China Security

Popular Chinese-Made Drone Is Found To Have Security Weakness (nytimes.com) 60

Cybersecurity researchers revealed on Thursday a newfound vulnerability in an app that controls the world's most popular consumer drones, threatening to intensify the growing tensions between China and the United States. From a report: In two reports, the researchers contended that an app on Google's Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft. The world's largest maker of commercial drones, DJI has found itself increasingly in the cross hairs of the United States government, as have other successful Chinese companies. The Pentagon has banned the use of its drones, and in January the Interior Department decided to continue grounding its fleet of the company's drones over security fears. DJI said the decision was about politics, not software vulnerabilities.

For months, U.S. government officials have stepped up warnings about the Chinese government's potentially exploiting weaknesses in tech products to force companies there to give up information about American users. Chinese companies must comply with any government request to turn over data, according to American officials. "Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so," said William R. Evanina, director of the National Counterintelligence and Security Center. "All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China's state security apparatus." The drone vulnerability, said American officials, is the kind of security hole that worries Washington.

  • The DJI software is very phone homie and is getting worse with every iteration.

    Why does the battery firmware need to talk to DJI servers?

    • Re:Can Confirm (Score:4, Interesting)

      by Fly Swatter ( 30498 ) on Thursday July 23, 2020 @10:03AM (#60322739) Homepage

      Why does the battery firmware need to talk to DJI servers?

      I am no conspiracy nut, but it would seem to me that a foreign entity being able to cause battery fires because the firmware could be easily updated or triggered to do so when a toy phones home could be a national security problem.

      Wasn't there just a story about poor firmware in fast chargers allowing it to destroy and possibly cause fire to connected devices?

    • Re:Can Confirm (Score:5, Insightful)

      by AmiMoJo ( 196126 ) on Thursday July 23, 2020 @10:07AM (#60322753) Homepage Journal

      Yeah that's to keep the drone legal in your country. They download things like databases of no-fly zones and firmware updates enforcing them, because people can't be trusted not to go buzz an airport.

      • Re:Can Confirm (Score:4, Informative)

        by ArchieBunker ( 132337 ) on Thursday July 23, 2020 @10:27AM (#60322853)

        I'll let everyone in on a little secret. The no fly database is a file kept on your device. If you have write access you can edit the file yourself.

        • Which is why open-source Android can't have this... iPhone forever!

        • Re:Can Confirm (Score:5, Insightful)

          by thegarbz ( 1787294 ) on Thursday July 23, 2020 @11:05AM (#60322997)

          If you have write access you can edit the file yourself.

          I'll let you in on a secret. This is to stop morons not terrorists.

          • "This is to stop morons not terrorists." - Same thing really.
            • Don't make that dumb mistake. If anything actual people attempting to incite terror have shown to go a long way to circumvent basic systems. Encryption, burner devices, very much the kind of people who won't be foiled by a piece of DJI software.

              Quite a different breed from some mouth-breather who thinks it would be cool to get an aerial shot at an airport.

              • by j-beda ( 85386 )

                Don't make that dumb mistake. If anything actual people attempting to incite terror have shown to go a long way to circumvent basic systems. Encryption, burner devices, very much the kind of people who won't be foiled by a piece of DJI software.

                Quite a different breed from some mouth-breather who thinks it would be cool to get an aerial shot at an airport.

                While there is some truth to this, there is also a huge overlap between the "moron" class and the "terrorist" class (which has a lot of overlap with the "criminal" class for that matter). Putting barriers in front of the morons who endanger us because they are morons and didn't think what they were doing was dangerous also makes it a lot harder for the morons who are actively trying to do damaging things.

      • I have a DJI drone. It's amazing. I am very sick and tired of made-in-china scare stories which are obviously drummed up by the half-wits in the US who can't keep up. Tell me which company in the US makes a great drone. No. Body.

        The US is turning into a losing team that will lie and cheat and steal to win, instead of actually, you know, doing the work and being the best.

  • by jacks smirking reven ( 909048 ) on Thursday July 23, 2020 @10:10AM (#60322771)

    Genuine question to folks with drone experience on here, I have been interested in building a drone since there seems to be a pretty vibrant open source community around it with Pixhawk, Ardupilot, Mavlink etc but how does it match up feature-wise to something like DJI which seems to be abundantly popular due to it being so easy to buy and operate (too easy it could be said). It seems inevitable with every large Chinese manufacturer (and probably US/EU ones perhaps as well) that these concerns of data collection will appear.

    • by nnet ( 20306 ) on Thursday July 23, 2020 @10:44AM (#60322923) Journal
      Since DJI has designed their UAVs to be video platforms, flight stability and smoothness is paramount. When I built UAVs using other flight controllers, I found the ease and smoothness to be lacking compared to DJI. I stopped flying around 2015 when the FAA started injecting itself into the hobby so I don't know how far other flight controller hardware/software have developed since.
    • by mobby_6kl ( 668092 ) on Thursday July 23, 2020 @11:18AM (#60323045)

      DJI is basically the Apple of drones, a walled garden where they get to say what you can do (down to refusing to fly without a firmware update or if it thinks the area is restricted airspace). But if you want to make great videos, that's the way to go. It'll keep you and your drone safe, the video stable, and has a bunch of CV features that will track you as you run around on the ground. Flying it is pretty boring though. You just point it in the direction you want and it flies there.

