DJI Drone Security Hole Patched - Threatwire Cross-post
Added 2018-11-13 16:44:10 +0000 UTC. By Shannon Morse
In a recently publicized report, security firm Check Point disclosed a major vulnerability in DJI's online cloud platform that could expose account data, including visuals, to an attacker. The vulnerability could let an attacker access private photos and videos from drone flights (if a user had synced them with DJI's cloud servers), user account information, flight logs including location data, and even real-time data such as drone location, the drone's microphone and a live camera feed. Potentially, an attacker could even take over a user's account. They could possibly see the last four digits of the account's credit card number, and if the user was using the DJI FlightHub tool, they could control multiple drones and set routes as well. A user would not know this was happening.
Check Point Research responsibly disclosed this to DJI, and DJI fixed it, while also stating that the attack had a low probability and that they had no evidence of it ever occurring in the wild. With that said, it was still classified as a high-risk vulnerability.
The problem occurred in DJI's cloud infrastructure, which allows a user to stay logged in seamlessly across all of DJI's platforms. This is called single sign-on (SSO): it keeps an active token on the user's account so they don't have to enter their login information each time they move from one app or platform to another.
Check Point found an issue on DJI.com that allowed them to inject their own JavaScript to query data, using a cross-site scripting (XSS) flaw. They then found a vulnerability on the forums that let them create a malicious link which would steal user cookies and send that data from DJI to their own server. The stolen information, the access token and the user cookie, is what keeps users logged in across platforms. Because the access token bypasses two-factor authentication, an attacker could move in without raising red flags. Lastly, Check Point also gained access to user accounts via the mobile app using a man-in-the-middle attack and the security tool Burp Suite, exploiting a weakness in the app's SSL pinning. According to a DJI spokesman, this vulnerability was disclosed through their bug bounty program and as such, Check Point could have received several thousand dollars as a reward, but Check Point did not request payment.
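The two paragraphs above describe the core of the problem: a single sign-on token that, once copied out of a cookie by injected script, works from anywhere and skips two-factor authentication. The following Python example is added here to illustrate the defensive side and is not DJI's code or anything from the Check Point report. It models a hypothetical SSO token service whose tokens are short-lived, signed, scoped to one platform (audience), bound to a hash of the presenting client's context, and revocable, and it builds the session cookie with the HttpOnly flag so that page script cannot read it in the first place. The secret key, user ids, audience names and client fingerprints are all constructed for the demonstration; binding to a client fingerprint is a heuristic, not a guarantee.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for the demo; a real service would load this from a KMS or secret store.
SECRET = secrets.token_bytes(32)

# Server-side list of revoked token ids (the "jti" claim), e.g. filled on logout or password change.
REVOKED = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _fingerprint(client_context: str) -> str:
    # Hash whatever the service uses to describe the client (e.g. user agent plus network),
    # so the token carries a commitment to the client without storing the raw values.
    return hashlib.sha256(client_context.encode()).hexdigest()


def issue_token(user_id: str, audience: str, client_context: str, ttl: int = 900, now=None) -> str:
    """Issue a signed SSO token valid for one platform, one client context and a short time."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "aud": audience,
        "fp": _fingerprint(client_context),
        "exp": now + ttl,
        "jti": secrets.token_hex(8),
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, audience: str, client_context: str, now=None):
    """Return (user_id, 'ok') or (None, reason). Every check is a place a stolen token can fail."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    payload = json.loads(_unb64(body))
    if payload["exp"] < now:
        return None, "expired"
    if payload["aud"] != audience:
        return None, "wrong audience"
    if payload["fp"] != _fingerprint(client_context):
        # The token was presented from a client context other than the one it was issued to,
        # which is what a token replayed from an attacker's machine looks like.
        return None, "client mismatch"
    if payload["jti"] in REVOKED:
        return None, "revoked"
    return payload["sub"], "ok"


def revoke_token(token: str) -> None:
    body = token.split(".")[0]
    REVOKED.add(json.loads(_unb64(body))["jti"])


def session_cookie_header(name: str, token: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie, so injected script cannot read it;
    # Secure and SameSite limit where the browser will send it.
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("user-42", "forum", "ua:demo-browser|net:198.51.100.10", now=t0)
    print(session_cookie_header("sso", tok))
    print(validate_token(tok, "forum", "ua:demo-browser|net:198.51.100.10", now=t0 + 10))
    print(validate_token(tok, "forum", "ua:other-browser|net:203.0.113.5", now=t0 + 10))
```

Each rejection reason maps to one of the mitigations a platform operator would add after an incident like this one: short expiry limits how long a leaked token is useful, audience scoping stops a forum token from opening the store or FlightHub, client binding and revocation make a replayed token fail, and HttpOnly removes the cookie from what XSS can reach.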
While DJI drones are consumer-friendly, their diverse ecosystem and third-party integrations allowed for this kind of vulnerability. DJI fixed the issue in September, and users do not need to take any steps to secure their own accounts. Check Point Research advises IT and network admins to adopt segmentation as a policy, to ensure that vulnerabilities like this are contained and limited.