This week, China-based DJI, the drone industry’s leading manufacturer, issued a public statement regarding the recent reports released by cybersecurity researchers (neither Synacktiv nor GRIMM) about the security of its drones’ control app.

In two reports, the researchers claimed that an app on Google’s Android operating system that powers DJI drones collects large amounts of personal information that could be exploited by the Chinese government. In the report, the researchers claim to have discovered typical software concerns, but no specific evidence that those potential vulnerabilities have been exploited. This is not the first time DJI has been accused of lax security safeguards.

DJI responded to these claims, saying that its goal is to help ensure that its comprehensive airspace safety measures are applied consistently across its control apps. However, because recreational pilots often want to share the photos and video they take using the drone with their family and friends over social media, the security of those social media sites must be reviewed by the pilot user. Further, DJI said, “When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website.”

The report also claimed that one of DJI’s drones could restart itself without any input from the pilot. DJI responded, stating, “[Our] DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim it did so. We have not been able to replicate this behavior in our tests so far.”

The potential vulnerabilities identified in the report have not been identified by DJI at this point, but DJI says that it has proactively offered security researchers payments of up to $30,000 (through its Bug Bounty Program) to assist in identifying and disclosing security issues with the control apps.

DJI also stated that its drone products designed for government agencies do not transmit data to DJI and are compatible only with a non-commercially available version of the DJI Pilot app. More specifically, “The software for these drones is only updated via an offline process, meaning this report is irrelevant to drones intended for sensitive government use. A recent security report from Booz Allen Hamilton audited these systems and found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party.”

All in all, DJI has been a part of the ongoing call for a set of industry standards for drone data security. However, until those standards have been set, we are sure to continue to see alleged flaws and risks to data collected and transmitted via drone.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.