DJI
| Basic information | |
|---|---|
| Founded | 2006 |
| Legal Structure | Private |
| Industry | Cameras, Drones, Electronics |
| Also known as | |
| Official website | https://www.dji.com/ |
DJI is a Chinese technology company headquartered in Shenzhen. DJI manufactures commercial unmanned aerial vehicles (UAVs, or drones) for aerial photography and videography. It also designs and manufactures camera systems, gimbal stabilizers, propulsion systems, enterprise software, aerial agriculture equipment, and flight control systems.
Consumer impact summary
Some of DJI's devices require an initial connection to a proprietary app (typically DJI Mimo or DJI Ronin) in order to be usable and to receive firmware updates. This application also requires various permissions, including access to location and other privacy-impacting data, which is then provided to and stored by DJI.
In particular, DJI drones have the following limits and caveats on their operation:
- They require persistent online reauthentication with a DJI account. Offline/signed-out operation is possible; however, the account will sign out after a period of no internet connectivity (usually a few weeks). When signed out, flight altitude is limited to 30m, and flight distance is limited to 50m. From the DJI Mavic 3 manual: "For increased safety, flight is restricted to a height of 98.4 ft (30 m) and range of 164 ft (50 m) when not connected or logged into the app during flight. This applies to DJI Fly and all apps compatible with DJI aircraft".
- The DJI Fly app consistently checks for new firmware and No-Fly Zone (NFZ) updates, and if detected, can soft-brick the device (preventing takeoff) until the updates are installed, showing the error "Unable to take off. Update Fly Safe database/Fly Safe database requires update".
- The DJI Fly App, required to control and operate DJI consumer drones with a mobile device, was removed from the Google Play Store in 2021. DJI requires Android users to install an APK file provided on their website in order to control their drone.
- DJI drones send out unencrypted RemoteID/Aeroscope packets that can be captured by anyone, to follow the Remote ID law in the USA. They contain, amongst other things, the drone's serial number, camera information, pilot location, and Return-to-Home location. A patch is available to mitigate this feature on certain drone models and firmware versions.
- DJI firmware comes with many GPL components whose sources aren't disclosed, thus violating the GPL license. There is a limited disclosure page for their enterprise platforms, but it is very outdated and doesn't cover the GPL software in newer (post Mavic 2) consumer drones (whose OS is based on Android).
- While many drones support the DJI Mobile SDK, drones released from late 2021/2022 onwards have not yet received support. This significantly inhibits consumers' ability to use their drones as they wish, because it prevents the use of third-party applications that often provide improved functionality and additional features. DJI Support has stated that the company intends to stop making SDK support available for new consumer models (such as the Air 3+ family) and to offer it only for enterprise series drones. For mapping use cases, users can now only rely on a tedious manual workaround rather than use dedicated applications.
- DJI drones can be permanently linked to users, which turns them into e-waste if they are carelessly returned to online shops.
- DJI devices have hardware fuses that can be blown using software to prevent firmware downgrade to earlier versions.
- DJI Action and Pocket cameras require activation with the DJI Mimo app after a few uses; otherwise they fail to function.
- The Android version of the DJI Mimo application requests full filesystem access to the user's device each time a connection to a DJI camera is initiated. If a user denies this permission, the application will refuse to connect to the camera. If a user grants permission for access to only a specific folder or selection of media, the app will connect. However, on every subsequent connection, the app will again prompt for full filesystem access with the message: "DJI Mimo would like to access mobile device's storage, so that you can use features, including editing and downloading photos and videos from camera. Otherwise, related services will be restricted. Go to settings to grant permissions". To prevent the app from gaining access to all files on the device, the user must repeatedly select the "Don't select more" option in the Android permission prompt. This option is positioned directly below the "Allow all" selection, which necessitates user attention during each connection to maintain a restricted level of access.
- The DJI Mini 2 SE is almost identical to the Mini 2, but despite having a 4K camera, it is limited to 2.7K by its firmware. Users have found ways to roll back the firmware, flash the Mini 2 firmware onto the device, and then shoot in 4K. In later firmware versions, DJI implemented anti-rollback features, making this impossible.
- The DJI RS 3 Mini requires the DJI Ronin app, downloaded directly from the DJI website for Android users, in order for the product to function after five "skips" of non-activation.
Incidents
This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the DJI category.
Data and camera feeds of vacuum robots publicly accessible (2026-02)
Due to insufficient security measures, DJI vacuum robots across the world could be controlled remotely by anyone who simply extracted an authentication token from the control app and communicated with DJI's servers. This also caused floor maps and camera feeds to be publicly accessible, even before a robot was paired with the DJI app for the first time.
When confronted with the security researcher's results, DJI claimed they had already discovered and fixed the issue internally the previous month, temporarily disabled access to video feeds, and rolled out updates. However, at the time of writing, not all issues had been fixed. The company also did not respond to any of the security researcher's emails and only communicated in DMs described as robotic on X (formerly known as Twitter).[1]
Products
See also
References
- [1] Hollister, Sean (2026-02-14). "The DJI Romo robovac had security so poor, this man remotely accessed thousands of them". The Verge. Archived from the original on 2026-02-14. Retrieved 2026-02-14.