Cybersecurity vulnerabilities in an Android app that powers the Chinese DJI drone could help the Chinese government scoop up reams of information. However, there’s no proof the app has been used to steal any information so far or to hand anything over to Beijing.
The vulnerability could allow DJI, the world’s largest drone maker, or anyone with access to its computer systems, to collect information from the microphones, cameras, contacts and even locations of hundreds of thousands of drone owners worldwide, two independent cybersecurity firms, Grimm and Synacktiv, found.
After reverse-engineering the DJI Go 4 app, the security firms found that the software at best violates Google’s Play Store policies, and at worst, could have been used to spy on the company’s users, androidauthority.com reports.
The problematic behavior is only present in the Android app used by consumer drone owners, not in the version used by companies and government agencies. It is also not present in the iPhone version of the app.
DJI is reportedly also able to send automatic updates to the apps without Google or the drone owner consenting or even necessarily knowing the app is being updated, researchers found. Theoretically that update function could be used to load the phones with malware that could send troves of data back to China, they said, according to washingtonpost.com.
The alarm comes as DJI is already under intense scrutiny by China hawks and some U.S. officials. The Pentagon banned the company’s drones in 2017 over spying concerns, and the Interior Department grounded its fleet of about 800 DJI drones in January. U.S. lawmakers are seeking to ban them across the rest of the federal government and to root them out from state and local governments as well.
A DJI spokesman told the New York Times the auto update feature is there to ensure drone hobbyists don’t hack the system so they can break government rules about where they can fly drones and how high.
The allegations come against the backdrop of the argument that Chinese companies are effectively arms of the government and would be powerless to refuse an order from Beijing to turn over sensitive data.
The Department of Homeland Security and the National Security Agency issued a joint alert warning that adversaries are eager to attack the Internet-connected components of critical industries such as energy plants and defense contractors. They advised that owners and operators of critical infrastructure OT and control system assets be aware of current threats, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.