DJI Firmware Hacking Removes Drone Flight Restrictions


Drones have been taking over the world, everyone with a passing interest in making videos has one and DJI firmware hacking gives you the ability to remove all restrictions (no-fly zones, height and distance) which under most jurisdictions is illegal (mostly EU and FAA for the US).

DJI Firmware Hacking Removes Drone Flight Restrictions

It’s an interesting subject, and also a controversial one as people are worried that it could cause a drone to collide with a passenger plane (although in all honestly, I’m not sure how much damage a 1kg drone would do – some geese are much heavier).

Drone hackers in the UK are busy at work exploiting the application security shortcomings of a major manufacturer to circumvent restrictions, including flight elevation limits. DJI says it has pushed out a firmware update to nip the problem in the bud, but one expert The Register spoke to maintains that hacking is still possible.

The potential for drone hacking can be traced back to a mistake made by DJI in leaving development debug code in its Assistant 2 application. Changes could be made by commenting out one line in a file and setting the debug flag from false to true. The shortcoming exposed a full range of parameters that enabled hackers to turn off safeguards.

“It’s looks like ‪#DJI‬’s ‪#Spark‬ was jailbroken due to poor app security? Leaving dev code & passwords in the app was probably not a good idea,” UAVHive, a UK-based drone enthusiast community, said in a Twitter update.

Other DJI products – including the Phantom and Inspire 2 – have had the same jailbreak proven.


It seems DJI have left debugging code in the production app which enables hackers to change parameters via the DJI Assistant 2 application.

It’s also an act of hackers against DJI for limiting the behaviour of their drones, with many complaints of false positives on no-fly zones and the height restrictions being overly cautious.

DJI has been warned repeatedly since at least April, if not before, by Kevin Finisterre, a drone security expert, among others. Despite this, critics say DJI failed to act.

Concerns centre on the application security risks posed by the presence of DJI debug code in publicly released applications, something that creates a backdoor for hackers to meddle with the technology.

Recently numerous underground groups of drone users have sprung up and are collaborating on removing restrictions from their drones and even change performance parameters. For example, a Facebook group for drone enthusiasts included hackers in its ranks. A Slack group is even more active and seems to be where a lot of the actual effort is taking place, we’re told.

“The main focus of efforts is removing height restrictions with ongoing efforts to remove no-fly zones, there’s even secret groups of drone pilots now having height competitions to see who can push their drone’s performance the furthest,” a source told El Reg. “A lot of this extreme behaviour by DJI owners is a direct backlash at DJI for adding a range of restrictions including having to connect to their servers via the internet. Recently, for example, DJI’s infrastructure was down and users complained they were grounded as a result. The no-fly zone database has many false positives.”

With drones getting cheaper and more accessible (Like the DJI Spark), this is bound to happen more and more and I think there is a certain responsibility that lays with drone manufacturers to ensure their drones are safe from tampering.

What do you think? Yay or nay? Are the restrictions necessary, or can people generally make responsible decisions by themselves?

Source: The Register

Posted in: Exploits/Vulnerabilities, Hardware Hacking, Legal Issues


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


Comments are closed.