Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Cellphones Privacy Software

Ask Slashdot: Are My Drone Apps Phoning Home? 132

Slashdot reader bitwraith noticed something suspicious after flying "a few cheap, ready-to-fly quadcopters" with their smartphone apps, including drones from Odyssey and Eachine. I often turn off my phone's Wi-Fi support before plugging it in to charge at night, only to discover it has mysteriously turned on in the morning. After checking the Wi-Fi Control History on my S7, it appears as though the various cookie-cutter apps for these drones wake up to phone home in the night after they are opened, while the phone is charging. I tried contacting the publisher of the Odyssey VR app, with no reply.

I would uninstall the app, but then how would I fly my drone? Why did Google grant permission to control Wi-Fi state implicitly to all apps, including these abusers? Are the apps phoning home to report my flight history?

The original submission asks about similar experiences from other drone-owning Slashdot users -- so leave your best answers in the comments. What's making this phone wake up in the night?

Are the drone apps phoning home?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Are My Drone Apps Phoning Home?

Comments Filter:
  • Simple answer (Score:5, Informative)

    by Brett Buck ( 811747 ) on Sunday August 06, 2017 @11:52PM (#54954019)

    Yes. Recently, the military suspended the use of certain drone manufacturers products for the same reason.

    • Re:Simple answer (Score:5, Interesting)

      by Anonymous Coward on Monday August 07, 2017 @12:05AM (#54954055)

      Christ, it was even on Slashdot and they still downvote you.

      US Army Calls Halt On Use of Chinese-Made Drones By DJI [slashdot.org]

      Posted by BeauHD on Friday August 04, 2017 @05:40PM from the new-guidance dept.

      Due to "an increased awareness of cyber vulnerabilities with DJI products," the U.S. Army is asking all units to discontinue the use of DJI drones. The news comes from an internal memo obtained by the editor of SUAS News. It notes that the Army had issued over 300 separate releases authorizing the use of DJI products for Army missions, meaning a lot of hardware may have been in active use prior to the memo, which is dated August 2nd, 2017. The Verge reports:

      SUAS News published a piece back in May of this year that made a number of serious accusations about data gathered by DJI drones. Author Kevin Pomaski starts out writing, "Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent." However, he never follows up with evidence to demonstrate how this data becomes public or can be found through a Google search. Pomaski also point out, correctly, that when DJI users elect to upload data to their SkyPixel accounts through the DJI app, this data can be stored on servers in the U.S., Hong Kong, and China. This data can include videos, photos, and audio recorded by your phone's microphone, and telemetry data detailing the height, distance, and position of your recent flights.

      DJI provided the following statement to The Verge: "People, businesses and governments around the world rely on DJI's products and technology for a variety of uses including sensitive and mission critical operations. The Department of the Army memo even reports that they have 'issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.' We are surprised and disappointed to read reports of the U.S. Army's unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.' Until then, we ask everyone to refrain from undue speculation."

    • by AmiMoJo ( 196126 ) on Monday August 07, 2017 @03:00AM (#54954507) Homepage Journal

      No? The suspension was due to possibly justified paranoia.

      While it's possible that these apps are phoning home, there are legitimate reasons for doing so, e.g. updating no-fly zone maps that prevent the user from entering airport boundaries or flying over military installations. You know, the stuff that the government wants them to implement.

      Instead of asking Slashdot, this person needs to set up Wireshark to capture the packets. Might need to install a custom certificate on the phone in order to MITM the HTTPS stream too, if their security meets that basic level.

      • While it's possible that these apps are phoning home, there are legitimate reasons for doing so

        There is never a legitimate reason to do so without my knowledge and permission.

        • You're assuming that permission wasn't expressly given. You did read the EULA right?

          • Being in the EULA doesn't count as me giving permission.

            I understand that's not legally true, but it's certainly true in terms of common sense.

  • by Anonymous Coward on Monday August 07, 2017 @12:01AM (#54954039)

    Analytics. Telemetry. Whatever you want to call it, data is traversing the network without your explicit approval.

    • And the answer to the question in the last sentence is therefore: YES.

      What's in telemetry data is something that has to be investigated further.

      • What's in telemetry data is something that has to be investigated further.

        I've reached the point where I don't actually care what's in telemetry data anymore (in part because there's no such thing as "innocuous", "non-PII", or "anonymized" data). I'll do my best to stop it all regardless.

    • Indeed. A better question is, "Do I have any apps that are not phoning home?"

    • If data about me or my devices is being sent without my permission, I call that "spying".

  • by Anonymous Coward

    Ask Slashdot: What would we have called it if they never made ET?

    • by arth1 ( 260657 )

      An almost as common description not based on ET is "beaming back to the mothership".

  • some solutions.. (Score:5, Informative)

    by gl4ss ( 559668 ) on Monday August 07, 2017 @12:14AM (#54954091) Homepage Journal

    If you have a samsung and couple of hours I have a solution for you.. if you know a little bit of java.

