DJI furious at “misleading” security claims

DJI has issued a lengthy statement hitting out at what it calls “further misleading claims” about the security of its apps.

The world’s largest drone maker said a report from digital security firm Synacktiv about how its products work – the second in the space of a week – contained “further inaccuracies”.

DJI said: “We want to make clear that DJI’s products protect user data; that DJI, like most software companies, continually updates products as real and perceived vulnerabilities come to light; and that there is no evidence that any of the hypothetical vulnerabilities reported by Synacktiv have ever been exploited.”

DJI has even gone to the length of individually addressing all of the points in Synacktiv’s report that it disputes.

CDP has published its rebuttals in their entirety below:

Synacktiv’s claim concerning Weibo SDK

DJI’s response: The DJI Pilot app for Android available from both the DJI website and the Google Play store does not integrate a software development kit (SDK) to connect with Weibo. This claim by Synacktiv is false. In fact, no versions of the DJI Pilot app have any function for users to share data to Weibo.

Synacktiv’s claims concerning DJI Pilot auto-updates

DJI’s response: The DJI Pilot app for Android that is available on the Google Play store only updates to official versions downloaded from the Google Play store. The user is prompted to update in a pop-up window, and the app will not update unless the user agrees.

For customers who operate our products in countries where the Google Play store is not available, the app and app updates are made available on our website.

The headline, summary, and first half of Synacktiv’s report are intentionally misleading because they fail to note that this mechanism is limited to the website version of the DJI Pilot app only, and does not affect anyone who obtains the DJI Pilot app from the Google Play store.

Synacktiv’s understanding of DJI’s geofencing system

DJI’s response: The DJI Pilot app includes a feature called Local Data Mode that allows the user to sever the connection to the internet as soon as the setting is turned on in the app. In addition to enhancing data security assurance, this feature blocks the drone’s ability to update flight safety restrictions and blocks the user’s ability to “unlock” some geofenced areas.

However, Synacktiv appears to misunderstand the function of DJI’s geofencing safety system and the many other available methods for customers to unlock. For example, government agencies can participate in our Qualified Entities Program which unlocks the entire region they request, with no need to connect to the internet after initial activation.

Also, our Government Edition drones have no geofencing at all. DJI users understand these limitations and plan ahead for when and how to unlock geofencing flight restrictions, if needed. 

As with automatic updates, these features are implemented for purposes that benefit the public by enhancing airspace safety during the use of our products. The important safety role of geofencing has been recognized by the U.S. Federal Aviation Administration’s (FAA) Drone Advisory Committee; the Airports International Council-North America and Association for Unmanned Vehicle Systems International joint Blue Ribbon Task Force on Airport Mitigation; and the FAA-industry joint Unmanned Aircraft Safety Team.

No other company has done as much as DJI to proactively enhance the safety of drone operations. We are dismayed that safety features have again been misunderstood and misconstrued as hypothetical security threats by researchers who are evidently unfamiliar with the operation of drone technology.

DJI immediately remediated the prior reported issues

DJI’s response: While Synacktiv’s exaggerated and misleading initial report on security was cited in the New York Times, a serious examination of their work shows it falls short.

DJI promptly updated the DJI GO 4 Android app on July 31 to address the earlier hypothetical concerns Synacktiv noted about the DJI GO 4 app, removing the Weibo SDK and directing automatic safety-related updates to the Google Play store rather than our website.

DJI remains the only drone manufacturer to have its products successfully evaluated in publicly-available reports by multiple independent government and private institutions.

DJI also remains the only drone manufacturer to have created a Bug Bounty Program to actively solicit responsible disclosure of security vulnerabilities and pays rewards to the researchers who find them.

DJI added that further details on its security protections could be found in its response to the original allegations at the link HERE.  

Andrew Seymour

2 Comments

  1. DJI management can bleat all they want, but two important facts make their statements irrelevant:

    i) As a Chinese company they absolutely cannot disobey any order issued to them by PRC Government. FACT
    …for goodness sake, even western companies are bullied into implementing every whim and wish of the Chinese state, no matter how distasteful, if they want to operate in China.

    ii) DJI has been funded by the Chinese state. FACT
    Even Chinese companies competing with DJI have complained about this.