The lack of security in commercial drones has been well documented, but one Chinese manufacturer is working to fix that by incentivizing researchers who can poke holes in the software its drones run on.
One of the largest unmanned aerial vehicle manufacturers, Dà-Jiāng Innovations Science and Technology (DJI), announced Monday it is launching a bug bounty program to reward researchers who find vulnerabilities in its drones.
The company makes a number of consumer drones, including the Phantom line of quadcopters and the Flame Wheel line of multirotor aircraft.
DJI is still drafting rules around the program but says it will pay between $100 and $30,000 for issues, “depending on the potential impact of the threat.”
The company is planning on launching a website with the program’s terms and a standardized form for reporting issues. Until then researchers interested in submitting a bug report can send an email directly to the company. DJI said it will entertain all vulnerabilities reported, regardless of whether the bugs are related to its servers, apps or hardware.
The company says it hopes the program can fix issues that could wind up disclosing the private data of users, like photos, videos, or flight logs. It says it also wants information on bugs that could lead to app crashes or affect flight safety, “such as DJI’s geofencing restrictions, flight altitude limits and power warnings.”
“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” Walter Stockwell, DJI’s director of technical standards said Monday. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”
The announcement came the same day DJI announced that it had removed a third-party plugin from its drones after its researchers discovered the plugin was gathering too much information about users. In particular the plugin, JPush, was spotted collecting the names of apps installed on users’ Android devices and forwarding that information to JPush’s server.
“DJI did not authorize or condone either the collection or transmission of this data, and DJI never accessed this data,” the company said in a statement, “JPush has been removed from our apps, and DJI will develop new methods for providing app status updates that better protect our customers’ data.”
The company said it also removed two “hot-patching” plugins, jsPatch for iOS and Tinker for Android that enabled the company to update elements in its apps. The company admits the plugins were hastily installed and that going forward it will ensure all app updates undergo thorough screening before being installed.
DJI’s drones were the subject of an internal U.S. Army memo that was circulated earlier this month. According to the memo, which sUAS News – a drone news site obtained, the U.S. Army Research Lab and U.S. Navy asked departments to halt the use of drones manufactured by the company, “due to increased awareness of cyber vulnerabilities.”
The drone company said it was unhappy with the leaked memo.
“We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues,” a DJI spokesman told sUAS News at the time.
The United States Computer Emergency Readiness Team (US-CERT) warned about vulnerabilities in one drone model, the DBPOWER U818A WiFi quadcopter, in April earlier this year. The bugs, which wound up existing in multiple drone models, could have let an attacker obtain read and write permissions to the drone’s filesystem and modify its root password in addition to crashing the device.