Chinese drone firm DJI is pushing back against claims it quietly beams user data back to the homeland by releasing the results of an audit it paid for – which found the DJI Go 4 app indeed sends some data to Hong Kong.
This follows on from last year’s embarrassing DJI security cockup in which we revealed the firm’s developers had left its private AWS keys exposed on Github for so long that users had forked them. Github later rejected a DMCA takedown request by DJI aimed at nixing the forks with the keys in.
In addition, DJI was slapped with a blanket ban by the US Army, which ordered all of its personnel to stop using DJI drones immediately and hand them in for disposal. Small drones are increasingly popular with military and aligned governmental agencies around the world for their portable surveillance properties.
The British government has notably refused to implement any such ban, in spite of what appeared to be well-grounded fears from its closest ally last year.
The data security audit, which gives DJI a largely clean bill of health, was carried out by San Francisco, USA-based Kivu Consulting at DJI's request. Kivu bought sample DJI drones on the open market and downloaded the company's flight control apps from the various app stores, just as any ordinary user would.
On launch of the DJI Go 4 app on both Android and iOS devices, Kivu noticed it made DNS requests to a variety of servers around the world. In addition to US-based AWS and Alibaba boxes, the server list included Chinese-based ones for Bugly (hosted on Tencent's QQ service) and Hong Kong-based servers controlled by DJI, as Kivu described:
"Upon opening the GO 4 application, an HTTP POST command to an IP address of 126.96.36.199 resolving to djiservice.org is sent. This IP address is associated with an Alibaba cloud server located in Hong Kong. The POST is to /api/v1/sn/status and contains the country code, mobile device operating system, and a serial number."
In order to sniff network traffic, Kivu set up a dedicated test environment as follows:
Utilising a laptop installed with Kali Linux, a wireless Access Point ("AP") was connected to the Ethernet port on the laptop. With the laptop connected to a segregated wireless network, iptables rules were set to forward any traffic from the AP to the internet. With this in place, Kivu was able to intercept all network traffic being sent to and received from the connected mobile device without interference from any other network traffic. Kivu used TCPDUMP, a network packet capture utility, to collect data transmission to and from the GO 4 application. The captured network data was later analyzed in Wireshark.
The security auditors then carried out what appeared to be a thorough series of tests, including turning the drones on and off, connecting and disconnecting the controlling device to the drone, flicking the Wi-Fi off and on, and so on – all while sniffing the airwaves to see to whom the Spark, Mavic Pro, Phantom 4 Pro and Inspire 2 were talking.
Video uploads to DJI servers were SSL encrypted, according to the audit, while user-initiated flight log uploads were sent in "non-encoded, plaintext form" and included details of "the tracking number, token, app-type, serial number, timestamp, and signature".
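The capture-and-analyse workflow Kivu describes ends with an interpretation step: which hosts the app contacted, where they are hosted, and which requests left the device unencrypted. The Python below is an added example, not code from Kivu, DJI or The Register. It works over a constructed one-line-per-flow summary of the kind an auditor builds from tcpdump or Wireshark output (every hostname, region, path and field name is made up for illustration, and the `HOST_REGION` table stands in for the DNS answers and WHOIS lookups a real audit would use) and reports the two kinds of finding the article mentions: destination endpoints grouped by hosting region, and uploads that carried serial, token or signature fields without TLS.

```python
"""Post-capture analysis of the traffic a mobile app sends.

Added example, not code from Kivu, DJI or The Register. It reads a constructed
summary of captured flows instead of a real pcap, so it runs offline. All
hostnames, regions, paths and field names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed mapping of observed server names to hosting region. In a real
# audit this comes from the DNS answers in the capture plus WHOIS/geo lookups.
HOST_REGION: Dict[str, str] = {
    "api.example-drone-us.test": "US",
    "crash.example-cn.test": "CN",
    "telemetry.example-hk.test": "HK",
}

# Request fields whose appearance in an unencrypted body is worth reporting.
SENSITIVE_FIELDS: Set[str] = {"serial", "token", "imei", "signature"}

# Constructed capture summary, one flow per line:
# host|port|method|path|tls(1/0)|comma-separated body fields
CAPTURE = """\
api.example-drone-us.test|443|POST|/api/v1/sn/status|1|country,os,serial
telemetry.example-hk.test|80|POST|/api/v1/sn/status|0|country,os,serial
crash.example-cn.test|443|POST|/crash/report|1|imei,ip,stack
api.example-drone-us.test|443|PUT|/upload/video|1|
telemetry.example-hk.test|80|POST|/flightlog/upload|0|tracking,token,app-type,serial,timestamp,signature
unknown.example.test|443|GET|/time|1|
"""


@dataclass
class Flow:
    dst_host: str
    dst_port: int
    method: str
    path: str
    tls: bool
    body_fields: List[str]

    def region(self) -> str:
        # Unknown destinations are reported as such, never silently dropped.
        return HOST_REGION.get(self.dst_host, "UNKNOWN")

    def exposed_fields(self) -> Set[str]:
        """Sensitive fields sent without TLS (empty set if the flow was encrypted)."""
        if self.tls:
            return set()
        return SENSITIVE_FIELDS & set(self.body_fields)


def parse_capture(text: str) -> List[Flow]:
    """Turn the summary lines into Flow records; blank lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, method, path, tls, fields = line.split("|")
        flows.append(Flow(
            dst_host=host,
            dst_port=int(port),
            method=method,
            path=path,
            tls=(tls == "1"),
            body_fields=[f for f in fields.split(",") if f],
        ))
    return flows


def endpoints_by_region(flows: List[Flow]) -> Dict[str, List[str]]:
    """Distinct destination hosts grouped by hosting region, sorted for stable output."""
    grouped: Dict[str, Set[str]] = {}
    for f in flows:
        grouped.setdefault(f.region(), set()).add(f.dst_host)
    return {region: sorted(hosts) for region, hosts in sorted(grouped.items())}


def plaintext_sensitive_uploads(flows: List[Flow]) -> List[Flow]:
    """Uploads (POST/PUT) that carried at least one sensitive field without TLS."""
    return [f for f in flows if f.method in ("POST", "PUT") and f.exposed_fields()]


if __name__ == "__main__":
    flows = parse_capture(CAPTURE)
    for region, hosts in endpoints_by_region(flows).items():
        print(f"{region}: {', '.join(hosts)}")
    for f in plaintext_sensitive_uploads(flows):
        print(f"PLAINTEXT {f.method} {f.dst_host}:{f.dst_port}{f.path} "
              f"exposes {sorted(f.exposed_fields())}")
```

The TLS flag is the deciding signal rather than the port number: a capture can show port 443 carrying cleartext or an odd port carrying TLS, so an auditor records whether a handshake was actually observed for each flow. Destinations absent from the region table land in an `UNKNOWN` bucket so they are followed up rather than lost.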
A developers' diagnostic app called Bugly was also present in the DJI Go 4 app data, which logs the host device's IP address and its IMEI number, along with various other debugging info. Kivu did not appear, from the report shown to The Register, to have delved much further into Bugly’s workings within DJI's kit, though it did separately record details of Bugly servers seemingly hosted on Tencent's QQ service.
The audit also looked at DJI's cloud storage locations, which Kivu said were operated by AWS and China's Alibaba – though both sets of servers were firmly planted in the US, it found. A review of security policies on DJI's buckets by Kivu "confirmed that DJI's network access controls are in order and designed to prevent unauthorised access to information stored on DJI's AWS cloud servers".
An audit of the servers themselves, as well as the DJI Go app, did reveal some vulns – precisely which was not specified – that were reported to DJI and later fixed under Kivu's direction.
Almost as an aside, Kivu noted that DJI's Faceaware tech, which lets dronies use gestures to send their 'copters careering across the living room, does not actually distinguish between individual faces, in spite of the tech requiring a human to gawp at the drone's camera during the setup phase. Faceaware uses Intel Movidius' Myriad 2 chip for this, as a typically hype-laden press release from Intel attests (sample: "DJI has implemented the cutting-edge vision and deep learning algorithms enabled by Myriad 2").
Talking to China? Yes – but only if you allow it
"Kivu's analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store, and transmit," stated the report's executive summary.
Going by the details of the report (which DJI has asked not be shared publicly, on the basis that it includes screenshots of what the firm described as proprietary code), DJI's drones now mostly do not broadcast user data, flight logs, video or imagery to Chinese-controlled servers unless the user specifically enables uploading and transmission of these things – a position the company has consistently held since El Reg started looking at its products more closely.
While in the past it certainly had some gaping security holes, and there are other aspects of its operations that give the non-casual observer pause for thought, for now the average Joe probably has no need to worry about the Chinese state reading off their data. At least, unless you start using the built-in upload features. ®