Tuesday, January 26, 00:19

Security bugs affect Chinese DJI drones!

Security researchers at Synacktiv and GRIMM have uncovered security bugs in the Android application developed by Chinese drone maker Da Jiang Innovations (DJI). The application comes with an automatic update mechanism that bypasses the Google Play Store and can be used to install malware, as well as to transmit sensitive personal information to DJI's servers. In particular, the researchers found that the DJI Go4 Android application not only requests extensive permissions and collects personal data (IMSI, IMEI, SIM card serial number), but also uses anti-debugging and encryption techniques to prevent security analysis.



Synacktiv reported that this mechanism is very similar to the command and control servers used by malware. It added that, given the broad permissions required by the DJI Go4 Android application (contacts, microphone, camera, location, storage, change network connection), the DJI or Weibo servers have complete control over a user's phone.


It is worth noting that the Android application has over one million downloads and installations from the Google Play Store. The security bugs found in it do not apply to the iOS version, which does not have the hidden notification feature and is therefore not affected.


According to GRIMM, the investigation was conducted in response to a security audit requested by an unnamed supplier of defense and public security technology, which sought to investigate the privacy implications of DJI drones within the DJI GO 4 Android application.


Examining the application, Synacktiv reported finding a URL ("hxxps://service-adhoc.dji.com/app/upgrade/public/check"), which the application uses to download an application and ask the user to grant permission for "Installing unknown applications".


The researchers modified this request to force an update to an arbitrary application. The application first prompted the user to allow the installation of untrusted applications and then prevented them from using it until the update was installed.



Not only is this a direct violation of the Google Play Store guidelines, but it also has very serious consequences. In particular, an attacker could compromise the update server to target users with malicious application updates. An even more serious consequence is that the application continues to run in the background even after it is closed and uses a Weibo SDK ("com.sina.weibo.sdk") to install an arbitrarily downloaded application.
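As an added illustration (not code from Synacktiv, GRIMM or DJI), the following Python script audits a decoded `AndroidManifest.xml` for the combination described above: the ability to request package installs outside Google Play, the sensitive permissions the article lists, and components from the `com.sina.weibo.sdk` package. It assumes the manifest has already been decoded to text XML; the sample manifest, its package name and its component names are constructed, and the mapping from the article's permission groups to Android permission names is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Declared by apps that request package installs outside Google Play.
SELF_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
# Assumed mapping of the article's permission groups to Android names.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.CHANGE_NETWORK_STATE": "change network connection",
    "android.permission.READ_PHONE_STATE": "device identifiers",
}
SDK_PREFIXES = ("com.sina.weibo.sdk",)  # package named in the article

# Constructed sample; package and component names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.droneapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name="com.example.droneapp.MainActivity"/>
    <service android:name="com.sina.weibo.sdk.ExampleService"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Report self-install capability, sensitive permissions, flagged SDKs."""
    # Use a hardened XML parser instead if the manifest is untrusted.
    root = ET.fromstring(xml_text.strip())
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    components = []
    for tag in ("activity", "service", "receiver", "provider"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID + "name") or ""
            if name.startswith(SDK_PREFIXES):
                components.append(name)
    sensitive = sorted(SENSITIVE[p] for p in requested if p in SENSITIVE)
    can_install = SELF_INSTALL in requested
    return {
        "can_self_install": can_install,
        "sensitive": sensitive,
        "sdk_components": sorted(components),
        # Self-install plus broad data access is what warrants manual review.
        "needs_review": can_install and bool(sensitive or components),
    }
```
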


In addition, the researchers concluded that the application uses the MobTech SDK to collect metadata about the phone, such as screen size, brightness, WLAN address, MAC address, BSSIDs, Bluetooth addresses, IMEI and IMSI numbers, carrier name, SIM serial number, SD card information, OS language, kernel version and location information.


Describing the findings as "typical software concerns", DJI challenged the investigation, saying it contradicted reports from the US Department of Homeland Security (DHS), Booz Allen Hamilton and others, who had not found any evidence of unexpected data transmission connections from DJI applications designed for government clients. The company noted that there is no data that has ever been utilized, nor used in DJI flight control systems for government customers.


In future releases, users will also be able to download the official version from Google Play, if it is available in their home country. If users do not agree to do so, the unauthorized version of the application will be disabled for security reasons, the company said.

DJI is the largest manufacturer of commercial drones in the world and, along with other Chinese companies, is subject to scrutiny over national security issues, which led the US Department of the Interior to jam its drones in January.


Also in May, DHS warned companies that their data could be compromised if they used commercial drones built in China, stressing that they contain information that could jeopardize their data and reveal their confidential information.


The US move makes it clear that the US government's concerns about DJI drones have nothing to do with security. Instead, it is their policy to reduce market competition and support domestic drone technology production.

Pohackontas