The Washington Post

The Cybersecurity 202: Drone vulnerabilities add to U.S.-China spying tensions

with Tonya Riley

Researchers are warning about cybersecurity vulnerabilities in an Android app that powers a popular Chinese-made drone they say could help the Chinese government scoop up reams of information. 

The accusation comes amid a diplomatic clash between Washington and Beijing over everything from trade to the search for a coronavirus vaccine, and it's sure to worsen U.S. distrust of a broad range of consumer technology.

That distrust has embroiled everything from the telecom giant Huawei to the video app TikTok. The concerns have deepened during the coronavirus pandemic and are threatening to create a permanent fissure between Western and Chinese technology.

The vulnerability could allow DJI, the world’s largest drone maker, or someone with access to its computer systems, to grab information from the microphones, cameras, contacts and even locations of hundreds of thousands of drone owners worldwide, the cybersecurity firms Grimm and Synacktiv found. 

The company is also able to send automatic updates to the apps without Google or the drone owner consenting or even necessarily knowing the app is being updated, researchers found. Theoretically that update function could be used to load the phones with malware that could send troves of data back to China, they said. 

The feature is only present in Android apps used by consumer drone owners, not in the version used by companies and government agencies. It's also not present in the iPhone version of the app. 

Yet the alarm comes as DJI is already under intense scrutiny by China hawks and some U.S. officials. The Pentagon banned the company’s drones in 2017 over spying concerns and the Interior Department grounded its fleet of about 800 DJI drones in January. Lawmakers are seeking to ban them across the rest of the federal government and to root them out from state and local governments as well. DJI has said those bans are about politics, not security.

The new reports don’t include smoking-gun evidence against DJI. 

There’s no proof the app has been used to steal any information so far or to hand anything over to Beijing. 

A DJI spokesman told the New York Times the auto update feature is there to ensure drone hobbyists don’t hack the system so they can break government rules about where they can fly drones and how high. “If a hacked version is detected, users are prompted to download the official version from our website,” spokesman Brendan Schulman said. 

DJI’s ability to directly update the Android app may also be a workaround because of policies that block Google inside China, the Times’s Paul Mozur, Julian E. Barnes and Aaron Krolik report. 

But the absence of evidence of Chinese spying shouldn’t be taken as proof it’s not happening, U.S. officials warn. 

Indeed, they frequently argue Chinese companies are effectively arms of the government and would be powerless to refuse an order from Beijing to turn over sensitive data. 

“Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so,” William R. Evanina, director of the National Counterintelligence and Security Center, told the Times. “All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China’s state security apparatus.”

That’s effectively the same argument U.S. officials made to justify a slew of harsh restrictions against Huawei, including banning it from government computer networks and next-generation 5G phone and Internet systems. It also has proved somewhat effective in a U.S. diplomatic campaign urging allies to similarly restrict the company. 

U.S. officials are ramping up their warnings about the threat of major cyberattacks from adversary nations. 

The Department of Homeland Security and the National Security Agency issued a joint alert warning adversaries are eager to attack the Internet-connected components of critical industries such as energy plants and defense contractors. 

“As we’ve said many times, our adversaries are capable, imaginative and aim to disrupt essential services, so it is important that we make sure we are staying ahead of them,” Bryan Ware, assistant director of DHS’s cybersecurity division, said.

The keys

The Senate passed a major defense bill that includes $1 billion to help U.S. firms compete with Huawei.

The Senate version of the defense policy bill also includes:

  • More federal money to help the United States compete with China's computer chip industry.
  • An amendment requiring DHS to establish a cybersecurity state coordinator position in every state.
  • Provisions recommended by the Cyberspace Solarium Commission requiring defense contractors to participate in cyberthreat intelligence-sharing programs and that give greater powers to DHS's cybersecurity division.
  • A provision that gives DHS legal power to uncover the identities of companies being targeted by cyberattacks so it can warn them and recommend better protections.

