Chinese drone maker DJI says it is hunting security flaws in apps

NEW YORK (Reuters) - Chinese manufacturer SZ DJI Technology Co Ltd, the world’s largest civilian drone maker, said on Wednesday it was hunting for security flaws in its flight-control software after coders found its apps could be “hot patched” to circumvent scrutiny by Apple Inc and Alphabet Inc.

The DJI Phantom 3, a consumer drone, takes flight after it was unveiled at a launch event in Manhattan, New York April 8, 2015. REUTERS/Adrees Latif

“We have updated the apps to remove the suspect code,” Adam Lisberg, spokesman for DJI, said of the hot-patching problem.

“We are going through all the code now to see if there’s anything else we didn’t know about.”

DJI’s camera-equipped drones, which range from palm-sized models that cost as little as $500 to those the size of a small outdoor grill, command about 70 percent of the global commercial and consumer drone market, Goldman Sachs and Oppenheimer estimated in 2016.

Their cameras are increasingly used in sensitive settings, such as making movies or inspecting industrial facilities. AT&T deployed about four dozen drones, including DJI models, to spot cell tower damage after Hurricane Harvey. Lisberg said DJI had sent drones and spare batteries to help with the recovery.

But as their popularity has grown, so have concerns about data privacy. DJI’s apps, which run on Apple iOS and Google Android, until recently allowed “hot patching” new code into an app any time a tablet or phone connected to the internet.

Such code can turn a phone into a listening device, or send out sensitive data, computer security experts said.

“App developers are finding ways to circumvent the controls that go into the app stores,” said Michael Murray, vice president of security intelligence at cyber firm Lookout, which researched hot patching.

DJI’s apps connected with more than two dozen websites while booting up, sending user and location data, said Andreas Makris, a coder in Germany familiar with the apps.

DJI’s Lisberg said problems stemmed from third-party plug-ins that help users share images on social media. But at least one was sending data DJI didn’t know about, he said. DJI stopped it and is looking for other problems.

DJI is offering a “bug bounty” of up to $30,000 for coders who find flaws. It plans to release this month a feature that lets users disconnect phones or tablets from the internet while flying to ensure data is not sent out.

The company stepped up efforts to tighten security after the U.S. Army in May ordered service members to stop using DJI drones because of “cyber vulnerabilities.”

Reporting by Alwyn Scott; Editing by David Gregorio