The world’s largest civilian drone maker, Chinese manufacturer SZ DJI Technology Co., Ltd, said on Wednesday it was hunting for security flaws in its flight-control software after coders found its apps could be “hot patched,” circumventing scrutiny from Apple and Alphabet.
“We have updated the apps to remove the suspect code,” Adam Lisberg, spokesman for DJI, said of the hot-patching problem. “We are going through all the code now to see if there’s anything else we didn’t know about.”
DJI’s camera-equipped drones, which range from palm-sized models to the size of a small outdoor grill, command about 70 percent of the global commercial and consumer drone markets, Goldman Sachs and Oppenheimer estimated in 2016.
A drone by DJI company. /Reuters Photo
Their cameras are increasingly used in sensitive settings, such as making movies or inspecting industrial facilities. AT&T deployed about four dozen drones, including DJI models, to spot cell tower damage after Hurricane Harvey. Lisberg said DJI had sent drones and spare batteries to help with the recovery.
But as their popularity has grown, so have concerns about data privacy. Until recently DJI’s apps, which run on Apple iOS and Google Android, allowed for “hot patching”: downloading new code into the app and running it, without resubmitting the app to the store review it had originally passed, any time a tablet or phone connected to the Internet.
Such code can turn a phone into a listening device, or send out sensitive data, computer security experts said.
“App developers are finding ways to circumvent the controls that go into the app stores,” said Michael Murray, vice president of security intelligence at cyber firm Lookout, which researched hot patching.
DJI’s apps connected with more than two dozen websites while booting up, sending user and location data, said Andreas Makris, a coder in Germany familiar with the apps.
Adam Lisberg, spokesman for DJI. /Screenshot from YouTube
DJI’s Lisberg said problems stemmed from third-party plug-ins that help users share images on social media. But at least one was sending data DJI didn’t know about, he said. DJI stopped it and is looking for other problems.
DJI is offering a “bug bounty” of up to 30,000 US dollars for coders who find flaws. It plans to release a feature this month that lets users disconnect phones or tablets from the Internet while flying to ensure data is not sent out.
Source(s): Reuters