Security researchers spot major bug in market-leading DJI drone tech

8 Nov 2018

Image: © ValentinValkov/Stock.adobe.com

Security firm Check Point alerted drone company DJI to a large vulnerability that could have impacted its infrastructure if exploited.

Check Point, a security firm, and DJI, a world-leading company in civilian drone and aerial imaging tech, have today (8 November) shared details of a potential bug that could have allowed attackers to gain access to user accounts belonging to the latter.

Platform vulnerability

Researchers at Check Point submitted details of the bug to DJI’s bug bounty programme, outlining how an attacker could have potentially accessed user accounts through an issue in the user identification process within DJI Forum, an online forum about proprietary products sponsored by the firm.

Check Point discovered that the company’s platforms used a particular token to identify registered users across different consumer experience aspects, making it a prime target for hackers seeking account access.

Customers who had synced flight records including photos, video and flight logs to DJI’s cloud servers could have become vulnerable. DJI’s corporate users who used FlightHub software, including a live camera, audio and map view, could have also been affected.

DJI bug bounty programme success

The vulnerability has since been patched. Mario Rebello, vice-president and country manager for North America at DJI, said: “We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability.

“This is exactly the reason DJI established our bug bounty programme in the first place. All technology companies understand that bolstering cybersecurity is a continual process that never ends.”

Oded Vanunu, head of product vulnerability research at Check Point, applauded the swift patching of the flaw by DJI. He added: “Following this discovery, it is important for organisations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”

Through the use of a cookie by the platform, an attacker would be able to hijack any user’s account and take control over the user’s DJI mobile apps, web account or FlightHub account. If a user clicked on a planted malicious link, it could have resulted in stolen credentials.

Engineers at the drone firm reviewed the report submitted by Check Point and marked it as high-risk/low-probability, due to a set of pre-conditions that need to be met before a potential attacker could exploit it. Both companies advised all users to remain vigilant whenever exchanging information digitally.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com