Synacktiv and GRIMM security researchers have uncovered security bugs in the Android application developed by Chinese drone maker Da Jiang Innovations (DJI), which comes with an automatic update mechanism that bypasses the Google Play Store and can be used for installation malware, as well as for the transmission of sensitive personal information to servers of DJI. In particular, the researchers found that Android application DJI Go4 not only does it ask for extended licenses and collect personal data (IMSI, IMEI, SIM card serial number), but uses anti-debug and encryption techniques to prevent security analyzes.
Synacktiv reported that this mechanism is very similar to command and control servers found with malware. He added that given the broad licenses required by the Android application DJI Go4 - contacts, microphone, camera, location, storage, change network connection - DJI or Weibo servers have complete control over a user's phone.
It is worth noting that the Android application has over one million downloads and installations from the Google Play Store. Also, the security bugs found on it do not apply to the version iOS, which does not have the hidden notification feature, so it is not affected by security errors.
According to GRIMM, the investigation was conducted in response to a security check requested by an anonymous supplier of defense and public security technology, which sought to investigate the privacy implications of DJI drones within the Android application DJI GO 4.
Examining the application, Synacktiv reported finding a URL (“Hxxps: //service-adhoc.dji.com/app/upgrade/public/check”), which she uses to download a information application and ask the user to grant permission for "Installing unknown applications".
The researchers modified this request to enable a forced update on an arbitrary application, which first motivated the user to allow the installation of unreliable applications and then prevented them from using the application until the update was installed.
Not only is this a direct violation of the Google Play Store guidelines, but it also has very serious consequences. In particular, an attacker could compromise the update server to target users with malicious application updates. An even more serious consequence is that the application continues to run in the background even after it closes and utilizes a Weibo SDK (“Com.sina.weibo.sdk”) to install an arbitrarily downloaded application.
In addition, the researchers concluded that the application utilizes the MobTech SDK to convert metadata about the phone, such as screen size, brightness, WLAN address, MAC address, BSSID numbers, addresses Bluetooth, IMEI and IMSI numbers, carrier name, SIM serial number, SD card information, OS language and kernel version and location information.
Noting that the findings were "typical software concerns", DJI challenged the investigation, saying it contradicted reports from the US Department of Homeland Security (DHS), Booz Allen Hamilton and others who had not found any evidence of surprises. data transmission links from DJI applications designed for government clients. The company noted that there is no data that has ever been utilized, nor used in DJI flight control systems, for government customers.
In future releases, users will also be able to download the official version from Google Play, if available in their home country. If users do not agree to do so, the unauthorized version of the application will be disabled for security reasons, the company said.
DJI is the largest manufacturer of commercial drones in the world and is subject to inspections, along with other Chinese companies, for national issues. security, which led the US Department of the Interior to jam its drones in January.
Also in May, DHS warned companies that their data could be compromised if they used commercial drones built in China, stressing that they contain information that could jeopardize their data and reveal their confidential information.
The movement of USA makes it clear that the US government's concerns about DJI drones have nothing to do with security. Instead, it is their policy to reduce market competition and support domestic drone technology production.