August 15, 2020

Volume X, Number 228


DJI Responds to Recent Cybersecurity Report on App Vulnerabilities

This week, China-based DJI, the drone industry's leading manufacturer, issued a public statement regarding two recent reports released by cybersecurity researchers (Synacktiv and GRIMM) about the security of its drones' control app.

In the two reports, the researchers claimed that the Android app used to control DJI drones collects large amounts of personal information that could be exploited by the Chinese government. The researchers describe typical software concerns, but present no specific evidence that those potential vulnerabilities have actually been exploited. This is not the first time DJI has been accused of lax security safeguards.

DJI responded to these claims, saying that its goal is to help ensure that its comprehensive airspace safety measures are applied consistently across its control apps. However, because recreational pilots often want to share the photos and video they take using the drone with family and friends over social media, the security of those social media sites must be reviewed by the pilot user. Further, DJI said, "When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website."

The report also claimed that one of DJI's drones could restart itself without any input from the pilot. DJI responded, stating, "[Our] DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim it did so. We have not been able to replicate this behavior in our tests so far."

DJI has not, at this point, confirmed the potential vulnerabilities identified in the report, but it says that it has proactively offered security researchers payments of up to $30,000 (through its Bug Bounty Program) to assist in identifying and disclosing security issues with the control apps.

DJI also stated that its drone products designed for government agencies do not transmit data to DJI and are compatible only with a version of the DJI Pilot app that is not commercially available. More specifically, "The software for these drones is only updated via an offline process, meaning this report is irrelevant to drones intended for sensitive government use. A recent security report from Booz Allen Hamilton audited these systems and found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party."

All in all, DJI has been part of the ongoing call for a set of industry standards for drone data security. Until those standards are set, however, we are sure to continue to see alleged flaws in, and risks to, data collected and transmitted via drone.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume X, Number 212


About this Author

Kathryn Rattigan, Attorney, Cybersecurity and Data Privacy

Kathryn Rattigan is a member of the firm's Business Litigation Group and Data Privacy + Cybersecurity Team. She advises clients on data privacy and security, cybersecurity, and compliance with related state and federal laws. Kathryn also provides legal advice regarding the use of unmanned aerial systems (UAS, or drones) and Federal Aviation Administration (FAA) regulations. She represents clients across all industries, such as insurance, health care, education, energy, and construction.

Data Privacy and Cybersecurity Compliance

Kathryn helps clients comply...