Researchers at cybersecurity company Check Point have today shared details of a vulnerability in DJI’s infrastructure that could have given hackers access to consumer and corporate user accounts, personal data, flight logs, photos, videos, and – if the user was flying with DJI’s FlightHub application – a live camera feed and map during missions.
Check Point submitted a report to DJI’s Bug Bounty Program, highlighting a process in which an attacker could have gained access to a user’s account through a vulnerability discovered in the user identification process within DJI Forum.
Check Point’s researchers found that DJI’s various platforms used a token to identify registered users across different aspects of the customer experience. Hackers could plant malicious links that would compromise accounts within that framework.
In a blog post outlining their investigation, Check Point explained the process of a possible exploit:
The vulnerability was accessed through DJI Forum, an online forum DJI runs for discussions about its products. A user who logged into DJI Forum, then clicked a specially-planted malicious link, could have had his or her login credentials stolen to allow access to other DJI online assets:
- DJI’s web platform (account, store, forum)
- Cloud server data synced from DJI’s GO or GO 4 pilot apps
- DJI’s FlightHub (centralized drone operations management platform)
We notified DJI about this vulnerability in March 2018 and DJI responded responsibly. The vulnerability has since been patched. DJI classified this vulnerability as high risk but low probability, and indicated there is no evidence this vulnerability was ever exploited by anyone other than Check Point researchers.
Check Point even made a Mission Impossible-style trailer for their findings, which is… interesting.
More data security issues for DJI?
Earlier this year DJI released the findings from an independent study into the company’s data security practices. The aim was to ease anxiety among the manufacturer’s commercial customers after concerns were raised by the US Army, among others, in 2017.
In the past, DJI has had some (since rectified) suspicious code within the DJI Go application. It’s important to note here that the vulnerability discovered by Check Point is different in nature. Rather than a suspicious line of code that could be harnessed by an insider intent on mischief, these discoveries appear to be accidental vulnerabilities.
DJI engineers reviewed the report submitted by Check Point and declared it to be ‘high risk/low probability’. The hoops an attacker and the victim would have to jump through creates a long set of preconditions that need to be met before a potential attacker could do anything harmful.
DJI says there is no evidence to suggest that the flaw was ever exploited.
According to Check Point, DJI took several months to resolve the issues that were highlighted. But rather than a sign of negligence, the researchers point out that the company chose not to push out simple fixes. Instead, the Chinese manufacturer made more fundamental changes to how trust and user authentication works behind the scenes to improve security for the long term.
A bug bounty success story?
It doesn’t look great for DJI, who will have hoped that the whole drone data security saga had come to an end. But at least these vulnerabilities were dealt with in a professional manner by everyone involved and the bug bounty program served its purpose on this occasion.
It’s also proof that DJI is responding responsibly, as any technology company should, to the ongoing process of keeping customer data secure.
“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, Vice President and Country Manager, North America at DJI.
“This is exactly the reason DJI established our Bug Bounty Program in the first place. All technology companies understand that bolstering cybersecurity is a continual process that never ends. Protecting the integrity of our users’ information is a top priority for DJI, and we are committed to continued collaboration with responsible security researchers such as Check Point.”
“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively, and we applaud DJI for doing just that,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point.
“Following this discovery, it is important for organizations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”