      Ardupilot etc are extremely customizable and will let you do anything you want but it's the DIY approach that will probably have you spending more time tweaking PID values on the controller than flying it. These will let you fly in completely manual mode which is quite difficult but also rewarding. Since it looks like you want to actually build a drone, that's the way to go. DJI are all basically ready to fly drones now, I don't think they even have frame kits like they used to years ago.

    • by ceoyoyo ( 59147 ) on Thursday July 23, 2020 @02:24PM (#60323541)

      Want to record great video and the thought of tuning the damping factors in a motorized gimbal (and building the gimbal) doesn't turn you on? Get a DJI.

      Want to experiment, do acrobatics, fly through trees, crash lots and not cry too much? Buy some parts and build your own.

      Always fancied having a try at aircraft design? Get a 3d printer, wood shop or lots of styrofoam and git gud with a hot wire, and really build your own.

  • Don't a lot of devices and software, Chinese and not, do this? Also, the part about the Chinese government being able to access the data upon request .. isn't that the same of all data anywhere? Which country can't force its way onto a company's data? I am not saying it's right or acceptable, I'm saying we should prevent it everyplace rather than trading one tyranny for another.

    • At this point I don't understand why anyone in the US would buy electronics or software from the Eastern Bloc. Russia has dropped all pretense at being a reformed, pro-democracy nation and China is still China. How can we possibly trust them when they say their products are safe?
  • by Tailhook ( 98486 ) on Thursday July 23, 2020 @10:40AM (#60322905)

    Let's hope they are using better firmware in the ones they make with Gatling guns and bombs. [youtube.com] and selling in the Middle East. Sadly the odds that those are also running DJI code with the weapons stuff tacked on is somewhere between 99.99% and 99.999%.

  • I do find it inefficient for a drone to communicate to a Cloud server thousands of miles away to bounce back to a phone that are only hundreds of feet apart.

    For a lot of IoT devices, it seems the cloud isn't for what it is good for, (the ability to perform large calculations and be better balanced) but as a cheap workaround for the fact that TCP/IP was never designed to be a Remote Control input. Thus needing to connect to a shared public server to have both parts considered a client.

    • DJI doesn't use the cloud for remote, you have a normal RC controller for that. It does phone home though for firmware updates, restricted airspace database, etc.

  • If you RTFA, you'll see the article title is misleading and alarmist.

  • Am I supposed to take special notice about the completely unnewsworthy notice that complex computer systems have errors? Slashdot news!!! Software is not perfect! Gasp.

    Or am I instead supposed to care that this could be as easily exploited by China (China!!!! scary!!!) as by my own corrupt surveillance state? The land of the free my ass. The US is more corrupt and cares less about privacy or human rights than any modern nation. The US is an abomination, and I'm supposed to worry about China hacking my

    • The US is more corrupt and cares less about privacy or human rights than any modern nation.

      More than Russia or China? Now look, the USA is a shithole country, but it's still better than either of those two, where they don't even bother to pretend that you still have rights.

  • That DJI is insecure and probably spying on users is not news. The US Military banned the use of DJI drones back in 2017 citing the issues and several other government agencies and organizations followed suit soon after. These researchers are about 3 years late to the party...
  • This is a problem, because DJI products are actually very, very good, they are at the top of the game quality and price wise. There is really no US competition or any other decent competitors, world wide. For $399 you can get a 249 gram drone with an out there and back range of almost 3 miles and almost 30 min flight time, 2.7 megapixel resolution, and 60 frame/min video... what's not to like? The thing also finds its way home, if you leave it enough battery. I actually may buy one (as a hobby item). Thi
  • "Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so," said William R. Evanina, director of the National Counterintelligence and Security Center. "All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China's state security apparatus."

    That there is a beautiful example of implied verbal irony.

    Maybe

  • So legalize reverse engineering their shit with the offending code removed, and allow an American company to bootstrap homegrown drone software based on "stolen" code.

    If it's good for the goose...

  • Before the entire comment section goes into political name-calling, read the NYTimes report IN FULL please. Thought ./ was above stupid clickbait headlines. From the same NYTimes article https://www.nytimes.com/2020/0... [nytimes.com] "Ms. Romand-Latapie acknowledged that the security vulnerability did not amount to a backdoor, or a flaw that allowed hackers into a phone." "DJI says its app forces updates on users to stop hobbyists who try to hack the app to circumvent government-imposed restrictions on where and how
  • From drones to any other electronic device, everything has weaknesses. With time, most if not all can be owned.
