European drone group Parrot reports the results of an independent data-privacy and security audit of its FreeFlight 6 mobile application for the ANAFI series of drones.
The extensive audit was conducted by Bishop Fox, one of the most recognised private offensive-security professional services companies, in order to scrutinise and objectively assess potential security vulnerabilities and privacy issues in the FreeFlight 6 app.
Bishop Fox’s deep assessment of the FreeFlight 6 mobile application for iOS and Android, as well as FreeFlight 6’s API web services, showed that the app delivers on Parrot’s promise of exceptional data security, protection and transparency. No user data is shared by the app unless the user explicitly chooses to share the information. The Bishop Fox team performed automated vulnerability scanning, source code review, and manual penetration testing in order to assess FreeFlight 6’s data-privacy protections and vulnerability to real-world exploits and attacks.
“The Bishop Fox team did not discover any functions in the source code to transmit flight data to Parrot-controlled storage outside of user-approved drone flight logs. Additionally, the team did not observe any transmission of drone- or application-captured media (photos, videos, audio clips) other than user-initiated sharing to social media.”
The Bishop Fox security and privacy audit for the Parrot FreeFlight 6 app confirmed the following key findings:
- The FreeFlight 6 mobile application available via the Apple App Store and Google Play matched the provided source code. The source code for the FreeFlight 6 app did not exhibit obfuscation techniques, and Bishop Fox did not identify any code or functionality that deviated from the stated design and purpose of the application.
- The Bishop Fox assessment team did not find any mechanisms to update or augment the FreeFlight 6 application outside of platform-released updates. Drone firmware updates are prompted to the user and are not initiated without the user’s permission.
- In reviewing permissions granted by FreeFlight 6 against the behaviors and actions exhibited by the app, the Bishop Fox team identified no suspicious activity that would indicate undisclosed data collection or sharing beyond the permissions explicitly granted by the user.
- The Bishop Fox assessment team was unable to gain unauthenticated access to any saved user data. Furthermore, the team verified that user data saved into cloud storage was purged upon user request.
- In reviewing interactions between the drones, mobile applications, and back-end API web services in the source code, Bishop Fox did not discover any transmission of flight data to Parrot-controlled storage outside of user-approved drone flight logs. The team did not observe any transmission of drone- or app-captured photos, videos, or audio clips unless it was explicitly initiated by the user.
Victor Vuillard, chief security officer and chief technology officer of cybersecurity at Parrot, applauds these results: “Parrot teams are fully committed to providing products designed to meet the highest level of security and personal data protection requirements. Bishop Fox’s assessment proves the high level of security and privacy that Parrot reached for all of its users’ benefits. We are proud to offer the most secure UAVs.”
As part of Bishop Fox’s comprehensive assessment, two medium-risk vulnerabilities and three low-risk vulnerabilities were identified in the FreeFlight 6 mobile app. The Bishop Fox team found that none of the vulnerabilities would impact user privacy or security.
Parrot’s upcoming software update will address two minor issues identified relating to configuration encryption. Following an internal review and based on user feedback, Parrot accepts the risk associated with the remaining medium- and low-risk vulnerabilities related to authorisation token expirations, root and jailbreak detection, and certificate pinning, as the benefits to both user experience and transparency far outweigh the low risks.