    Samsung phones have firewall apis that you can access with a sdk from samsung and a license code. you can also turn off the wifi with same apis in a way that another app cant open it. also with same api's (and well, if you got admin rights somehow for your app on vanilla android too) you can enable/disable particular services and activities from within the app - this depends on the architecture of the app, but it is possible possibly to just turn off the phone home service.

    there are also other things you can do that work on all phones, there's an app on the play store for changing app permissions.

    (what it does is repackage the original .apk with different permissions. so you can remove the perm for wifi control from the apk - the app will still have permission for normal http connections though).

    now, you might ask why android doesn't give you as the device owner access to all these options just outright from opening the box: because fuck you peon, that's why.

    on vanilla android(without rooting) if you want to give admin rights to an app you have to do it BEFORE finishing the first start dialog flow and there isn't that many ways to do that except nfc on some models and a flawed otg auto-apk installer on some other models.

    so the samsung extra api's are a case where manufacturer additions to the firmware are actually pretty nice if you use them for yourself instead of someone using them against you.

    • by dargaud ( 518470 )

      (what it does is repackage the original .apk with different permissions. so you can remove the perm for wifi control from the apk - the app will still have permission for normal http connections though).

      You just have to remember to do that after every update of the app though. Kind of a drag.

      • No you don't. If the new update requires additional permissions, you'll be prompted for them.

    • by AmiMoJo ( 196126 )

      There are several firewall apps on Play and FDroid. They work by creating a local VPN connection which they can filter. As a bonus you get ad blocking too in some of them. I like DNS66.

    • I'd have a hard time trusting Samsung's firewall APIs without testing them rather extensively first.

  • by pgn674 ( 995941 ) on Monday August 07, 2017 @12:15AM (#54954099) Homepage
    Settings > Apps > tap the app (App info) > Advanced > Modify system settings > uncheck the Allow. That will disallow the app from enabling your WiFi.
    • by arth1 ( 260657 )

      Settings > Apps > tap the app (App info) > Advanced > Modify system settings > uncheck the Allow. That will disallow the app from enabling your WiFi.

      You lost me at "Advanced". There is no such setting in my particular Android version.

      • Then if you can't update to Android 6.0, root the phone (it's not like you have anything to lose with an older device). Titanium Backup will allow you to freeze / unfreeze an app at will. AFWall+ will let you allow/block each app's ability to use WiFi for LAN access, WiFi for Internet access, and cellular data for Internet access. There are other apps which will do the same, but I haven't used them so can't vouch for them.
      • Not all apps have the advanced option, only ones that do things that would be modified by it. For example, most of my apps don't have it, but DJI GO (my drone's app) does, but the only option there is "Draw over other apps."
        • A more common app with the Advanced and Modify System Settings option is Amazon Kindle, so if it's not showing up on Kindle, then you know it's not available on your version of Android.
    • by Anonymous Coward

      On my Samsung Note4 (Android 6.0.1), if you go to Settings > Application Manager > 3-dot menu > Change System Settings you can toggle whether an app can change system settings ("such as turning Bluetooth on or off"), but these AREN'T in the normal apps permissions. Completely stupid that it's separate.

      But the real issue is the fight over better default security for the people who know what they're doing vs more convenience for the people who have no clue. Whatever side you go with, the other side w

    • by meglon ( 1001833 )

      Settings > Apps > tap the app (App info) > Advanced > Modify system settings > uncheck the Allow. That will disallow the app from enabling your WiFi.

      Almost correct, it's actually: Settings > Apps > tap the app (App info) > Advanced > Modify system settings > uncheck the SkynetLaunchJudgmentDay.

      • *whine* But when I disallow SkynetLaunchJudgementDay I don't get to see when the dishwasher is done. Do you really want me to go over to the kitchen all the time only to notice that I've wasted a minute of my valuable time walking around like an idiot only to find that it's still running?

    • Unless there is an vulnerability that is unreported (undiscovered or intentionally undisclosed)
  • Not just Android... (Score:3, Interesting)

    by Anonymous Coward on Monday August 07, 2017 @12:31AM (#54954139)

    I had a drone with iPhone app that called home too so its not just an android issue at all.

  • You can pretty much count on any "smart" thing these days to phone home some type of data to be collected and monetized by the creator of that thing, and yes all you iFanBoies out there, that includes you as well. Why else do you think your sous vide heater, meat thermometer, thermostat, stove, refrigerator, dishwasher, garage door opener, etc -- fucking damn near unlimited list of crap no one needs 27/7 access to -- each require their own app be installed?

  • by Drakonblayde ( 871676 ) on Monday August 07, 2017 @12:52AM (#54954183)

    I've found that using a Pi-hole and adding the domains they're trying to call to the blacklist to be useful.

  • by Paul Johnson ( 33553 ) on Monday August 07, 2017 @02:43AM (#54954465) Homepage
    Oh give me a drone, That phones home on its own, And uploads all that I've done, And when it has phoned, Little drone of my own, Its makers will see all my fun.
  • ... assume 'yes'.

