Popular Chinese-Made Drone Is Found to Have Security Weakness

Cybersecurity researchers revealed on Thursday a newfound vulnerability in an app that controls the world’s most popular consumer drones, threatening to intensify the growing tensions between China and the United States.

In two reports, the researchers contended that an app on Google’s Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft.

The world’s largest maker of commercial drones, DJI has found itself increasingly in the cross hairs of the United States government, as have other successful Chinese companies. The Pentagon has banned the use of its drones, and in January the Interior Department decided to continue grounding its fleet of the company’s drones over security fears. DJI said the decision was about politics, not software vulnerabilities.

For months, U.S. government officials have stepped up warnings about the Chinese government’s potentially exploiting weaknesses in tech products to force companies there to give up information about American users. Chinese companies must comply with any government request to turn over data, according to American officials.

“Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so,” said William R. Evanina, director of the National Counterintelligence and Security Center. “All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China’s state security apparatus.”

The drone vulnerability, said American officials, is the kind of security hole that worries Washington.

The security research firms that documented it, Synacktiv, based in France, and GRIMM, located outside Washington, found that the app not only collected information from phones but that DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.

The changes are also difficult for users to review, the researchers said, and even when the app appears to be closed, it awaits instructions from afar, they found.

“The phone has access to everything the drone is doing, but the information we are talking about is phone information,” said Tiphaine Romand-Latapie, a Synacktiv engineer. “We don’t see why DJI would need that data.”

Ms. Romand-Latapie acknowledged that the security vulnerability did not amount to a backdoor, or a flaw that allowed hackers into a phone.

DJI says its app forces updates on users to stop hobbyists who try to hack the app to circumvent government-imposed restrictions on where and how high drones can fly.

“This safety feature in the Android version of one of our recreational flight control apps blocks anyone from trying to use a hacked version to override our safety features, such as altitude limits and geofencing,” Brendan Schulman, a DJI spokesman, said in a statement. “If a hacked version is detected, users are prompted to download the official version from our website.” He added that the feature was not present in software used by governments and companies.

Neither Synacktiv nor GRIMM discloses its clients, but both have done work for aerospace companies and drone manufacturers that could potentially compete with DJI.

A Google spokesman said the company was looking into the claims in the new reports. Synacktiv did not find the same vulnerability in the drone maker’s iPhone application. Apple’s App Store is available in China.

“This research is a good reminder that organizations need to pay attention to the risks associated with the various technologies they’re using for operations,” said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency.

Some of the privacy concerns about the drones are common across many applications that scrape far more information than consumers may realize. But other potential vulnerabilities outlined by the researchers come from attempts to straddle the radically different internet environments in China, where the government can demand user data with near impunity, and in other places, like the United States, where broader legal protections exist.

For instance, DJI’s direct link to the Android app was most likely designed as a workaround for Chinese policies that block Google in China, forcing companies to send Android app updates themselves. App makers in China must rely on a chaotic and competitive clutch of websites and app stores to get their products to the consumer. Under such limitations, updates are not easy, and some companies craft software that can be upgraded directly when needed.

Much of the technical data that the app collects fits with Chinese government surveillance practices, which require phones and drones to be linked to a user’s identity.

Such features look more like vulnerabilities in places like the United States. And with U.S.-China ties at their lowest in decades, Washington has taken an increasingly dim view of such issues, assuming that if Beijing can exploit a flaw in technology, it eventually will.

An icon of Chinese innovation, as well as a longtime security concern in the United States, DJI has struggled to allay worries about the safety of its drones, which shoot movies, guard power plants, count wildlife and assist the military and the police. For years, it has responded repeatedly to reports of vulnerabilities with patches and has worked closely with the U.S. government to quash other fears.

Still, security researchers with Synacktiv said the pattern of problems in DJI’s code and its quickly implemented fixes, which suggested that the company was already aware of some of the problems but had not fixed them, were also reason for concern.

“It is the mix of all of that which has made us suspicious,” said Ms. Romand-Latapie. “It makes the application quite dangerous for the user if they are not aware of what the application is capable of doing.”

Synacktiv did not identify any malicious uploads but simply raised the prospect that the drone app could be used that way.

A New York Times analysis of the software confirmed the functionality. An attempt to update the app directly from DJI’s servers delivered a message indicating that the phone The Times used “did not meet the qualifications for an update package.”

While the federal government has largely stopped using Chinese-made drones, state and local governments continue to use them, though they have the option of using a professional version of the app that has additional security measures.

Lin Qiqing contributed research.