In recent days, security vulnerabilities in the Android version of the DJI GO 4 app have been publicly discussed. The security flaws in the DJI GO 4 app were made public in particular by the French internet security firm Synacktiv. DJI has now responded to the allegations in an official statement.
Synacktiv: Security flaws in the DJI GO 4 app
The security company's report states, among other things, that some functions of the DJI GO 4 app closely resemble the mechanisms of classic malware. From a cybersecurity standpoint, the report also criticizes that the app's numerous access permissions, for example to the smartphone's contacts, microphone, camera, location, storage or network, pose a security risk, since the corresponding data could be spied on without authorization via DJI's servers. According to Synacktiv, the DJI GO 4 app could even hypothetically enable the download of further malicious software, which in turn would violate the policies of the Google Play Store. In addition, there are said to have been versions of the DJI GO 4 app that collected personal data such as the IMEI, the serial number of the SIM card or other data not relevant to drone flight.
According to the French security firm, this data could be used by intelligence agencies or malicious individuals to track people or to eavesdrop on conversations and messages. The report further criticizes that the DJI GO 4 app on Android smartphones cannot be closed by swiping right. Instead, the app simply continues to run in the background and makes network requests. The Synacktiv team emphasizes that the security flaws exist exclusively in the Android version of the DJI GO 4 app; the security experts give the iOS version of the DJI GO 4 app a clean bill of health. In detail, the allegations against DJI read as follows:
Drones are currently one of the most dynamic products, with multiple use cases across sectors such as personal and commercial videography, farming and land surveying, law enforcement and national security, and more. One of the market leaders, China-based Daijiang Innovations (DJI), is often in the news for suspected cybersecurity and data privacy issues.
While there are technical reports sponsored by DJI stating that their associated mobile application, DJI GO 4, is harmless and does not send any personal information back to the Chinese manufacturer, we wanted to assess the technical capabilities of the application ourselves.
We found that:
- Despite being under scrutiny, DJI did not improve the transparency surrounding the potential abuse of its Android mobile application: the DJI GO 4 application makes use of similar anti-analysis techniques to malware, such as anti-debug, obfuscation, packing and dynamic encryption.
- After de-obfuscation, our research located two features of the software that call home and wait for a file that orders the user’s phone to install a forced update or install new software. This mechanism is very similar to command and control servers encountered with malware. Given the wide permissions required by DJI GO 4 (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or Weibo Chinese servers have almost full control over the user’s phone. This way of updating an Android app or pushing a new app completely circumvents Google feature module delivery or in-app updates. Google is then not able to do any verification on updates and modifications pushed by DJI. According to Google Play, the application has been installed on more than a million personal devices, suggesting any security risks are widespread.
- The MobTech component embedded in recent versions of the DJI Android GO 4 application collects personal data such as IMSI, IMEI, the serial number of the SIM card, etc. This data is not relevant or necessary for drone flights and goes beyond DJI's privacy policy. For example, the IMSI is used by cellular network operators. These sensitive, unique, persistent data identifiers can be used by intelligence agencies or malicious people to later track individuals or eavesdrop on communications.
- The DJI GO 4 application on the Android platform does not close when the user closes the app with a swipe right. The app continues to run in the background and makes network requests.
- Whereas our findings affect the Android version of DJI GO 4, the iOS version of the application is not obfuscated and doesn’t have the hidden update mechanisms.
Source: https://www.synacktiv.com/en/publications/dji-android-go-4-application-security-analysis.html
DJI: Statement on the security vulnerability in the DJI GO 4 app
According to DJI, the security flaws discovered in the DJI GO 4 app are merely potential vulnerabilities and typical software issues which, by the company's own account, have never been exploited. DJI says the app update function is intended to reduce the use of hacked apps. After all, hacked apps for DJI drones could make it possible to override geofencing settings or altitude limits. According to DJI, the security flaws in past versions of the DJI GO 4 app were also never exploited. The complete DJI statement is available here:
DJI takes the security of its apps and the privacy of customer data seriously. While these researchers discovered two hypothetical vulnerabilities in one of our recreational apps, nothing in their work is relevant to, or contradicts, the reports from the U.S. Department of Homeland Security, Booz Allen Hamilton and others that have found no evidence of unexpected data transmission connections from DJI’s apps designed for government and professional customers.
These researchers found typical software concerns, with no evidence they have ever been exploited. The app update function described in these reports serves the very important safety goal of mitigating the use of hacked apps that seek to override our geofencing or altitude limitation features. As the only major drone manufacturer with a Bug Bounty Program, we encourage all researchers to responsibly disclose security concerns about our products at security.dji.com.
We design our systems so DJI customers have full control over how or whether to share their photos, videos and flight logs, and we support the creation of industry standards for drone data security that will provide protection and confidence for all drone users.
We hope these details provide more context to understand these reports:
- When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website. In future versions, users will also be able to download the official version from Google Play if it is available in their country. If users do not consent to doing so, their unauthorized (hacked) version of the app will be disabled for safety reasons.
- Unauthorized modifications to DJI control apps have raised concerns in the past, and this technique is designed to help ensure that our comprehensive airspace safety measures are applied consistently.
- Because our recreational customers often want to share their photos and videos with friends and family on social media, DJI integrates our consumer apps with the leading social media sites via their native SDKs. We must direct questions about the security of these SDKs to their respective social media services. However, please note that the SDK is only used when our users proactively turn it on.
- DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim it did so. We have not been able to replicate this behavior in our tests so far.
- The hypothetical vulnerabilities outlined in these reports are best characterized as potential bugs, which we have proactively tried to identify through our Bug Bounty Program, where security researchers responsibly disclose security issues they discover in exchange for payments of up to $30,000. Since all DJI flight control apps are designed to work in any country, we have been able to improve our software thanks to contributions from researchers all over the world, as seen on this list.
- The MobTech and Bugly components identified in these reports were previously removed from DJI flight control apps after earlier researchers identified potential security flaws in them. Again, there is no evidence they were ever exploited, and they were not used in DJI’s flight control systems for government and professional customers.
- The DJI GO4 app is primarily used to control our recreational drone products. DJI’s drone products designed for government agencies do not transmit data to DJI and are compatible only with a non-commercially available version of the DJI Pilot app. The software for these drones is only updated via an offline process, meaning this report is irrelevant to drones intended for sensitive government use. A recent security report from Booz Allen Hamilton audited these systems and found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party.
- This is only the latest independent validation of the security of DJI products following reviews by the U.S. National Oceanic and Atmospheric Administration, U.S. cybersecurity firm Kivu Consulting, the U.S. Department of Interior and the U.S. Department of Homeland Security.
- DJI has long called for the creation of industry standards for drone data security, a process which we hope will continue to provide appropriate protections for drone users with security concerns. If this type of feature, intended to assure safety, is a concern, it should be addressed in objective standards that can be specified by customers. DJI is committed to protecting drone user data, which is why we design our systems so drone users have control of whether they share any data with us. We also are committed to safety, trying to contribute technology solutions to keep the airspace safe.
Source: https://www.dji.com/newsroom/news/dji-statement-on-recent-reports-from-security-researchers