App Safety – Drones Information
Today’s report on DJI software from the digital security firm Synacktiv contains more inaccuracies and misleading statements about how our products work, following similar reports released last week. We want to make it clear that DJI products protect user data; that DJI, like most software companies, constantly updates products when real and perceived vulnerabilities emerge; and that there is no evidence that any of the hypothetical vulnerabilities reported by Synacktiv have ever been exploited. In this post, we’ll look at Synacktiv’s new report.
False statement by Synacktiv regarding the Weibo SDK
The DJI Pilot app for Android, which is available on both the DJI website and the Google Play Store, does not include a software development kit (SDK) for connecting to Weibo. This statement by Synacktiv is wrong. In fact, no versions of the DJI Pilot app have a feature that allows users to share data with Weibo.
Synacktiv’s misleading claims regarding automatic updating of DJI Pilot
The DJI Pilot app for Android available in the Google Play Store only updates the official versions downloaded from the Google Play Store. The user is prompted to update in a pop-up window, and the app is only updated if the user agrees. For customers who operate our products in countries where the Google Play Store is not available, the app and app updates are available on our website. The headline, summary, and first half of the Synacktiv report are deliberately misleading, as they fail to note that this mechanism is limited to the website version of the DJI Pilot app and does not affect anyone using the DJI Pilot app through Google Play.
Synacktiv’s incomplete understanding of DJI’s geofencing system
The DJI Pilot app includes a feature called Local Data Mode, which allows the user to disconnect from the internet once the setting is activated in the app. In addition to improving data security, this feature blocks the drone’s ability to update flight security restrictions and blocks the user’s ability to “unlock” some geofenced areas. However, Synacktiv seems to misunderstand the function of DJI’s geofencing security system and the many other unlocking methods available to customers. For example, government agencies can participate in our Qualified Business Program, which unlocks the entire region they request without having to connect to the Internet after initial activation. In addition, our Government Edition drones have no geofencing at all. DJI users know these restrictions and plan in advance when and how they can lift geofencing flight restrictions if necessary.
As with automatic updates, these features are implemented for purposes that benefit the public by improving airspace security while using our products. The important security role of geofencing has been recognized by the Drone Advisory Committee of the United States Federal Aviation Administration (FAA); the Airports International Council-North America and the Association for Unmanned Vehicle Systems International joint blue ribbon task force for airport abatement; and the joint FAA and industry unmanned aircraft security team. No other company has done as much as DJI to proactively improve the safety of drone operations. We are dismayed that security features have once again been misunderstood by researchers who are apparently unfamiliar with how drone technology works, and misunderstood as hypothetical security threats.
DJI fixed the previously reported issues immediately
While Synacktiv’s exaggerated and misleading first safety report was quoted in the New York Times, a serious examination of its work shows that it is not enough. DJI immediately updated the DJI GO 4 Android app on July 31 to address the earlier hypothetical concerns that Synacktiv noted regarding the DJI GO 4 app. The Weibo SDK was removed, and automatic security-related updates were directed to the Google Play Store rather than to our website.
DJI remains the only drone manufacturer whose products have been successfully evaluated in publicly available reports by several independent government and private institutions. DJI remains the only drone maker to have developed a bug bounty program to actively promote responsible vulnerability disclosure and pay rewards to those who find vulnerabilities.
For more information on DJI’s robust security protection, see our response to the original allegations at this link: https://www.dji.com/newsroom/news/dji-statement-on-recent-reports-from-security-researchers