For the last year or so, security researcher and drone enthusiast Kevin Finisterre has been taking apart DJI's software and looking for vulnerabilities.
In May, Finisterre presented what he saw as suspicious behaviour in DJI's software and possible security concerns. Shortly after, in a memo dated this August, the US Army asked its members to stop using DJI drones, citing concerns over cyber vulnerabilities. A later story clarified that the Army would continue using DJI equipment if the company's software could pass a security check. "Some people think that was triggered by my talk," says Finisterre, who spoke with The Verge by phone earlier this week.
DJI – Dà-Jiāng Innovations
DJI is the world’s most successful consumer drone company, estimated to control around two-thirds of the market for drones that cost $5,000 or less. DJI’s rise to the top has been rapid: in five years, the company has gone from supplying parts to hobbyists to selling devices to Hollywood cinematographers, Fortune 500 companies, and law enforcement agencies. Over the past six months, however, concerns have emerged regarding the security and privacy of the millions of photos, videos, and flight logs that those DJI drones collect. And now DJI is doing damage control.
The security weakness Finisterre identified is tied to two pieces of third-party code, Tinker (on Android) and JSPatch (on iOS), which are used for so-called "hotpatching": a mechanism that lets DJI's mobile app download and execute new code at runtime without going through the official app store update process. The trade-off is that hotpatched code is never reviewed by an app store security team, and users may not even be aware that it has been applied. Hotpatching frameworks like JSPatch have previously been flagged as a risk that could let an attacker who controls or tampers with the patch delivery channel plant malware on mobile devices, and Apple has asked iOS developers not to use them.
In response to the Army's memo, DJI announced a number of new security initiatives and changes throughout August of this year. It plans to debut a local mode that turns off all data transfers between the drone and the cloud. It started a bug bounty program that will pay white-hat hackers like Finisterre who report bugs to the company, and it removed the two pieces of hotpatching code found by Finisterre. "We know that recent issues have created some concerns for our customers. These new steps, along with our recent announcement that we're creating a local data mode for our apps to stop any data transfer during operation, demonstrate that DJI takes these concerns seriously and is working to address them with substantive actions," the company said.
But conversation has continued to swirl on industry forums and websites about DJI's security practices. "People definitely have the pitchforks out," says Finisterre. In late August, SUAS News ran op-eds questioning the use of Chinese-made equipment by US government agencies and law enforcement. "The sheer scale of the threat posed by such a broad and deep espionage scheme should force all US companies and government actors to take this problem seriously," wrote Rob Thompson, a drone industry consultant.
Another SUAS op-ed, this one by drone pilot Kevin Pomaski, included the wild claim that “just by creating a personal account with DJI, you willingly provided many details about yourself. Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent.” Pomaski didn’t back this claim up with evidence.
Michael Murray, vice president of security intelligence at Lookout, says DJI will have to work harder than American companies to earn customers' trust in the US. "For the business community, there is a larger threat implied when the data is sent to China instead of say, Omaha. It's unfair, but that's the way things are." He says that the company's response so far, removing the hotpatching code and starting a bug bounty program, was the right one. What matters now is whether this kind of mistake happens again. "It means they need to be under increased scrutiny in the future. We're all going to watch them, so five years from now, they may become that company we can all trust."
Finisterre, for his part, says some of his research has been taken out of context. “There are a lot of people that have tried to use some of my quotes for evidence of malice. There are definitely no direct indicators of solid malice,” he says. What he sees is a company taking shortcuts in a rush to get products to market. DJI’s product cycle went from a new drone every year to every eight months, and most recently, every six months. All the while, it’s under increased scrutiny, as its hardware becomes commonplace in active combat zones. “Security is not in their wheelhouse,” Finisterre argued. “But I’m sure they are trying to change that.”
"Concerns about DJI's poor security practices are well founded, particularly in light of the Chinese government's demonstrated interest in collecting intelligence via all available means along with the ability of the government to influence Chinese firms' policies. However, attributing malicious intent seems unwarranted when the simpler, and much more common, scenario is a rush to market reducing any investment in good security design and development practices," said David Kovar, a longtime veteran of the search and rescue industry who now runs a consultancy with a focus on integrating drones into emergency services and law enforcement. "We've faced security concerns related to foreign, not just Chinese, products for decades. DJI drones are just the latest iteration, and certainly not the last. Applying sane, thoughtful, and often existing cyber security policies to this current risk enables organizations to build policies that will address current and future risks effectively and proactively rather than reactively."
First published at The Verge