DJI Firmware Hacking Removes Drone Flight Restrictions

Use Netsparker


Drones have been taking over the world, everyone with a passing interest in making videos has one and DJI firmware hacking gives you the ability to remove all restrictions (no-fly zones, height and distance) which under most jurisdictions is illegal (mostly EU and FAA for the US).

DJI Firmware Hacking Removes Drone Flight Restrictions

It’s an interesting subject, and also a controversial one as people are worried that it could cause a drone to collide with a passenger plane (although in all honestly, I’m not sure how much damage a 1kg drone would do – some geese are much heavier).

Drone hackers in the UK are busy at work exploiting the application security shortcomings of a major manufacturer to circumvent restrictions, including flight elevation limits. DJI says it has pushed out a firmware update to nip the problem in the bud, but one expert The Register spoke to maintains that hacking is still possible.

The potential for drone hacking can be traced back to a mistake made by DJI in leaving development debug code in its Assistant 2 application. Changes could be made by commenting out one line in a file and setting the debug flag from false to true. The shortcoming exposed a full range of parameters that enabled hackers to turn off safeguards.

“It’s looks like ‪#DJI‬’s ‪#Spark‬ was jailbroken due to poor app security? Leaving dev code & passwords in the app was probably not a good idea,” UAVHive, a UK-based drone enthusiast community, said in a Twitter update.

Other DJI products – including the Phantom and Inspire 2 – have had the same jailbreak proven.


It seems DJI have left debugging code in the production app which enables hackers to change parameters via the DJI Assistant 2 application.

It’s also an act of hackers against DJI for limiting the behaviour of their drones, with many complaints of false positives on no-fly zones and the height restrictions being overly cautious.

DJI has been warned repeatedly since at least April, if not before, by Kevin Finisterre, a drone security expert, among others. Despite this, critics say DJI failed to act.

Concerns centre on the application security risks posed by the presence of DJI debug code in publicly released applications, something that creates a backdoor for hackers to meddle with the technology.

Recently numerous underground groups of drone users have sprung up and are collaborating on removing restrictions from their drones and even change performance parameters. For example, a Facebook group for drone enthusiasts included hackers in its ranks. A Slack group is even more active and seems to be where a lot of the actual effort is taking place, we’re told.

“The main focus of efforts is removing height restrictions with ongoing efforts to remove no-fly zones, there’s even secret groups of drone pilots now having height competitions to see who can push their drone’s performance the furthest,” a source told El Reg. “A lot of this extreme behaviour by DJI owners is a direct backlash at DJI for adding a range of restrictions including having to connect to their servers via the internet. Recently, for example, DJI’s infrastructure was down and users complained they were grounded as a result. The no-fly zone database has many false positives.”

With drones getting cheaper and more accessible (Like the DJI Spark), this is bound to happen more and more and I think there is a certain responsibility that lays with drone manufacturers to ensure their drones are safe from tampering.

What do you think? Yay or nay? Are the restrictions necessary, or can people generally make responsible decisions by themselves?

Source: The Register

Posted in: Exploits/Vulnerabilities, Hardware Hacking, Legal Issues


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.