Drone Maker DJI Says Claims About Security of Pilot App 'Misleading'
Last month, France-based cybersecurity company Synacktiv reported that it had found some potentially serious security issues in the DJI GO 4 Android app, which allows users to control and manage recreational drones made by DJI. Synacktiv, whose findings were validated by US-based cybersecurity firm GRIMM, reported discovering a "forced update" mechanism that allowed the vendor to directly install an update or new software on a user's device without going through the checks required by Google Play.
DJI responded to Synacktiv's findings, and while it confirmed some of the vulnerabilities - the company said it released patches within a week of the report being published - it argued that the forced update mechanism is necessary to prevent users from installing hacked versions of its app in order to "help ensure that our comprehensive airspace safety measures are applied consistently."
"Moreover, to unlock flying in restricted airspace, a user has to ask DJI for permission using their process and will be delivered an unlock certificate linked to their aircraft and user account," Synacktiv said.
DJI told SecurityWeek that Synacktiv's latest claims are "false" and "misleading." The company claims that no version of its DJI Pilot app uses the SDK that collects device data.
"In addition to enhancing data security assurance, feature blocks the drone's ability to update flight safety restrictions and blocks the user's ability to 'unlock' some geofenced areas," DJI said in an emailed statement.