Drone Maker DJI Says Claims About Security of Pilot App 'Misleading'

Researchers have analyzed the security of DJI’s Pilot app for Android, but the Chinese drone giant says the claims they’ve made are misleading.


Last month, France-based cybersecurity company Synacktiv reported that it had found some potentially serious security issues in the DJI GO 4 Android app, which allows users to control and manage recreational drones made by DJI.


Synacktiv, whose findings were validated by US-based cybersecurity firm GRIMM, reported discovering a “forced update” mechanism that allowed the vendor to directly install an update or new software on a user’s device without going through the checks required by Google Play. It also found an SDK that collected sensitive device information (e.g. IMEI, IMSI and SIM card serial number).


DJI responded to Synacktiv’s findings and while it confirmed some of the vulnerabilities — the company said it released patches within a week of the report being published — it argued that the forced update mechanism is necessary to prevent users from installing hacked versions of its app in order to “help ensure that our comprehensive airspace safety measures are applied consistently.”


Synacktiv on Tuesday published an analysis of DJI’s Pilot app, which is designed for enterprise drones. The company said it found the same forced upgrade mechanism in this application as well, and warned that enabling the drone’s offline mode is not efficient in preventing external interference.


Its researchers also claim that one of the SDKs present in the GO 4 application, which has been found to collect some device information, is also present in some releases of the Pilot app.


Synacktiv also investigated the Local Data Mode, whi ..
