Researchers Reveal New Security Flaw Affecting China's DJI Drones

Researchers Reveal New Security Flaw Affecting China's DJI Drones

Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI) that comes with an auto-update mechanism that bypasses Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI's servers.

Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI) that comes with an auto-update mechanism that bypasses Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI's servers.

The twin reports, courtesy of cybersecurity firms Synacktiv  and GRIMM , found that DJI's Go 4  Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, the serial number of the SIM card), it makes use of anti-debug and encryption techniques to thwart security analysis.

"This mechanism is very similar to command and control servers encountered with malware," Synacktiv said.

"Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user's phone."

The Android app has over one million installs via the Google Play Store. But the security vulnerabilities identified in the app don't apply to its iOS version, which is not obfuscated, nor does it have the hidden update feature.

A "Shady" Self-Update Mechanism

GRIMM said the research was undertaken in response to a security audit requested by an unnamed defense and public safety technology vendor that sought to "investigate the privacy implications of DJI drones within the Android DJI GO 4 application."

Reverse engineering the app, Synacktiv said it uncovered the existence of a URL ("hxxps://service-adhoc.dji.com/app/upgrade/public/check") that it uses to download an application update and prompt the user to grant permission to "Install Unknown Apps ."

"We modified this request to trigger a forced update to an arbitrary application, which prompted the user first for allowing the installation of untrusted applications, then blocking him from using the application until the update was installed," the researchers said.

security

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

Best Custom Web & Mobile App Development Company

Top Web & Mobile Application Development Company in India & USA. We specialize in Golang, Ruby on Rails, Symfony, Laravel PHP, Python, Angular, Mobile Apps, Blockchain, & Chatbots

10 Cyber Security Tools to Watch Out for in 2021 - DZone Security

In this article, take a look at ten cyber security tools to watch out for in 2021, including NMap, Wireshark, Metasploit, and more!

How to Keep Your Java Applications Secure - DZone Security

The solution to keeping your Java applications secure is simple: make sure they stay up to date. Check out the details within.

What are the top Cyber Security Threats in 2020?

Learn Cyber Defense programming by Cyber Security Training. Know how to stop tactics of ransomware, malware, social engineering, phishing by hacking course.

Cloud Security: Is it Worth it?

Storing and managing corporate data by applying the cloud is becoming more and more popular. Companies grow, and it gets too expensive, and resources consuming to store their data on traditional servers. To prove it, look at the research conducted by Google in 2019 that includes insights for the cloud computing market for the next 10 years.