DJI offer $30,000 bounty to hack its products and find security threats

Aug 29, 2017

John Aldred

John Aldred is a photographer with over 20 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter – and occasional beta tester – of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.

Well, I guess now we know why the US Army pulled all of its DJI products from service. DJI have removed the JPush plugin from the DJI Go and DJI Go 4 apps. It turns out that it had been collecting user data without its knowledge. Not without the user’s knowledge, without DJI’s knowledge. DJI blame the third party developer who created the JPush plugin.

The Verge reports that JPush wouldn’t have needed to collect a lot of data to do its job. But DJI say the app actually collected personal information, including a list of apps installed on the user’s Android device. In addition to this update, they’ve also announced a bug bounty programme rewarding up to $30,000 for those who can find exploits in their systems.

The JPush plugin was designed to provide smooth delivery of push notifications to Android devices once videos had completed the upload to DJI’s branded photo & video sharing platform, Skypixel. But it was doing far more than that, recording and reporting back personal information.

Many balked when DJI recently announced “Local Mode” that will let you fly your drone without Internet data on your mobile device. This seems to justify those privacy concerns. It’s obviously something that DJI are taking very seriously. Whether or not this particular issue is what the US Army declared as “Cyber Vulnerabilities” three weeks ago is unclear, but it would explain the move.

DJI have also removed their “hot-patching” plugins, jsPatch for iOS and Tinker for Android. These let DJI update elements of their drone apps without having to update the entire app.

While DJI blame the third party company who maintain the plugin for the issue, it is ultimately their responsibility. They really should check the systems they distribute through their own platform. But, it is nice to see them taking things seriously enough to offer a bounty for those that can identify security issues and exploits within their system.

[via The Verge]
