Cybersecurity researchers revealed a newfound vulnerability in an app that controls the world’s most popular consumer drones, threatening to intensify the growing tensions between China and the United States.
In two reports, the researchers contended that an app on Google’s Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft.
The world’s largest maker of commercial drones, DJI has found itself increasingly in the cross hairs of the United States government, as have other successful Chinese companies. The Pentagon has banned the use of its drones, and in January the Interior Department decided to continue grounding its fleet of the company’s drones over security fears. DJI said the decision was about politics, not software vulnerabilities.
For months, U.S. government officials have stepped up warnings about the Chinese government’s potentially exploiting weaknesses in tech products to force companies there to give up information about American users. Chinese companies must comply with any government request to turn over data, according to American officials.
“Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so,” said William R. Evanina, director of the National Counterintelligence and Security Center. “All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China’s state security apparatus.”
The drone vulnerability, said American officials, is the kind of security hole that worries Washington.
The security research firms that documented it, Synacktiv, based in France, and GRIMM, located outside Washington, found that the app not only collected information from phones but that DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.
The changes are also difficult for users to review, the researchers said, and even when the app appears to be closed, it awaits instructions from afar, they found.
“The phone has access to everything the drone is doing, but the information we are talking about is phone information,” said Tiphaine Romand-Latapie, a Synacktiv engineer. “We don’t see why DJI would need that data.”
To read the full report from Synacktiv click here and for the GRIMM report click here.
Source: New York Times