  • Is it in their interest to gather your data? Yes.
    Is it possible to them to gather your data? Yes.
    Does it cut into their bottom line because people would avoid their products? No. 9 out of 10 don't give a shit and the 10th (you) notices after he bought it.

    Do I need to answer your question or can you find the answer yourself?

  • Wait... what...!

    I often turn off my phone's Wi-Fi support before plugging it in to charge at night, only to discover it has mysteriously turned on in the morning. After checking the Wi-Fi Control History on my S7, it appears as though the various cookie-cutter apps for these drones wake up to phone home in the night after they are opened, while the phone is charging.

    How is this even possible!?

    Although I have owned a few Android phones over the last few year, my primary smartphone has been an iPhone since th

  • Comment removed based on user account deletion
  • A firewall app will block this kind of thing. For example: https://play.google.com/store/... [google.com]
  • Have we learned nothing from the whole Snowden experience?

    You put your drone in the fridge overnight. A microwave oven would be even better, for some values of oven.

  • I know this question is outside of the main focus of the post, but why is the submitter disabling Wi-Fi overnight? I can't think of any logical reason to do it.

    • I do this all the time. There is this thing called "power" that gets "consumed" when devices are on.

      You may have heard of it.

      There are also people that try to pirate your wi-fi during hours when you are sleeping, since you won't notice, and they can then use it to run various things, like blade servers in their basement used for hack attacks on foreign banks. That way it all gets traced back to you, since they changed their CPU ids. You end up in jail instead of them.

    • I can think of a lot of reasons to do this, but I don't know which one(s) the commenter has.

      In general, though, there's a compelling security reason: if you aren't actively using a communications channel, best practice is to shut it off to minimize the attack surface.

  • You would have to assume that any devices made and software updated by international companies could be potentially co-opted by those states in time of war to spy on national activities - anything with a camera, microphone, and internet connection. That includes the bazillion security cameras, drones, TVs with cameras, phones and laptops. I uninstalled a firmware upgrade to my security camera when I saw they wanted to upload all data to their cloud when I have a perfectly good one at home. Same with the wi-fi smart router. Time to get out the tin foil hats.
  • I have a Samsung GT-E2550, no apps because it's a feature phone. I use it to talk to people and (from time to time) send an SMS. Younger members of my family usually gather by tradition during public holidays to mock me, but they're beginning to wake up now.

    Seriously, I don't want a load of badly coded, intrusionware on my phone or for it to declare my location to all and sundry. Of course, it's possible to triangulate with cell tower data, but my view is that this level of intrusion shouldn't be a) defa
    • Younger members of my family usually gather by tradition during public holidays to mock me, but they're beginning to wake up now.

      I won't mock you at all, but I will point out that it's entirely possible to use a smartphone in a way that doesn't leak any data more than a feature phone does.

      my view is that this level of intrusion shouldn't be a) default b) 'easy'.

      Then you should lose your feature phone, too. If it has been made in the last 10 years or so, then it almost certainly includes a GPS receiver (even if you don't get to access it yourself) and reports your location to the your carrier on demand. This is the easiest way for companies to comply with the E911 regulations.

      • by hughbar ( 579555 )
        Thanks, I'm in the UK though. I'll have a look at the settings. Actually, it's pretty good, small, stays charged for a long time and inexpensive, if lost.
  • Probably (Score:4, Insightful)

    by JohnFen ( 1641097 ) on Monday August 07, 2017 @10:28AM (#54956113)

    In this day and age, you have to assume that every piece of software you run on any platform will be phoning home.

    That's why I firewall all traffic, incoming and outgoing, these days, especially on my phone. It's also rather interesting examining the logs of what was blocked.

    In fact, as I was doing routine firewall maintenance over the weekend, it occurred to me that at some point I made a shift -- I now pay more attention to outgoing traffic than incoming!

    Industry trends have resulted in it becoming necessary to treat all devices and software, inside or out, as threats.

  • To stop this kind of exfiltration you can install a VPN Firewall application that allows you to explicitly allow/deny network access to any app on your phone. i currently use one called "NoRoot Firewall" and it also helps to block Adware apps from retrieving their adware info is the app itself doesn't need network access. It keeps a log of what applications connect to, and that can be used to permit or deny per app.

    The "Connects" app will let you see where all your apps are connecting too on a map and you

  • The only apps I install are open source and I firewall my phone with droidwall. The reason: I was once recruited (I turned it down) to create a database to organize the "telemtry" data collected by a number of apps. To quote one of the executives, "These people out there have no idea how much data is collected". The EULA's say data "may be "collected but don't specify what in most cases, and I don't have time to analyze the apps traffic packets. Banking apps are getting a bad rep in Canada too because of th
  • You can find out exactly what's being sent. Just run Android x86 or macOS (with iPhone emulator from Xcode) in a VM and capture the packets from the virtual NIC. Open the .pcap file in Wireshark and see exactly what's being sent.

news: gotcha

Working...