Consumer and corporate customers were at risk


Vulnerabilities in the back-end technology supporting DJI drones offered a means for hackers to access users’ login credentials, enabling the theft of images, video, and other information.

Security researchers at Check Point discovered that recently resolved security loopholes meant hackers could have gained access to DJI (Dà-Jiāng Innovations) user accounts and some data that it held.

DJI consumer users who had synced their flight records, including photos, videos and flight logs, to DJI’s cloud servers were left exposed by shortcomings in the vendor’s authentication.

Corporate users of DJI FlightHub software, which includes a live camera, audio and map view, were likewise left at risk.

Information associated with a DJI user’s account, including user profile data, might also have been exposed.

The security problem, which has since been patched, stemmed in part from a weak authentication process within the DJI online forum.

DJI uses a token to identify registered customers across different platforms, so that obtaining a token linked to the forum (better known as a meta-key cookie) could unlock more sensitive information elsewhere.

Check Point explained in a blog post: “A user who logged into DJI Forum, then clicked a specially-planted malicious link, could have had his or her login credentials stolen to allow access to other DJI online assets.”

This malicious link trick relies on a cross-site scripting-style vulnerability to work.

Check Point reported the flaws to DJI in March under the latter’s recently instituted bug bounty program.

DJI assessed the vulnerability as ‘high risk/low probability’ due to a set of preconditions a potential hacker would have had to meet to stand any chance of pulling off an attack.

Update now

There’s no evidence the security loophole was ever exploited by anybody outside of Check Point’s team, which is just as well because the implications of an attack could have been nasty.

DJI is the market leader in consumer and corporate drones, with around two-thirds of the US market. Global drone shipments in 2017 were estimated at 10 million, up from seven million in 2016.

DJI recently issued a patch to mitigate the risk. Customers should protect themselves by updating to the latest version of the DJI GO or GO 4 pilot apps.

“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively, and we applaud DJI for doing just that,” said Oded Vanunu, head of products vulnerability research at Check Point.

“Following this discovery, it is important for organizations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”