Data security flaws found in China-owned DJI drones


Serious security vulnerabilities in multiple drones made by Chinese manufacturer DJI have allowed users to modify crucial identification details and even bring down the devices remotely in flight, researchers say.

These findings were presented by Nico Schiller of the Horst Görtz Institute for IT Security at Ruhr University Bochum, Germany, and Professor Thorsten Holz from the CISPA Helmholtz Center for Information Security.

Since the researchers informed DJI of the detected vulnerabilities prior to releasing the information publicly, the Chinese manufacturer has fixed the issues. But they were problematic, to say the least.

DJI, the consumer drone market leader, has supposedly done its best to complement traditional countermeasures to enforce safe and secure use of drones.

Not only does the company impose the usual software limits regarding speed and altitude and use geofencing, or virtual boundaries, to implement no-fly zones around airports or prisons – it also implements a tracking protocol called DroneID designed to transmit the position of the drone and its operator to law enforcement or operators of critical infrastructures.

However, the researchers have analyzed the drone attack surface and, after adding a bit of reverse engineering, showed that the data transmitted to and from the drone was not encrypted. This means it was accessible to anyone, thus compromising the drone operator’s privacy.

More critical flaws were uncovered in drone firmware that allowed attackers to “gain elevated privileges on two different DJI drones and their remote control” and abuse the devices.

The team tested three DJI drones of different categories: the small DJI Mini 2, the medium-sized Mavic Air 2, and the large Mavic 2 Pro. Later, the results were also reproduced on the newer Mavic 3 model, which had been unavailable during the initial analysis.

In total, 16 vulnerabilities were found, and they ranged from denial of service to arbitrary code execution, which is defined as a threat actor’s capacity to run commands on a targeted device. Moreover, 14 of the bugs could be triggered remotely via the operator’s smartphone – the researchers found they could take over the phone and crash the drone mid-flight.

“An attacker can thus change log data or the serial number and disguise their identity,” explained Professor Holz. “While DJI does take precautions to prevent drones from flying over airports or other restricted areas such as prisons, these mechanisms could also be overridden.”

In the spotlight

DJI drone vulnerabilities have been identified before. In October 2022, the Cybernews research team discovered that over 80,000 drone IDs were exposed in a data leak after a database containing information from dozens of airspace-monitoring devices manufactured by DJI was left accessible to the public.

Aras Nazarovas, a Cybernews researcher, said then that this information was upsetting to hobbyists since it can essentially show the routes they take with their drone.

The Shenzhen-headquartered company holds a whopping 70% of the global consumer and enterprise drone market, according to a Business Insider report from 2020.

DJI was blacklisted by the Biden Administration in 2021 for its alleged involvement in the surveillance of the Uyghur Muslim minority in China.

On October 5, 2022, the US Defense Department added DJI and a dozen other companies to a list of Chinese entities believed to be connected to the Chinese military. The Pentagon paved the way to further restrictions on their businesses, arguing that access to advanced technologies is crucial for modernizing the People’s Liberation Army.

DJI was also in the spotlight after Ukraine’s Vice Prime Minister Mykhailo Fedorov accused the company of helping the Kremlin to kill civilians by allowing Russia to freely use DJI devices, including AeroScope, on Ukrainian soil.