A DJI Phantom 4 quadcopter drone.
Until recently, the Android version of DJI Go 4 – an app that allows users to control drones – secretly gathered sensitive user data, and it can download and execute code of the developer's choosing, according to researchers in two reports that call into question the security and trustworthiness of a program with more than 1 million Google Play downloads.
The app is used to control drones from China-based DJI, the world's largest maker of commercial drones, and to collect their video and flight data in real time. The Play Store shows more than 1 million downloads, but because of the way Google reports download counts, the true number could be as high as 5 million. The app has a rating of three and a half out of five stars from more than 52,000 users.
A wide range of sensitive user data
Security firm Synacktiv published its reverse engineering of the app two weeks ago. On Thursday, security firm Grimm released the results of its own independent analysis. Both found that, at a minimum, the app violated Google's terms and that until recently it collected a large amount of sensitive user data and sent it to servers in mainland China. In the worst case, the developers could misuse hard-to-detect features to spy on users.
Reported suspicious behaviors include:
- The ability to download and install applications of the developer's choosing, either through a self-update feature or through a special installer in a software development kit from the China-based Weibo social media platform. Both functions can fetch apps from outside of Play, in violation of Google's terms.
- A recently removed component that captured a variety of phone data, including IMEI, IMSI, carrier name, SIM serial number, SD card information, operating system language, kernel version, screen size and brightness, wireless network name, address and MAC, and Bluetooth addresses. These and other details were sent to MobTech, maker of a software development kit that was used until the most recent version of the app.
- Automatic restarts when a user swipes the app closed. The restarts keep the app running in the background, where it continues to make network requests.
- Advanced obfuscation techniques that make third-party analysis of the app time-consuming.
This month's reports come three years after the U.S. Army banned the use of DJI drones for reasons that remain secret. In January, the Interior Department grounded drones from DJI and other Chinese manufacturers over concerns that data could be sent back to the mainland.
DJI officials said the researchers found "hypothetical vulnerabilities" and none of the reports provided evidence that they were ever exploited.
"The app update feature described in these reports serves the very important security goal of reducing the use of hacked apps that are designed to override our geofencing or height-limiting features," the statement said. Geofencing is a virtual barrier that keeps drones out of airspace restricted by the Federal Aviation Administration or other government agencies. Drones use GPS, Bluetooth and other technologies to enforce the restrictions.
A Google spokesman said the company is reviewing the reports. The researchers said that the iOS version of the app did not contain any obfuscation or update mechanisms.
Obfuscated, acquisitive and always on
DJI Go 4 for Android mimicked the behavior of botnets and malware in several ways. For example, both the self-update and auto-install components call a server specified by the developer and wait for commands to download and install code or apps. The obfuscation techniques closely resembled those malware uses to keep researchers from discovering its true purpose. Other similarities were the always-on behavior and the collection of sensitive data that was neither relevant nor necessary for the stated purpose of flying drones.
The behavior is compounded by the breadth of permissions the app requires, including access to contacts, microphone, camera, location and storage, and the ability to change network connectivity. Because of these far-reaching permissions, DJI's or Weibo's servers, both located in a country known for government-sponsored espionage hacking, had almost full control over users' devices, the researchers said.
Both research teams said they saw no evidence that the app installer was ever actually used, but they did see the automatic update mechanism trigger and a new version being downloaded and installed from the DJI server. The download URLs for both functions are generated dynamically, i.e., they are supplied by a remote server and can be changed at any time.
The researchers from both companies carried out experiments showing how both mechanisms can be used to install arbitrary apps. While the programs were delivered automatically, the researchers had to tap to approve the installation before the programs could be installed.
Neither report said the app was actually targeting individuals, and both found that the collection of IMSIs and other data ended with the release of the current version, 4.3.36. However, the teams did not rule out the possibility of malicious use. Grimm researchers wrote:
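The permission breadth and sideloading capability described above are visible before any reverse engineering, in the app's manifest. The following script is an added example, not code from either report or from DJI, Weibo or Google: it audits a decoded AndroidManifest.xml (assumed to have been extracted from the APK with a tool such as apktool) and reports which of the permission categories the researchers called out the app requests, whether it can read device identifiers such as the IMEI and IMSI, and whether it holds the permission needed to install packages from outside the Play Store. The category mapping and the sample manifest are this example's own constructions.

```python
"""Audit a decoded AndroidManifest.xml for the permission categories the reports
flag: broad access (contacts, microphone, camera, location, storage, network
control), device identifiers (IMEI/IMSI via READ_PHONE_STATE) and the ability
to install APKs fetched outside the Play Store.

Added example; assumes a manifest already decoded to plain XML (binary
manifests inside an APK must be decoded first, e.g. with apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission categories named in the reports; the mapping itself is this
# example's own and covers only the common permissions in each category.
CATEGORIES = {
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "network control": {"android.permission.CHANGE_NETWORK_STATE",
                        "android.permission.CHANGE_WIFI_STATE"},
    # READ_PHONE_STATE is what historically exposed IMEI/IMSI and SIM details.
    "device identifiers": {"android.permission.READ_PHONE_STATE"},
}

# Required on Android 8+ for an app to install APKs it downloaded itself.
SIDELOAD_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_manifest(manifest_xml):
    """Summarise which flagged categories the manifest requests.

    Returns a dict with the package name, the flagged categories that are
    present (mapped to the matching permissions), and whether the app can
    sideload packages. Absence of a category means none of its permissions
    were requested.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    categories = {}
    for category, names in CATEGORIES.items():
        hits = sorted(perms & names)
        if hits:
            categories[category] = hits
    return {
        "package": root.get("package"),
        "categories": categories,
        "can_sideload": SIDELOAD_PERMISSION in perms,
    }


# Constructed sample manifest for a hypothetical drone-control app; it is not
# DJI Go 4's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.droneapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Drone Controller"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"])
    for category, names in report["categories"].items():
        print(f"  {category}: {', '.join(names)}")
    print("can install packages from outside Play:", report["can_sideload"])
```

A manifest audit shows only what an app could access, not what it does with it; the data-collection and self-update findings in the reports came from reverse engineering the code paths behind these permissions. It is still a useful first filter: a drone-control app that asks for contacts and phone-state access and the right to install packages warrants a closer look.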
At best, these functions are only used to install legitimate versions of applications that may be of interest to the user, e.g., to suggest additional DJI or Weibo applications. In this case, it is far more common to display the additional application in the Google Play Store app by linking to it from your application. If the user wishes, they can install the application directly from the Google Play Store. Likewise, the self-updating components may only be used to provide users with the latest version of the application. However, this can be achieved more easily via the Google Play Store.
In the worst case, these features can be used to target certain users with malicious updates or applications that can take advantage of the user's phone. Given the amount of user information retrieved from their device, DJI or Weibo can easily identify specific targets of interest. The next step in exploiting these targets is to propose a new application (via the Weibo SDK) or to update the DJI application with a customized version specifically designed to take advantage of their device. As soon as the device is used, additional information can be acquired from the phone, the user can be tracked via the various sensors on the phone, or it can be used as a springboard for attacks on other devices on the phone's WLAN network. This targeting system would allow an attacker to be much more stealthy in exploitation than louder techniques, such as the exploitation of all devices that visit a website.
DJI officials released a comprehensive and vigorous response, saying that all of the features and components in the reports either served legitimate purposes or had already been removed and were never used maliciously.
"We develop our systems so that DJI customers have full control over how or whether to share their photos, videos and flight logs, and we support the creation of industry standards for drone data security that provide protection and trust to all drone users," the statement said. It provided the following point-by-point response:
- If our systems determine that a DJI app is not the official version – for example, if it has been modified to remove important flight safety features such as geofencing or altitude restrictions – we will notify the user and ask them to download the latest official version of the app from our website. In future versions, users will also be able to download the official version from Google Play, if it is available in their country. If users do not agree, their unauthorized (hacked) version of the app will be deactivated for security reasons.
- Unauthorized changes to DJI control apps have raised concerns in the past. This technology is intended to ensure that our comprehensive airspace security measures are applied consistently.
- Since our recreational customers often want to share their photos and videos with friends and family on social media, DJI integrates our consumer apps with the leading social media sites via their native SDKs. Questions about the security of these SDKs must be addressed to their respective social media services. However, please note that the SDK is only used if our users proactively enable it.
- DJI GO 4 cannot restart without user input, and we are investigating why these researchers claim this. We have so far not been able to replicate this behavior in our tests.
- The hypothetical vulnerabilities described in these reports are best characterized as potential bugs that we proactively identified through our Bug Bounty program, in which security researchers who responsibly disclose the security issues they discover receive payments of up to $30,000. Since all DJI flight control apps are designed for use in any country, we have been able to improve our software thanks to contributions from researchers around the world who appear on this list.
- The MobTech and Bugly components identified in these reports were previously removed from DJI flight control apps after previous researchers identified potential vulnerabilities in them. Again, there is no evidence that they have ever been exploited, and they have not been used in DJI's flight control systems for government and professional customers.
- The DJI GO4 app is mainly used to control our recreational drone products. DJI's drone products developed for government agencies do not transfer data to DJI and are only compatible with a non-commercial version of the DJI Pilot app. The software for these drones is only updated through an offline process. This means that this report is not relevant to drones that are intended for sensitive government use. A recent Booz Allen Hamilton security report examined these systems and found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party.
- This is only the latest independent validation of DJI product security after reviews by the U.S. National Oceanic and Atmospheric Administration, the U.S. cyber security company Kivu Consulting, the U.S. Department of the Interior and the U.S. Department of Homeland Security.
- DJI has long called for the creation of industry standards for drone data security. We hope this process continues to provide reasonable protection to drone users with security concerns. If this type of security function is a problem, it should be covered in objective standards that can be set by customers. DJI is committed to protecting drone user data. For this reason, we develop our systems so that drone users have control over whether they share data with us. We are also committed to security and try to contribute technology solutions to the security of the airspace.
Don't forget the Android app chaos
The research and DJI's response underscore the messiness of Google's current app-vetting system. Ineffective reviews, the lack of permission granularity in older versions of Android, and the openness of the operating system make it easier to publish malicious apps on the Play Store. The same things make it easy to confuse legitimate functions with malicious ones.
People who have DJI Go 4 for Android installed may want to at least remove it for the time being, until Google announces the results of its investigation (given the reported automatic restart behavior, simply not using the app is not enough). Ultimately, users of the app are in a position similar to that of TikTok users; that app has also raised suspicions, both because of behavior some consider questionable and because it is owned by China-based ByteDance.
There is little doubt that many Android apps with no connection to China commit similar or worse violations than those attributed to DJI Go 4 and TikTok. People who want to err on the side of security should stay away from the vast majority of them.