The bill did not include a provision that's in the House version and would have created a cyber director position at the White House. A provision from Sen. Mark R. Warner (D-Va.), which would have required campaigns to report foreign efforts to interfere in a presidential election, was also dropped from the bill. President Trump has said he might listen if other nations offered him dirt on his opponents.

The House and Senate must now craft a compromise version of the annual bill before sending it to the president. 

A victim of Twitter’s monumental breach says it might have exposed his private messages with political dissidents. 

Dutch lawmaker Geert Wilders was among 130 people whose Twitter accounts were taken over by hackers. He was also among a smaller group informed by Twitter that hackers had accessed his direct messages, he told Toby Sterling at Reuters. The fiercely anti-Islamic politician said that his inbox contained private messages from dissidents in the Middle East who could be in danger if the messages were revealed.

“I do hope they will not be in danger if their identity would be exposed because of this hack,” he said.

The story highlights the damage hackers could cause with such an attack if they had broad access to prominent people's private messages. Other accounts the hackers compromised belonged to Joe Biden, Barack Obama, Bill Gates and Elon Musk.

Twitter did not confirm that Wilders was among the 36 account owners whose messages hackers viewed but did say one of the accounts belonged to an elected official in the Netherlands.

Twitter CEO Jack Dorsey apologized for the hack on an earnings call yesterday, Rachel Lerman reports.

“Security doesn’t have an end point. It’s a constant iteration to stay steps ahead of adversaries,” he said. “We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools.”

New evidence suggests the company was unprepared for the attack, which involved conning employees into giving up access to internal Twitter systems. More than 1,000 employees had access to those systems, Reuters reports.

Meanwhile U.S. lawmakers are still seeking answers about the attack. The company probably will brief the Senate Commerce Committee in coming weeks, Martin Matishak and Eric Geller at Politico report.

Apple’s co-founder and a cryptocurrency company are suing YouTube for failing to crack down on hackers and scammers.

Steve Wozniak, co-founder of Apple, filed a lawsuit with 17 other victims against YouTube for failing to take down cryptocurrency scams that used their likenesses. The scams have similar technical details to the ones hackers spread on Twitter last week, though it's not certain they're related, William Turton at Bloomberg News reports.

In the scams, hackers take over accounts of users with lots of followers, then run live streams about a fake cryptocurrency giveaway, conning those followers into sending them hundreds of thousands of dollars.

The cryptocurrency company Ripple says it's reported over 300 scams to YouTube, including one impersonating its CEO. It’s pursuing a separate lawsuit against the company.

“For every scam, giveaway, fake conspiracy that is taken down, multiple more pop up nearly immediately,” the company wrote in a blog post about the lawsuit.

YouTube notifies users when suspicious activity is detected, spokesman Alex Joseph told William. “If a user has reason to believe their account was compromised,” he said, “they can notify us to secure the account and regain control.”

Cyber insecurity

NSO Group was trying to sell its spyware to the Secret Service as recently as 2018.

The Israeli spyware company has been accused of helping authoritarian regimes use its spyware to crack down on dissidents and journalists. Emails pitching the phone-hacking product, obtained by Motherboard, specifically mentioned access to WhatsApp, Telegram and Signal. WhatsApp is suing NSO Group for allegedly aiding in the hacking of more than 1,000 of its users.

Motherboard also found NSO's U.S. branch, which is called Westbridge, pitched its hacking software to U.S. police departments.

More hacking news:

U.S. hatches plan to build a quantum Internet that might be unhackable (Jeanne Whalen)

Garmin services and production go down after ransomware attack (ZDNet)

The Senate Homeland Security regulatory affairs subcommittee will hold a hearing to examine modernizing telework, focusing on a review of private sector telework policies during the COVID-19 pandemic Tuesday at 2:30 p.m.

The Senate Commerce Subcommittee on Security will hold a hearing to examine the China challenge and how to build resiliency and competitiveness on Thursday at 10 a.m.

The Senate Armed Services Committee will hold a hearing on the findings and recommendations of the Cyberspace Solarium Commission on August 4 at 2:30 p.m.

Secure log off

Anthony Fauci threw out the first pitch on the Nationals' opening day: