DJI has created a bug bounty program to reward those who discover security issues with the company’s software. DJI says its new threat-identification reward program is part of an expanded commitment to work with researchers and others to responsibly discover, disclose and remediate issues that could affect the security of its software.
Earlier this month, DJI came under fire by the U.S. Army, which said it would “halt use of all DJI products” due to “increased awareness of cyber vulnerabilities.” The Army memo cited an Army Research Laboratory report, “DJI UAS Technology Threat and User Vulnerabilities,” and a Navy memorandum, “Operational Risks with Regards to DJI Family of Products.” In turn, DJI developed a new local data mode that allows users to stop internet traffic to and from its drone flight control apps.
According to the company, the bug bounty program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of users’ private data, such as their personal information or details of the photos, videos and flight logs they create. The program is also seeking issues that may cause app crashes or affect flight safety, such as DJI’s geofencing restrictions, flight altitude limits and power warnings.
“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” says DJI’s director of technical standards, Walter Stockwell. “DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”
Rewards for qualifying bugs will range from $100 to $30,000, depending on the potential impact of the threat, the company says. DJI is developing a website with full program terms and a standardized form for reporting potential threats related to DJI’s servers, apps or hardware.
Starting today, bug reports can be sent to email@example.com for review by technical experts.
Even more security initiatives
DJI has also released updates to its DJI GO and DJI GO 4 apps to address concerns about software elements that transfer data over the internet.
Many features of the DJI GO and DJI GO 4 apps rely on third-party plugins that serve important functions, such as livestreaming, sharing photos and paying for items in the DJI Store. However, DJI has removed some third-party plugins from the apps after discovering that their behavior does not meet the company’s security standards.
DJI has removed JPush, which was implemented as a way to push notifications when video files are uploaded to DJI’s SkyPixel video sharing platform. JPush assigns a unique JPush ID to each user and informs SkyPixel of this ID when the user chooses to upload a video. After uploading is complete, SkyPixel sends the user’s unique JPush ID back to the JPush server, triggering an “Upload Complete” notification on the user’s DJI GO or DJI GO 4 apps. By using JPush’s third-party plugin, DJI has allowed users to multitask while uploading large video files to SkyPixel.
As a third-party company, JPush only needs to send and receive a minimal, narrowly defined amount of data in order for this function to work properly. Recent work by DJI’s software security team and external researchers has now discovered that JPush also collects extraneous packets of data, including a list of apps installed on the user’s Android device, and sends them to JPush’s server. DJI says it never accessed this data and did not authorize or condone either the collection or transmission of the data.
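The JPush finding above is a data-minimisation failure: a plugin that only needs a push ID and an upload event was also shipping an installed-app list. One way a defender can catch this class of problem before release is to capture the app’s outbound requests in a test harness and audit every body against an allowlist of the fields the plugin is contractually supposed to send. The following is an added example written for this article, not DJI’s or JPush’s code; the field names, endpoints (`*.example.invalid`) and log lines are constructed for illustration, and the allowlist stands in for whatever narrowly defined schema a real plugin is reviewed against.

```python
import json

# Fields the push plugin legitimately needs for the "Upload Complete" flow.
# Constructed schema for this example, not JPush's real protocol.
PUSH_ALLOWED_FIELDS = {"push_id", "event", "upload_id"}

# Fields that are sensitive on their own and should never leave the device via a
# narrowly scoped notification plugin (constructed list).
SENSITIVE_FIELDS = {"installed_apps", "contacts", "location", "device_imei"}


def audit_payload(endpoint, body, allowed=PUSH_ALLOWED_FIELDS):
    """Return a list of findings for one outbound request body (a JSON string).

    Any top-level field outside `allowed` is extraneous; fields that are also in
    SENSITIVE_FIELDS are rated HIGH, everything else MEDIUM.
    """
    findings = []
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        # An opaque body cannot be reviewed at all, which is itself a finding.
        return [f"{endpoint}: non-JSON body, cannot verify data minimisation"]
    if not isinstance(data, dict):
        return [f"{endpoint}: unexpected top-level JSON type {type(data).__name__}"]
    extra = set(data) - allowed
    for field in sorted(extra):
        severity = "HIGH" if field in SENSITIVE_FIELDS else "MEDIUM"
        findings.append(f"{endpoint}: {severity} extraneous field '{field}'")
    return findings


def audit_log(lines, allowed=PUSH_ALLOWED_FIELDS):
    """Audit captured request lines of the form '<endpoint> <json-body>'.

    Returns a dict mapping each endpoint with problems to its list of findings;
    endpoints whose bodies stay within the allowlist do not appear.
    """
    report = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # The endpoint contains no spaces, so the first space splits URL from body.
        endpoint, _, body = line.partition(" ")
        findings = audit_payload(endpoint, body, allowed)
        if findings:
            report.setdefault(endpoint, []).extend(findings)
    return report


# Constructed capture: two legitimate calls and one that leaks an app inventory.
SAMPLE_LOG = """
https://push.example.invalid/register {"push_id": "abc123", "event": "register"}
https://push.example.invalid/notify {"push_id": "abc123", "event": "upload_complete", "upload_id": "v-42"}
https://push.example.invalid/telemetry {"push_id": "abc123", "event": "heartbeat", "installed_apps": ["com.example.bank", "com.example.chat"], "device_model": "phone-x"}
"""

if __name__ == "__main__":
    for endpoint, findings in audit_log(SAMPLE_LOG.splitlines()).items():
        print(endpoint)
        for finding in findings:
            print("  " + finding)
```

Running the block flags only the telemetry endpoint, with `installed_apps` rated HIGH and the unexpected `device_model` rated MEDIUM; the register and notify calls pass because they carry nothing beyond the agreed fields. The same allowlist approach extends to any third-party SDK: each plugin gets its own schema, and the audit runs over traffic captured from an instrumented build so that over-collection is caught in review rather than by external researchers after release.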
DJI has also removed the “hot-patching” plugins JSPatch for iOS and Tinker for Android, which enabled DJI to immediately update elements within its apps without updating the entire app. These plugins were implemented to speedily address emerging flight safety concerns such as temporary no-fly zones and critical bugs. Nevertheless, DJI has removed them so that every app update undergoes the same thorough screening before installation.
DJI says it will continue examining other third-party plugins and services in DJI GO and DJI GO 4 and is committed to thoroughly investigating any new third-party plugins before adopting them. Existing plugins include YouTube and Facebook for livestreaming, Bugly for reporting app crashes, and Alipay and Taobao for payment in the DJI Store.
The company has also launched an internal educational program for its developers, as well as a more rigorous code review and testing process, to reinforce the importance of software security when developing new features.
DJI GO 4 versions have been updated to 4.1.7 for iOS and 18.104.22.168 for Android. DJI GO versions have been updated to 3.1.15 for iOS and 3.1.11 for Android. DJI urges its customers to download the newest versions.