DJI Assertion On Latest Studies From Safety Researchers – Drones Information
DJI takes the security of its apps and the protection of customer data seriously. While these researchers discovered two hypothetical vulnerabilities in one of our recreational apps, nothing in their work is relevant to, or contradicts, reports by the U.S. Department of Homeland Security, Booz Allen Hamilton and others who found no evidence of unexpected data transfer connections from DJI’s apps for government and professional customers.
These researchers found typical software problems without evidence that they were ever exploited. The app update feature described in these reports serves the very important security goal of reducing the use of hacked apps that are designed to override our geofencing or altitude limiting features. As the only major drone maker with a bug bounty program, we encourage all researchers to responsibly report security concerns about our products at security.dji.com.
We develop our systems so that DJI customers have full control over how or whether to share their photos, videos and flight logs, and we support the creation of industry standards for drone data security that provide protection and trust to all drone users.
We hope these details provide more context to understand these reports:
- If our systems determine that a DJI app is not the official version – for example, if it has been modified to remove important flight safety features such as geofencing or altitude restrictions – we will notify the user and ask them to download the latest official version of the app from our website. In future versions, users will also be able to download the official version from Google Play, if it is available in their country. If users do not agree, their unauthorized (hacked) version of the app will be deactivated for security reasons.
- Since our leisure customers often want to share their photos and videos with friends and family on social media, DJI integrates our consumer apps into the leading social media websites via their native SDKs. We must direct questions about the security of these SDKs to their respective social media services. However, please note that the SDK will only be used if our users proactively enable it.
- DJI GO 4 cannot restart without user input, and we are investigating why these researchers claim this. We have so far not been able to replicate this behavior in our tests.
- The hypothetical vulnerabilities described in these reports are best characterized as potential bugs that we proactively identified through our Bug Bounty program, in which security researchers responsibly disclose security issues they discover in exchange for payments of up to $30,000. Since all DJI flight control apps are designed for use in any country, we have been able to improve our software thanks to the contributions from researchers around the world that appear on this list.
- The MobTech and Bugly components identified in these reports were previously removed from DJI flight control apps after previous researchers identified potential vulnerabilities in them. Again, there is no evidence that they have ever been exploited, and they have not been used in DJI’s flight control systems for government and professional customers.
- The DJI GO 4 app is mainly used to control our recreational drone products. DJI’s drone products developed for government agencies do not transfer data to DJI and are only compatible with a non-commercial version of the DJI Pilot app. The software for these drones is only updated through an offline process. This means that this report is not relevant to drones that are intended for sensitive government use. A recent Booz Allen Hamilton safety report has examined these systems and found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party.
- DJI has long called for the creation of industry standards for drone data security. We hope this process continues to provide reasonable protection to drone users with security concerns. If this type of security function is a problem, it should be covered in objective standards that can be set by customers. DJI is committed to protecting drone user data. For this reason, we develop our systems so that drone users have control over whether they share data with us. We are also committed to security and try to contribute technology solutions to the security of the airspace.