Dell Cameron* says the world’s largest consumer drone maker has been put on the defensive over concerns its applications may be transmitting sensitive user data to China.
The world’s largest consumer drone maker is pushing back amid swelling concerns that its applications may be insecure, as well as rumours that it may be transmitting sensitive user data to China, where the company was founded more than a decade ago.
Amid increasing fears about Chinese companies operating overseas, last week China-based drone manufacturer DJI began circulating the summary findings of San Francisco-based Kivu Consulting, Inc., which DJI contracted to offer an independent analysis of its data and security practices in the hope of quelling those concerns.
Gizmodo has learned, however, that DJI had been privately sharing — including among some US military officials — what it called the “preliminary conclusions” of Kivu’s independent research since at least February.
Prematurely releasing the positive results of an ongoing forensic analysis is out of the ordinary, to say the least.
Having cornered the consumer drone market for several years running, DJI was forced onto a defensive footing last year after the US Army ordered its troops to cease all use of DJI applications in a vaguely worded memo citing classified research into potential “cyber vulnerabilities”.
China-based technology companies have come under increasing scrutiny over the past year.
Several US companies have cancelled deals with Huawei, a Chinese phone manufacturer, and DJI, Huawei and ZTE have also been the subject of concern regarding security in Australia.
These moves follow a late-2017 internal memo from the US Department of Homeland Security that warned DJI’s commercial drones — a growing sector of the company’s business — could potentially gather intelligence for China’s Government.
DJI called the memo’s findings “profoundly wrong” and said they were “based on clearly false and misleading claims”.
DJI gave Gizmodo access to the full 27-page report under the condition that it not be published in full.
The Kivu report, which contains detailed observations covering DJI’s handling of data storage, flight logs and personally identifiable information, largely absolves the company of the allegations that it mishandles user data, though it appears to gloss over some of the prior issues highlighted by researchers.
“Kivu’s analysis of the drones and the flight control system … concluded that users have control over the types of data DJI drones collect, store and transmit,” said Douglas Brush, Director of Kivu’s cybersecurity investigations.
For its analysis, Kivu says it purchased four models for testing (as opposed to being provided drones by DJI), including a DJI Spark, DJI Mavic, DJI Phantom 4 Pro and DJI Inspire 2.
Both the Android and Apple iOS versions of the GO 4 mobile app were obtained independently via their app stores.
Notably, Kivu reports that DJI collects no personally identifiable information (PII) about its customers, beyond an email address and phone number, which can be easily faked.
The company apparently makes no attempt to validate this information.
“[U]sers may enter any information they choose to anonymise themselves, with no impact on drone use or operation,” the report states.
Much of the data that users would find sensitive is shared on an opt-in basis, including media files and flight logs shared with the company.
Diagnostic data and location checks, whereby DJI checks for “No Fly Zones” (NFZ), are enabled by default and require users to opt out.
Notably, NFZ data is not precise with regard to location.
The initial location check data, compared against an NFZ database containing information about areas where drone flight is prohibited (that is, airports, military bases and so on), is only accurate down to roughly a 10 km radius, Kivu found.
(Independent drone researchers dispute this detail, however.)
For whatever reason, Kivu only briefly mentions that when the Go 4 application is launched, a file is sent from the user’s phone to an Alibaba server located in San Mateo, California, containing details about the operating system of the user’s mobile device and the SSID (or name) of the connected Wi-Fi network.
Kivu researchers found that DJI’s GO 4 app did communicate with servers in China through Bugly, an app used to report crashes.
Files within a database named “Bugly_db_” include a table that “contained the last IP address the mobile device was connected to, along with the International Mobile Equipment Identity (‘IMEI’) of the mobile device”.
Strangely, unlike other areas of the report, Kivu does not specifically identify the locations of the Chinese Bugly servers.
Kevin Finisterre, a long-time penetration tester with Netragard, told Gizmodo Kivu’s report “completely glosses over” concerns about DJI’s app.
“The snapshot in time that the paper is based on does not in any way address the realm of possibilities last year,” said Finisterre, who also works as a senior threat engineer for Department 13, which makes counter-drone technologies.
As reported by The Register in August, DJI’s Go app previously contained a framework that allowed DJI to make “substantial changes” to the app without triggering a review by Apple.
According to Finisterre, the hot-patch mechanism would have allowed DJI to covertly update the app without first seeking user consent, a critical security flaw.
A DJI spokesperson told Gizmodo by email that the data breach it suffered last year and the prior hot-patching issues were not mentioned in the report because those issues had been previously addressed by the company.
“The security researcher you quoted has not identified any problems with Kivu’s report, but apparently is flagging issues that were both raised and resolved last year,” the spokesperson said.
Further, the spokesperson intimated that DJI’s customers are not concerned about security issues that affected the company as recently as five months ago.
“The report is based on the most current drones and apps available when Kivu did their work,” he said. “That’s what our customers want to know about. This report answers their questions and addresses their concerns.”
“Contrary to [Finisterre’s] claims, DJI has been very clear that we improved our security systems last year in response to flaws identified in our SSL certificate and our AWS server controls,” the spokesperson said.
* Dell Cameron covers privacy and security for Gizmodo. He tweets at @dellcam.
This article first appeared at www.gizmodo.com.au.