DJI Statement On Further Misleading Claims About App Security
Today’s report from the Synacktiv digital security firm about DJI software includes further inaccuracies and misleading statements about how our products work, following similar reports from them last week. We want to make clear that DJI’s products protect user data; that DJI, like most software companies, continually updates products as real and perceived vulnerabilities come to light; and that there is no evidence that any of the hypothetical vulnerabilities reported by Synacktiv have ever been exploited. In this post, we address Synacktiv’s new report.
Synacktiv’s False Claim Concerning Weibo SDK
The DJI Pilot app for Android available from both the DJI website and the Google Play store do not integrate a software development kit (SDK) to connect with Weibo. This claim by Synacktiv is false. In fact, no versions of the DJI Pilot app have any function for users to share data to Weibo.
Synacktiv’s Misleading Claims Concerning DJI Pilot Auto-Updates
The DJI Pilot app for Android that is available on the Google Play store only updates to official versions downloaded from the Google Play store. The user is prompted to update in a pop-up window, and the app will not update unless the user agrees. For customers who operate our products in countries where the Google Play store is not available, the app and app updates are made available on our website. The headline, summary, and first half of Synacktiv’s report are intentionally misleading because they fail to note that this mechanism is limited to the website version of the DJI Pilot app only, and does not affect anyone who obtains the DJI Pilot app from the Google Play store.
Synacktiv’s Incomplete Understanding of DJI’s Geofencing System
The DJI Pilot app includes a feature called Local Data Mode that allows the user to sever the connection to the internet as soon as the setting is turned on in the app. In addition to enhancing data security assurance, this feature blocks the drone’s ability to update flight safety restrictions and blocks the user’s ability to “unlock” some geofenced areas. However, Synacktiv appears to misunderstand the function of DJI’s geofencing safety system and the many other available methods for customers to unlock. For example, government agencies can participate in our Qualified Entities Program which unlocks the entire region they request, with no need to connect to the internet after initial activation. Also, our Government Edition drones have no geofencing at all. DJI users understand these limitations and plan ahead for when and how to unlock geofencing flight restrictions, if needed.
As with automatic updates, these features are implemented for purposes that benefit the public by enhancing airspace safety during the use of our products. The important safety role of geofencing has been recognized by the U.S. Federal Aviation Administration’s (FAA) Drone Advisory Committee; the Airports International Council-North America and Association for Unmanned Vehicle Systems International joint Blue Ribbon Task Force on Airport Mitigation; and the FAA-industry joint Unmanned Aircraft Safety Team. No other company has done as much as DJI to proactively enhance the safety of drone operations. We are dismayed that safety features have again been misunderstood and misconstrued as hypothetical security threats by researchers who are evidently unfamiliar with the operation of drone technology.
DJI Immediately Remediated The Prior Reported Issues
While Synacktiv’s exaggerated and misleading initial report on security was cited in the New York Times, a serious examination of their work shows it falls short. DJI promptly updated the DJI GO 4 Android app July 31 to address the earlier hypothetical concerns Synacktiv noted about the DJI GO 4 app, removing the Weibo SDK and directing automatic safety-related updates to the Google Play store rather than our website.
DJI remains the only drone manufacturer to have its products successfully evaluated in publicly-available reports by multiple independent government and private institutions. DJI also remains the only drone manufacturer to have created a Bug Bounty Program to actively solicit responsible disclosure of security vulnerabilities and pays rewards to the researchers who find them.
For further details on DJI’s robust security protections, please refer to our response to the original allegations at this link: https://www.dji.com/ie/newsroom/news/dji-statement-on-recent-reports-from-security-researchers