Cyber security researchers have warned that DJI, a drone manufacturer used by British police, may be collecting unnecessary amounts of information from users’ phones, presenting a potential security concern.
French and American researchers at Synacktiv and GRIMM found, in two separate reports, that the Android app used to power DJI drones was also able to bypass the Google Play store, which vets apps and updates to make sure they are safe to use on phones. This behaviour, the researchers said, is sometimes seen in malicious software.
The app collected information including unique phone identifiers, which are not needed for flying drones and can be used to track, identify or eavesdrop on phone owners.
Adam Nichols, an expert in discovering software vulnerabilities and principal researcher at GRIMM, said that the strange data collection could be down to “slightly odd implementations for acceptable behaviour”, but added that they “could also be used in a much more nefarious way”.
In the worst-case scenario, DJI could collect enough information to accurately identify users and could target them, sending them malicious updates or applications to snoop on their phone or hop from there to the phone’s Wi-Fi network, Mr Nichols said. Regardless of the intention, “they have created an effective targeting system,” he added.
The researchers pointed out that there was no evidence that any information had been collected and sent to Beijing, nor that the glitch was an intentional backdoor. However, the existence of the vulnerability will give more ammo to Washington officials, who have been hurling espionage allegations at Chinese technology companies in recent months.
A DJI spokesman said that the issues were “typical software concerns, with no evidence they have ever been exploited”, adding that there was currently “no evidence of unexpected data transmission connections from DJI’s apps designed for government and professional customers”. Google said it was looking into the issue. It said that the bugs were found on apps that operate DJI GO4 devices, which are not sold for government use.