The US government has, over the past few months, increased its warnings regarding the Chinese government potentially misusing the weaknesses in tech products to force the companies to share user data with them.
User data leak: Drone powering app leaking user data to Beijing, find researchers! Cybersecurity researchers on Thursday reported that there were vulnerabilities in an app which controlled one of the most popular drones meant for consumers. In two separate reports, the researchers revealed that an app powering drones manufactured by China-based Da Jiang Innovations or DJI which is available on the Google Android operating system, is collecting a large amount of personal data. This data, they said, could be exploited by the Chinese government. Lakhs of people worldwide use the app to control their drones. This information could worsen the already tense situation between the US and China.
DJI, which is the largest maker of commercial drones in the world, has been increasingly finding itself in the crosshairs of the Donald Trump-led US government, much like other successful companies based in China. According to a report in NYT, the use of DJI’s drones has been banned by the Pentagon, while in January, the Interior Department decided that it would continue to ground its fleet of DJI drones due to security concerns. The decision, DJI said, was based on politics and not software vulnerabilities.
The US government has, over the past few months, increased its warnings regarding the Chinese government potentially misusing the weaknesses in tech products to force the companies to share user data with them, since the companies based in China must comply with the governmental request, according to the US officials. They added that the vulnerability of the DJI app is the kind of security loophole that they have been worried about.
The security research firms that documented the vulnerability – France-based Synacktiv and GRIMM located near Washington – found that the app was not only collecting user data from their phones, but the app could also update itself and release it to the consumers without Google reviewing the changes. This, they said, could violate the developer terms of service by Google Android operating system.
The NYT report quoted Synacktiv engineer Tiphaine Romand-Latapie as saying that while the phone can access everything that the drone does, the problem was that the information that the app was gathering was phone information, which they did not understand why DJI would want. Romand-Latapie said that this vulnerability does not necessarily amount to a backdoor or a flaw that lets users hack into a phone.
DJI on the other hand said that the app forced its updates on the users so that hobbyists couldn’t hack the app and circumvent the governmental restrictions regarding the flying of the drone.
Meanwhile, a spokesperson from Google said that the tech giant was looking into the claims made in the new reports.
Synacktiv said that the same vulnerabilities were not found in the iOS app of the drone maker.