DJI, the World's Most Popular Drone Maker, is Apparently Leaking User Data to China

Cybersecurity researchers revealed Thursday a newfound vulnerability in an app that controls the world’s most popular consumer drones, threatening to intensify the growing tensions between China and the United States. In two reports, the researchers contended that an app on Google’s Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft.

The world’s largest maker of commercial drones, DJI has found itself increasingly in the crosshairs of the U.S. government, as have other successful Chinese companies. The Pentagon has banned the use of its drones, and in January the Interior Department decided to continue grounding its fleet of the company’s drones over security fears. DJI said the decision was about politics, not software vulnerabilities.

For months, U.S. government officials have stepped up warnings about the Chinese government’s potentially exploiting weaknesses in tech products to force companies there to give up information about U.S. users. Chinese companies must comply with any government request to turn over data, according to U.S. officials. The drone vulnerability, said U.S. officials, is the kind of security hole that worries Washington.

The security research firms that documented it, Synacktiv, based in France, and GRIMM, located outside Washington, found that the app not only collected information from phones but that DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.

“The phone has access to everything the drone is doing, but the information we are talking about is phone information,” said Tiphaine Romand-Latapie, a Synacktiv engineer. “We don’t see why DJI would need that data.” Romand-Latapie acknowledged that the security vulnerability did not amount to a backdoor, or a flaw that allowed hackers into a phone. DJI says its app forces updates on users to stop hobbyists who try to hack the app to circumvent government-imposed restrictions on where and how high drone can fly.

A Google spokesman said the company was looking into the claims in the new reports. Synacktiv did not find the same vulnerability in the drone-maker’s iPhone application.

Paul Mozur, Julian E. Barnes and Aaron Krolik. c.2020 The New York Times Company