The world’s largest consumer drone maker is pushing back amid swelling concerns that its applications may be insecure, as well as rumours that it may be transmitting sensitive user data to China, where the company was founded more than a decade ago.
Amid increasing fears of Chinese companies operating in the US, on Monday China-based drone manufacturer DJI began circulating the summary findings of San Francisco-based Kivu Consulting, Inc., which DJI contracted to offer an independent analysis of its data and security practices in the hope of quelling those concerns.
Gizmodo has learned, however, that DJI had been privately sharing – including among some US military officials – what it called the “preliminary conclusions” of Kivu’s independent research since at least February 14. Prematurely releasing the positive results of an ongoing forensic analysis is out of the ordinary, to say the least.
Having cornered the consumer drone market for several years running, DJI was forced onto defensive footing last year after the US Army ordered its troops to cease all use of DJI applications in a vaguely worded memo citing classified research into potential “cyber vulnerabilities”.
China-based technology companies have come under increasing scrutiny over the past year. Several US companies, including AT&T, Verizon and Best Buy, have cancelled deals with Huawei, a Chinese phone manufacturer, amid US intelligence community concerns about the company. US intelligence leaders also warned that products made by ZTE – another Chinese phone maker that was recently banned from buying American-made components because it sold goods to Iran – may be used for cyber espionage.
These moves follow a late-2017 internal memo from the US Department of Homeland Security that warned of DJI’s commercial drones – a growing sector of the company’s business – could potentially gather intelligence for China’s government. DJI called the memo’s findings “profoundly wrong” and said they were “based on clearly false and misleading claims”.
Over the weekend, DJI gave Gizmodo access to the full 27-page report under the condition that it not be published in full. (According to DJI, the report contains screenshots of some code it considers proprietary information.)
The Kivu report, which contains detailed observations covering DJI’s handling of data storage, flight logs and personally identifiable information, largely absolves the company of the allegations that it mishandles user data, though it appears to gloss over some of the prior issues highlighted by researchers who had previously gained access to DJI’s source code or spent time reverse engineering DJI products.
“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store and transmit,” said Douglas Brush, director of Kivu’s cybersecurity investigations.
For its analysis, Kivu says it purchased four models for testing (as opposed to being provided drones by DJI) including a DJI Spark, DJI Mavic, DJI Phantom 4 Pro and DJI Inspire 2. Both Android and Apple iOS version of the GO 4 mobile app were obtained independently via their app stores, the researchers said.
Notably, Kivu reports that DJI collects no personally identifiable information (PPI) about its customers, beyond an email address and phone number, which can be easily faked. The company apparently makes no attempt to validate this information. “[U]sers may enter any information they choose to anonymize themselves, with no impact on drone use or operation,” the report states.
Kivu reports that all data consensually uploaded by users in the United State is transmitted to cloud servers in the United States, including multimedia files (photos and video) uploaded to DJI’s SkyPixel social media sharing platform, which may include GPS location at the time of the recording.
Much of the data which users would find sensitive have an opt-in feature, including media files and flight logs shared with the company. Diagnostic data and location checks, whereby DJI checks for “No Fly Zones” (NFZ), require users to opt-out. Notably, NFZ data is not precise with regard to location. The initial location check data, compared against an NFZ database containing information about areas where drone flight is prohibited (that is, airports, military bases and so on), is only accurate down to roughly a 10km radius, Kivu found. (Independent drone researchers dispute this detail, however.)
Regarding DJI’s phone app, Kivu reported (emphasis ours):
The GO 4 application was important to Kivu’s analysis because the flight control application is the only part of the drone system that can transmit data over the Internet. The aircraft and remote controllers do not connect directly to the Internet. The GO 4 application is the only part of the usual DJI product stack that has the ability to connect to the Internet, and it must be connected through the user’s mobile device. After a thorough review of all aforementioned data, Kivu confirmed that DJI drones do not automatically transmit most types of user data without explicit user authorization. For example, within the flight control apps, users must choose to share user information such as photographs, videos, flight logs, and obstacle avoidance data. These types of data are not automatically transmitted by default.
Other types of data are transmitted by default but users can prevent these transmissions if desired. For example, by default the GO 4 application will automatically transmit information related to the type of aircraft, camera and remote controller. Additionally, the GO 4 application will by default transmit certain data for the safe use of drones, customer support, and data analytics. This includes application performance data, user experience data, and initial location check data. The user can prevent these transmissions by deactivating them in the GO 4 application settings and/or using a mobile device that is not connected to the Internet.
For whatever reason, Kivu only briefly mentions that when the Go 4 application is launched, a file is sent from the user’s phone to an Alibaba server located in San Mateo, California, containing details about the operating system of the operator’s mobile device and the SSID (or name) of the connected Wi-Fi network.
Kivu researchers found that DJI’s GO 4 app did communicate with servers in China through Bugly, an app used to report crashes. Files within a database named “Bugly_db_” include a table that “contained the last IP address the mobile device was connected to, along with the International Mobile Equipment Identity (‘IMEI’) of the mobile device”. Strangely, unlike other areas of the report, Kivu does not specifically identify the locations of the Chinese Bugly servers.
Kevin Finisterre, a long-time penetration tester with Netragard, told Gizmodo that Kivu’s report “completely glosses over” concerns about DJI’s app, which peaked in the middle of last year.
“The snapshot in time that the paper is based on does not in any way address the realm of possibilities last year,” said Finisterre, who also works as a senior threat engineer for Department 13, which makes counter-drone technologies. “As an example, the old hot patching mechanism would allow a rogue DJI developer, or skilled attacker, to have complete control over a phone running the DJI Go application. The fact that DJI left their production SSL keys on GitHub further enabled this fact. Absolutely zero mention of this fact was made.”
As reported by The Register in August, DJI’s Go app previously contained a framework that allowed DJI to make “substantial changes” to the app without triggering a review by Apple. According to Finisterre, the hot-patch mechanism would have allowed DJI to covertly update the app without first seeking user consent, a critical security flaw.
DJI spokesperson told Gizmodo by email that the data breach it suffered last year and the prior hot-patching issues were not mentioned in the report regarding its current security posture because those issues had been previously addressed by the company. “The security researcher you quoted has not identified any problems with Kivu’s report, but apparently is flagging issues that were both raised and resolved last year,” he said.
Further, the spokesperson intimated that DJI’s customers are not concerned about security issues that affected the company as recently as five months ago. “The report is based on the most current drones and apps available when Kivu did their work,” he said. “That’s what our customers want to know about. This report answers their questions and addresses their concerns.”
“Contrary to [Finisterre’s] claims, DJI has been very clear that we improved our security systems last year in response to flaws identified in our SSL certificate and our AWS server controls,” the spokesperson said.