DJI said it is working to improve the security of its drone apps after a flaw put the privacy of its users at risk.
The company’s official apps for iOS and Android, which are used to control drones such as the Spark and the Phantom 4 Pro, could previously be ‘hotpatched’: the apps would download new code and execute it at runtime whenever the device had an internet connection.
Code delivered this way never passes through Apple’s or Google’s app store review, and whoever controls, or can tamper with, the channel the patches arrive over could potentially use it to run malicious code on the user’s device.
“We have updated the apps to remove the suspect code… We are going through all the code now to see if there’s anything else we didn’t know about,” DJI spokesman Adam Lisberg told Reuters.
In addition, DJI announced last week it was introducing a ‘bug bounty’ program to reward people who discover and report software issues to the company.
“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” said DJI director of technical standards Walter Stockwell.
“DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make,” Stockwell said.
Rewards will range from US$100 to US$30,000 “depending on the potential impact of the threat”.
DJI recognised it had “not previously offered formal lines of communication about software issues to security researchers, many of whom have raised their concerns on social media or other forums when they could not determine how best to bring these issues to DJI’s attention”.