Popular Chinese-made drone found to have security weakness
Cybersecurity researchers revealed on Thursday a newly discovered vulnerability in an app that controls the world’s most popular consumer drones, threatening to escalate mounting tensions between China and the United States.

In two reports, investigators argued that an application in Google’s Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers around the world use the app to pilot their camera-mounted, rotor-powered aircraft.

DJI, the world’s largest manufacturer of commercial drones, is increasingly in the sights of the United States government, as are other successful Chinese companies. The Pentagon has banned the use of its drones, and in January the Interior Department decided to keep its fleet of the company’s drones grounded over security concerns. DJI said the decision was political and not based on software vulnerabilities.

For months, US government officials have escalated warnings that the Chinese government could exploit weaknesses in technology products, or compel companies there to hand over information about US users. According to the US authorities, Chinese companies must comply with any government request to release data.

“Chinese law requires all Chinese technology companies to provide the Chinese authorities with the information they obtain, or the information stored on their networks, if they so request,” said William R. Evanina, director of the National Counterintelligence and Security Center. “All Americans should be concerned that their images, biometric and location data and other data stored in Chinese applications should be turned over to the Chinese state security apparatus.”

The drones’ vulnerability, US officials said, is the type of security hole that worries Washington.

The security research companies that documented it, Synacktiv, based in France, and GRIMM, located outside of Washington, found that the app not only collected information from phones, but that DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.

The changes are also difficult for users to review, the researchers said, and even when the app appears to be closed, it awaits instructions from afar, they found.

“The phone has access to everything the drone does, but the information we are talking about is information from the phone,” said Tiphaine Romand-Latapie, an engineer at Synacktiv. “We don’t see why DJI would need that data.”

Ms. Romand-Latapie acknowledged that the security vulnerability did not amount to a back door or a flaw that allowed hackers to access a phone.

DJI says its app forces updates on users to stop enthusiasts trying to hack the app to bypass government-imposed restrictions on where and how high a drone can fly.

“This security feature in the Android version of one of our recreational flight control applications prevents anyone from trying to use a hacked version to override our security features, such as altitude limits and geofencing,” said Brendan Schulman, a DJI spokesman, in a statement. “If a pirated version is detected, users are asked to download the official version from our website.” He added that the function was not present in the software used by governments and companies.

Neither Synacktiv nor GRIMM disclose their clients, but both have worked for aerospace companies and drone manufacturers that could compete with DJI.

A Google spokesperson said the company was investigating the claims in the new reports. Synacktiv did not find the same vulnerability in the drone maker’s iPhone app; Apple’s App Store is available in China.

“This research is a good reminder that organizations must pay attention to the risks associated with the various technologies they are using for operations,” said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency.

Some of the privacy concerns about the drones are common to many apps that collect far more information than consumers may realize. But other potential vulnerabilities described by the researchers stem from attempts to bridge radically different Internet environments: China, where the government can demand user data with near impunity, and elsewhere, such as the United States, where broader legal protections exist.

For example, DJI’s direct update path for the Android app was likely designed as a workaround for Chinese policies that block Google in China, forcing companies to distribute Android app updates themselves. App makers in China must rely on a chaotic and competitive set of websites and app stores to bring their products to consumers. Under such limitations, updates are not easy, and some companies build software that can update itself directly when needed.

Much of the technical data the app collects reflects the Chinese government’s surveillance practices, which require phones and drones to be tied to the user’s identity.

Such features look more like vulnerabilities in places like the United States. And with ties between the United States and China at their lowest point in decades, Washington has taken an increasingly dim view of such problems, assuming that if Beijing can exploit a technological weakness, it eventually will.

An icon of Chinese innovation, as well as a long-standing security concern in the United States, DJI has struggled to allay concerns about the security of its drones, which film movies, protect power plants, count wildlife and help the military and the police. For years, it has repeatedly responded to reports of vulnerabilities with patches and has worked closely with the United States government to quell other fears.

Still, security researchers at Synacktiv said the pattern of problems in DJI’s code, and the speed with which fixes were implemented, suggested that the company was already aware of some of the problems but had not fixed them, which was also a cause for concern.

“It is the mix of everything that has made us suspicious,” said Ms. Romand-Latapie. “It makes the application quite dangerous for the user if they are not aware of what the application is capable of doing.”

Synacktiv did not identify any malicious payloads, but simply raised the possibility that the drone app could be used that way.

An analysis of the software by The New York Times confirmed the functionality. An attempt to update the application directly from DJI’s servers returned a message stating that the phone The Times used “was not eligible for an update package.”

While the federal government has stopped using Chinese-made drones, state and local governments continue to use them, although they do have the option of using a professional version of the app that has additional security measures.

Lin Qiqing contributed reporting.