from the post-secret-keys-and-you-get-forked dept.
Drone hackers/researchers can modify the firmware for DJI drones, thanks to rogue DJI developers and a fork of a public Github repo:
Github rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal.
This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the flight control software: this software prevents DJI drones from flying in certain areas such as the approach paths for airports, or near government buildings deemed to be sensitive.
Though the released key is not for the latest firmware version, The Register has seen evidence (detailed below) that drone hackers are already incorporating it in modified firmware available for anyone to download and flash to their drones.
[...] In fact the people who posted the keys to DJI's kingdom, as well as source code for various projects, were DJI devs. The company said in a later statement that they were sacked.
The code was forked by drone researcher Kevin Finisterre, who submitted a successful rebuttal to the takedown request on the grounds that Github's terms and conditions explicitly permit forking of public repos.
[...] Drone hackers have already begun distributing modded firmware for DJI's popular Phantom drones, as we can see on – where else? – Github
Related: DJI introduced new software to stop its drones from flying in restricted airspace.
Skip the Complex Tracking Software, DJI Says, and Give Drones an "Invisible" License Plate
$500 DJI Spark Drone can Take Off and Land from Your Palm
DJI Will Ground Drones If They Don't Apply a Software Update
DJI Innovations, the leading manufacturer of drones, launched a beta version of its new "geofencing" system that should keep its drones from flying into restricted airspace. The new feature is called Geospatial Environment Online (GEO), and it will let users know about areas where drone flight is restricted, either due to regulations or because of safety issues.
GEO will stop DJI drones from taking off in restricted areas like airports, Washington D.C., and temporarily restricted areas such as places near forest fires or big stadium events. Sensitive areas around prisons and power plants will be off limits in the system as well.
DJI owners can temporarily opt out of GEO and unlock some of the flight restrictions, but there's a catch. They must have verified accounts with the company, with a credit card, debit card, or cellphone number on file. Users cannot turn off all the flight restrictions though; places like Washington D.C. will remain completely off limits.
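The GEO behaviour described above (some zones block takeoff outright, some can be unlocked by a verified account, others only warn) amounts to a tiered point-in-zone check. The block below is an added example of such a check, not DJI's code; the zone table, centre coordinates, radii and tier names are constructed for illustration.

```python
"""Tiered takeoff geofence check of the kind the GEO description implies.
Added example, not DJI's code: the zone table, coordinates, radii and
tier names are constructed for illustration only."""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Zone:
    name: str
    lat: float
    lon: float
    radius_m: float
    # "restricted": never unlockable; "authorization": a verified account
    # may unlock; "warning": advisory only.
    tier: str


# Constructed zone table; the centres are approximate landmarks only.
ZONES = [
    Zone("national-capital", 38.8977, -77.0365, 15_000, "restricted"),
    Zone("major-airport", 40.6413, -73.7781, 8_000, "authorization"),
    Zone("stadium-event (temporary)", 40.8296, -73.9262, 1_500, "warning"),
]

SEVERITY = {"restricted": 3, "authorization": 2, "warning": 1}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def zones_containing(lat, lon, zones=ZONES):
    """All zones whose circle contains the given point."""
    return [z for z in zones if haversine_m(lat, lon, z.lat, z.lon) <= z.radius_m]


def takeoff_decision(lat, lon, account_verified, zones=ZONES):
    """Return (decision, zone_name). When zones overlap, the most
    restrictive tier decides, so an unlock can never override a
    'restricted' zone."""
    hits = zones_containing(lat, lon, zones)
    if not hits:
        return ("allowed", None)
    worst = max(hits, key=lambda z: SEVERITY[z.tier])
    if worst.tier == "restricted":
        return ("blocked", worst.name)
    if worst.tier == "authorization":
        if account_verified:
            return ("allowed-after-unlock", worst.name)
        return ("blocked-until-unlock", worst.name)
    return ("allowed-with-warning", worst.name)


if __name__ == "__main__":
    for lat, lon, verified in [(38.8977, -77.0365, True),
                               (40.65, -73.78, False),
                               (40.65, -73.78, True),
                               (40.7128, -74.0060, False)]:
        print((lat, lon, verified), "->", takeoff_decision(lat, lon, verified))
```

The important design point is that the policy is evaluated on the aircraft and depends on the zone table and tier rules baked into its firmware; a check like this only holds for as long as the firmware is the one the manufacturer shipped, which is exactly why the leaked firmware decryption keys in the first story matter.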
Drones could someday have a sort of invisible license plate that allows local authorities to determine who the unmanned aerial system (UAS) belongs to. Pitched by Chinese drone manufacturer DJI, the concept for an electronic identification system for small drones is just one of many ideas as the Federal Aviation Administration looks into potential ways of identifying drone users.
DJI suggests drones should use the radio equipment already on board most systems to transmit a unique registration number. That number would identify the drone owner to law enforcement in the event of a complaint or flight through a restricted area. Areas with restricted drone flight, such as airports, could use radio equipment to read that number and report the ID number to the authorities. Since identifying the drone would require access to a database linking each number with a name, the invisible license plate approach would be less likely to be abused outside of law enforcement, DJI suggests.
"The best solution is usually the simplest," DJI wrote on Monday. "The focus of the primary method for remote identification should be on a way for anyone concerned about a drone flight in close proximity to report an identifier number to the authorities, who would then have the tools to investigate the complaint without infringing on operator privacy."
Source: Digital Trends
What's the non-soyvertisement angle for this drone? Uh... you can spy on people with it!
The drone starts at a surprisingly accessible $499. That was really going to be the big sticking point here — with most pundits considering anything under $1,000 a good play for the company's generally high-quality but high-priced products. It's still not cheap, exactly, given the number of budget drones that have flooded the market in recent years, but with all of the functionality the company has jammed into the thing, the Spark could well be DJI's first truly mainstream drone.
[...] [Aside] from size (which let's be honest, is the most important thing here), the Spark's got some pretty impressive tricks up its sleeves. It can take off from the palm of your hands and land back in it with little hassle. The demo of the functionality went exactly as planned, which isn't always the case at these sorts of events, especially given the swamp of cell phone signals that is Grand Central Station.
Even more impressive is a gesture-based control, about which the assembled press made audibly excited mumbled comparisons to Star Wars. And yeah, there's a selfie function, too. Smiling with your arms folded will trigger the picture taking functionality.
It's only capable of recording 1080p! No 4K = useless!
In related news, DJI users will apparently need to login and register their drones to activate certain features.
[Ed note: From what I've read, it is generally suggested to keep all active drones away from any persons — including yourself. What makes this drone so different? --martyb]
DJI Spark drones will not fly after September 1 until users have applied a mandatory software update:
DJI Spark drones will not fly after 1 September unless owners apply a mandatory software update, the device's maker has warned. DJI said the update to the small drone's core software fixes some flight control issues suffered by the gadget.
The drone maker said it had warned owners about the deadline so they could avoid having their craft grounded. But the mandatory update has caused some owners to question the control DJI retains over their devices.
In a statement, DJI said the update would improve how the Spark manages power. It also helps it work with smart spectacles that give owners an immersive view of what the drone films. It added: "If the firmware of either the aircraft or the battery is not updated by September 1, Spark will not be able to take off."
A bug bounty hunter shared evidence; DJI called him a hacker and threatened him with the CFAA.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
-- submitted from IRC
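Both the firmware-key story at the top of the page and the wildcard-certificate/AWS-key story above come down to the same failure: secrets committed to a public repository. The block below is an added example of the kind of pre-commit secret scan that catches those two classes of material (recognisable AWS access key IDs, PEM private-key blocks) plus a generic high-entropy-string heuristic for secrets without a fixed format. It is not DJI's code or the researcher's tooling; the sample files are constructed, and the credentials in them are the well-known AWS documentation example values, not real keys.

```python
"""Scan source text for committed secrets: AWS access key IDs, PEM
private keys, and otherwise unrecognised high-entropy strings.
Added example; not DJI's code or the researcher's tooling. The sample
files are constructed and use the AWS documentation example credentials."""
import math
import re
from dataclasses import dataclass

# Constructed sample "repository"; the AWS values are AWS's published
# documentation examples, not live credentials.
SAMPLE_FILES = {
    "config/aws.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "certs/wildcard.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make build` then flash the firmware.\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # redacted, so the scanner's own output does not leak the secret


# Fixed-format signatures. AWS access key IDs start with AKIA (long-term)
# or ASIA (temporary) followed by 16 uppercase alphanumerics.
SIGNATURES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Candidate tokens for the entropy heuristic: base64/hex-ish runs of 32+ chars.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64 is close to 6


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(s):
    return s if len(s) <= 12 else s[:4] + "..." + s[-4:]


def scan_text(path, text):
    """Return findings for one file's contents, line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
                matched = True
        if matched:
            continue  # a line already explained by a signature is not re-flagged
        for m in TOKEN.finditer(line):
            tok = m.group(0)
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high-entropy-string", redact(tok)))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping and return all findings."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.snippet}")
```

Wired into a pre-commit hook (hypothetical usage: feed it the staged blobs and fail the commit on any finding), a scanner like this would have stopped both a wildcard-certificate private key and an AWS secret before they ever reached GitHub. The entropy heuristic deliberately ignores short tokens, so the 20-character access key ID is caught only by its signature, while the 40-character secret key, which has no fixed prefix, is caught by its entropy alone.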