Multiple vulnerabilities have been discovered in several models of popular DJI drones that can be exploited to crash a drone mid-flight or even to find the exact location of a drone’s pilot.
DJI has been making consumer drones since 2013, and they remain some of the most popular models available today. A team led by Nico Schiller at the Horst Görtz Institute for IT Security at Ruhr University Bochum in Germany found a total of 16 different vulnerabilities in several DJI drones and has published a whitepaper (PDF) on the matter.
During their testing, the security researchers looked at the DJI Mini 2, the DJI Air 2 and the DJI Mavic 2. Fortunately, the researchers alerted DJI about the vulnerabilities, all of which had been patched at the time of writing.
Fuzzing for vulnerabilities
According to a blog post from Bitdefender, Schiller and the other researchers used a technique called “fuzzing” to look for vulnerabilities in DJI’s drones. This technique is quite popular among security researchers: it involves feeding a device large volumes of random or malformed input to discover cases where that input interferes with the device’s functionality.
The researchers created a dedicated fuzzing algorithm for DJI’s drones and, in the process, found critical flaws in the firmware that let them “gain elevated privileges on two different DJI drones and their remote controls,” according to CyberNews. These vulnerabilities also made it possible to crash a DJI drone while in the air, and 14 of the flaws can be triggered remotely using a pilot’s smartphone.
In order to keep an eye on its drones during operation, DJI has developed a tracking protocol called DroneID that transmits the position of a drone and its pilot to both law enforcement and operators of critical infrastructure such as airports. During their investigation, the researchers found that the data sent back and forth by the company’s drones isn’t encrypted, which means it is accessible to anyone within radio range. By exploiting this, an attacker could determine the exact location of a drone and its pilot.
Likewise, an attacker could also alter the serial number or log data of a vulnerable DJI drone to disguise their identity. This could also allow them to fly over airports and other restricted areas.
How to update your DJI drone
If you own a DJI drone, you should update the firmware immediately as the company has patched all 16 vulnerabilities.
There are two ways to do so: through the DJI Fly App or using DJI Assistant 2. The first method requires a smartphone with the DJI Fly App installed, while the latter involves connecting your drone to a computer. Regardless of which method you choose, make sure that your battery is charged to 50% or higher before you begin.
If you’re using the DJI Fly App, a firmware update alert will appear in the app. Follow the prompts and allow the app to download and install the new firmware, which usually takes around 10 minutes. With DJI Assistant 2, connect your drone to a computer and launch the DJI Assistant 2 app. After your drone is connected to the app, a firmware history page will appear. Select Update in the top right-hand corner to begin downloading and installing the latest firmware.
Just like with your smartphone and computer, keeping your drone updated and running the latest software is important. Firmware updates deliver security and bug fixes, and often performance improvements that affect how your drone flies and handles.