Critical Vulnerabilities Found in Chinese DJI Drones Android App

Serious security issues have been found in the Android app for DJI drones. According to the researchers, the app can silently install software pushed from DJI's servers, outside the Play Store, and collects user and device data that the drone does not need.

DJI Drones Vulnerability

Researchers from two separate firms, Synacktiv and Grimm, have found security issues in the Android app used to control DJI drones. The most serious finding is that the app can install new software on the phone on the vendor's instruction, bypassing the Play Store.

The issues first caught the attention of Synacktiv. According to their report, they decided to analyze the DJI Go 4 Android app themselves rather than rely on earlier reviews that had declared the app harmless.

They found several issues:

  • The app uses anti-analysis techniques usually seen in malware: code obfuscation, anti-debugging, packing, and dynamic encryption of its payload.
  • A command-and-control-like capability: the app phones home to DJI's servers and can be instructed to force an update or install new software on the device.
  • This self-update channel bypasses Google Play, so updates installed through it never pass the Play Store's review and malware checks.
  • The third-party MobTech SDK embedded in the app collects sensitive device data that the drone has no use for, including the IMSI.
  • The app keeps running in the background after the user closes it.
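Two of the behaviours listed above, software installed outside the Play Store and a grant of the permission that exposes phone identifiers such as the IMSI, leave traces a user can inspect over adb. The following script is an added example written for this article, not code from Synacktiv, Grimm or DJI; the package names and the sample `pm` and `dumpsys` output are constructed, and the functions parse the output formats of `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>`.

```shell
#!/bin/sh
# Added example (not from the Synacktiv or Grimm reports): two quick checks an
# Android user can run over adb to see whether an installed app behaves like the
# one described above. Package names and sample output below are constructed.

# 1. Which installed packages were NOT installed or last updated by Google Play?
#    Input: output of `adb shell pm list packages -i`, one line per package:
#      package:<name>  installer=<installer package, or null>
#    Output: "<package>\t<installer>" for every package whose installer of record
#    is not com.android.vending (the Play Store). "null" means sideloaded or
#    unknown; an app listed as its own installer has updated itself.
flag_non_play_installs() {
  awk -F'[ =]+' '
    /^package:/ {
      pkg = $1; sub(/^package:/, "", pkg)
      installer = $3
      if (installer != "com.android.vending") print pkg "\t" installer
    }'
}

# 2. Which runtime permissions has a given app actually been granted?
#    Input: output of `adb shell dumpsys package <pkg>`, which lists runtime
#    permissions as
#      android.permission.READ_PHONE_STATE: granted=true, flags=[ ... ]
#    Output: one permission name per line for each granted=true entry.
#    READ_PHONE_STATE is the permission behind the IMSI/IMEI readers.
granted_runtime_permissions() {
  awk '
    /^[ \t]*[A-Za-z0-9_.]+: granted=true/ {
      perm = $1; sub(/:$/, "", perm); print perm
    }'
}

# Constructed sample data standing in for real adb output.
SAMPLE_PACKAGES='package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.selfupdater  installer=com.example.selfupdater
package:com.example.vendorstore  installer=com.sec.android.app.samsungapps'

SAMPLE_DUMPSYS='  Package [com.example.selfupdater] (1a2b3c):
    runtime permissions:
      android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]'

# Run against the samples. On a real device replace the printf with adb:
#   adb shell pm list packages -i | flag_non_play_installs
#   adb shell dumpsys package com.example.selfupdater | granted_runtime_permissions
printf '%s\n' "$SAMPLE_PACKAGES" | flag_non_play_installs
printf '%s\n' "$SAMPLE_DUMPSYS" | granted_runtime_permissions
```

Two caveats when reading the output. Devices with a vendor app store (Samsung, Amazon, Huawei) legitimately show installers other than `com.android.vending`, so the first check flags candidates to look at, not proof of wrongdoing. And on Android 10 and later an ordinary app cannot read the IMSI even with `READ_PHONE_STATE` granted, so that permission matters most on the older devices the original reports concerned.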

After Synacktiv published, Grimm was engaged to countercheck the findings and independently analyzed the same app. Grimm confirmed the issues Synacktiv had highlighted. Both firms describe their findings in detail in their respective reports.

Vulnerability Remains Unpatched

Despite the reports from two separate research firms, DJI has not yet fixed the app. Users of the DJI Go 4 Android app therefore remain exposed to the risks described above.

Consequently, all users should be very careful with the app. As Synacktiv advised,

Users of the DJI drone are advised to use caution, due to the risks of leakage or misuse of sensitive data elements, and hidden command and control features, seemingly not needed for safe or secure use of the product.

The researchers did not find these behaviours in the iOS version of DJI Go 4, which is consistent with iOS not letting an app install its own updates outside the App Store. iOS users are therefore not known to be affected.

This isn’t the first time the Chinese vendor Da-Jiang Innovations (DJI) has been in the news for a security risk. In 2018, researchers found a vulnerability in DJI’s web platform that could let an attacker take over users’ accounts and steal their data without detection.
