Cybersecurity researchers reveal security flaws in Chinese drone-maker DJI's Android app
DJI, which stands for Dà-Jiāng Innovations, is a world-leading manufacturer of commercial unmanned aerial vehicles (commonly known as “drones”) for aerial photography and videography. It also designs and manufactures camera gimbals, action cameras, camera stabilizers, flight platforms, propulsion systems, and flight control systems.
DJI is the dominant market leader in the civilian drone industry, accounting for over 70 percent of the world’s drone market. Its camera drone technology has been used widely for the music, television, and film industries. The company’s products have also been used by militaries and police forces, as well as terrorist groups, with the company taking steps to limit access to the latter.
Cybersecurity researchers have revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI). The app comes with an auto-update mechanism that bypasses the Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI’s servers.
According to the reports, DJI’s GO 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, and the serial number of the SIM card), it also makes use of anti-debug and encryption techniques to thwart security analysis.
According to researchers, the four main causes of concern within the DJI GO 4 application are as follows:
- The application contains a self-update feature that bypasses the Google Play store.
- The application contains the ability to download and install arbitrary applications (with user approval) via the Weibo SDK. During this process, the Weibo SDK also collects the user’s private information and transmits it to Weibo.
- Prior to version 4.3.36, the application contained the Mob SDK, which collects the user’s private information and transmits it to MobTech, a Chinese analytics company.
- The application restarts itself when closed via the Android swipe-to-close gesture. Thus, users may be tricked into thinking the application is closed, while it is still running in the background and sending telemetry requests.
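The four behaviours above each depend on permissions an app must declare in its manifest, which gives a defender a quick first triage step. The following is an added example (not code from GRIMM, Synacktiv or DJI) that audits a decoded AndroidManifest.xml for those permissions; the sample manifest is constructed for illustration, and the permission-to-behaviour mapping is this example's own assumption about which declarations typically back each behaviour.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from declared permission to the behaviour it typically enables.
# READ_PHONE_STATE gates IMEI/IMSI/SIM-serial reads on Android 6 to 9;
# REQUEST_INSTALL_PACKAGES gates the "Install Unknown Apps" prompt (API 26+);
# the last two are common building blocks of an app that relaunches itself.
WATCHLIST = {
    "android.permission.READ_PHONE_STATE": "device identifier collection (IMEI/IMSI/SIM serial)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing APKs outside the Play Store",
    "android.permission.RECEIVE_BOOT_COMPLETED": "background persistence / auto-restart",
    "android.permission.FOREGROUND_SERVICE": "long-running service after the UI is dismissed",
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of <uses-permission> names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def audit(manifest_xml: str) -> Dict[str, str]:
    """Map each watch-listed permission the app declares to the behaviour it enables."""
    found = declared_permissions(manifest_xml)
    return {perm: why for perm, why in WATCHLIST.items() if perm in found}


# Constructed sample manifest (not DJI's). For a real APK, decode it first,
# e.g. with apktool, since the manifest inside the APK is binary XML.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.drone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Drone"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in audit(SAMPLE_MANIFEST).items():
        print("%s: %s" % (perm, why))
```

A declared permission is only a lead: confirm the behaviour with traffic capture or dynamic analysis, as the researchers did, before drawing conclusions.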
GRIMM’s researchers used two different set-ups to test these flaws: an ARM-based Android 6.0 Marshmallow (API 23) emulator, and two physical devices, a rooted Nexus 6 and an unrooted Motorola Moto 3G. They found that Android Studio can redirect all of the emulator’s traffic to an HTTP proxy, in this case Burp Suite, where requests can be captured and intercepted.
“We modified this request to trigger a forced update to an arbitrary application, which prompted the user first for allowing the installation of untrusted applications, then blocking him from using the application until the update was installed,” the researchers said.
Reverse engineering the app, Synacktiv said it uncovered the existence of a URL (“hxxps://service-adhoc.dji.com/app/upgrade/public/check”) that it uses to download an application update and prompt the user to grant permission to “Install Unknown Apps.”
According to The Hacker News, last May the DHS warned companies that their data may be at risk if they use commercial drones manufactured in China, and that such drones “contain components that can compromise your data and share your information on a server accessed beyond the company itself.”