DJI Pilot App Security: DJI Says Claims About App Security Misleading

DJI is clearly getting sick of the barrage of recent reports questioning their security; some of which don’t even bother to get the facts right.  The latest report from Synacktiv questions the DJI Pilot App security: but DJI has issued a statement pointing out the problems with a report written by a firm that doesn’t know drones and doesn’t seem to understand how features like geofencing work.

If the response sounds at times frustrated, it’s hard to blame the world’s largest manufacturer.  DJI garners headlines, and any reports about their app security are generally well publicized.  French security firm Synacktiv’s report of the DJI Go App was covered by the New York Times: after which they quickly launched a second analysis of the Pilot App.  Analysis by for-profit firms unfamiliar with drone technology, however, should be like any other headline these days – taken with the proverbial grain of salt.  Removing the perception of security issues can be harder than planting the seeds of doubt: DJI users should examine every point carefully for themselves.

The full text of DJI’s response is below.

DJI Statement On Further Misleading Claims About App Security

Today’s report from the Synacktiv digital security firm about DJI software includes further inaccuracies and misleading statements about how our products work, following similar reports from them last week. We want to make clear that DJI’s products protect user data; that DJI, like most software companies, continually updates products as real and perceived vulnerabilities come to light; and that there is no evidence that any of the hypothetical vulnerabilities reported by Synacktiv have ever been exploited. In this post, we address Synacktiv’s new report.

Synacktiv’s False Claim Concerning Weibo SDK

The DJI Pilot app for Android available from both the DJI website and the Google Play store do not integrate a software development kit (SDK) to connect with Weibo. This claim by Synacktiv is false. In fact, no versions of the DJI Pilot app have any function for users to share data to Weibo.

Synacktiv’s Misleading Claims Concerning DJI Pilot Auto-Updates

The DJI Pilot app for Android that is available on the Google Play store only updates to official versions downloaded from the Google Play store. The user is prompted to update in a pop-up window, and the app will not update unless the user agrees. For customers who operate our products in countries where the Google Play store is not available, the app and app updates are made available on our website. The headline, summary, and first half of Synacktiv’s report are intentionally misleading because they fail to note that this mechanism is limited to the website version of the DJI Pilot app only, and does not affect anyone who obtains the DJI Pilot app from the Google Play store.

Synacktiv’s Incomplete Understanding of DJI’s Geofencing System

The DJI Pilot app includes a feature called Local Data Mode that allows the user to sever the connection to the internet as soon as the setting is turned on in the app. In addition to enhancing data security assurance, this feature blocks the drone’s ability to update flight safety restrictions and blocks the user’s ability to “unlock” some geofenced areas. However, Synacktiv appears to misunderstand the function of DJI’s geofencing safety system and the many other available methods for customers to unlock. For example, government agencies can participate in our Qualified Entities Program which unlocks the entire region they request, with no need to connect to the internet after initial activation. Also, our Government Edition drones have no geofencing at all. DJI users understand these limitations and plan ahead for when and how to unlock geofencing flight restrictions, if needed.

As with automatic updates, these features are implemented for purposes that benefit the public by enhancing airspace safety during the use of our products. The important safety role of geofencing has been recognized by the U.S. Federal Aviation Administration’s (FAA) Drone Advisory Committee; the Airports International Council-North America and Association for Unmanned Vehicle Systems International joint Blue Ribbon Task Force on Airport Mitigation; and the FAA-industry joint Unmanned Aircraft Safety Team. No other company has done as much as DJI to proactively enhance the safety of drone operations. We are dismayed that safety features have again been misunderstood and misconstrued as hypothetical security threats by researchers who are evidently unfamiliar with the operation of drone technology.

DJI Immediately Remediated The Prior Reported Issues

While Synacktiv’s exaggerated and misleading initial report on security was cited in the New York Times, a serious examination of their work shows it falls short. DJI promptly updated the DJI GO 4 Android app July 31 to address the earlier hypothetical concerns Synacktiv noted about the DJI GO 4 app, removing the Weibo SDK and directing automatic safety-related updates to the Google Play store rather than our website.

DJI remains the only drone manufacturer to have its products successfully evaluated in publicly-available reports by multiple independent government and private institutions. DJI also remains the only drone manufacturer to have created a Bug Bounty Program to actively solicit responsible disclosure of security vulnerabilities and pays rewards to the researchers who find them.

For further details on DJI’s robust security protections, please refer to our response to the original allegations at this link: https://www.dji.com/newsroom/news/dji-statement-on-recent-reports-from-security-researchers