Now-Resolved DJI Security Flaw Jeopardized User’s Drone Data, Photos, and Videos

Cybersecurity firm Check Point notified DJI of the flaw, which could’ve allowed hackers to commandeer a drone and access private user data in March.

byMarco Margaritoff|
Now-Resolved DJI Security Flaw Jeopardized User’s Drone Data, Photos, and Videos

Cybersecurity firm Check Point reported a vulnerability flaw in DJI’s cloud infrastructure that could’ve allowed hackers to commandeer drones in real-time, view their camera feeds, and access private user data such as flight logs, photos, and videos, Wired reports. 

Check Point notified the world’s leading drone manufacturer of this disconcerting discovery in March through DJI’s bug bounty program, with the Shenzhen-based company since patching and resolving the problem. 

In simple terms, the bug facilitated the faking of the software’s authentication tokens, which allow users to remain logged in as they toggle between DJI’s various cloud-based portals and websites. By offering a single sign-on feature, one active token is practically all a nefarious attacker would need to take over an account. 

“This is a very deep vulnerability,” said Oded Vanunu, Check Point’s head of products vulnerability. “We’re drone fans and fans of DJI, but we want to bring awareness about account takeover vulnerabilities in big vendors’ systems. In order to let users access different services without having to enter a username and password all the time, companies use one-time authentication to make a user token that’s valid across everything. But that means we’re living in an era where a targeted attack can become an extensive compromise.”

Check Point researchers located two bugs working in tandem as the primary weak point in DJI’s system. First, the single sign-on method made garnering a user’s information and hence, their authentication token, far too easy. Even so, a hacker would still require a cookie to use that info to fully take over an account. Secondly, DJI’s customer forums platform made it relatively simple to create a fake but functional DJI link that automatically stole a user’s authentication cookies. Since this is the world’s largest hobby drone manufacturer, Check Point argued that the forum’s popularity made completion of this process fairly easy.

DJI’s statement in response to these findings said Check Points discoveries “understandably raised several questions about DJI’s data security,” but that the bugs were largely a “high risk—low probability” issue, because “the user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI forum.” Though the drone company said it hadn’t found any evidence that a single user’s account had been exploited, it seems like it would’ve been a mere matter of time. 

In reaction, DJI didn’t just rewrite a few lines of code here and there to solve the issue. According to Check Point, DJI reworked trust and authentication elements of its system from the ground up over the course of several months. 

The bug bounty program responsible for allowing Check Point to notify DJI of this issue in the first place was established in August 2017, on the heels several privacy issues affecting DJI’s reputation as a trustworthy manufacturer. Perhaps most famously, the Pentagon issued a ban on any DJI products being implemented in fears of potential data breaches in U.S. armed forces. As it stands, DJI has paid out nearly $75,000 through this program to 87 researchers for their findings.

“This case was alarming because drones have a lot of private information and this was something that could be taken easily,” said Vanunu. “Giant platforms need to be careful about account takeovers.” 

In the end, Vanunu said Check Point’s relationship with DJI is a positive one, with this collaboration concluding positively and efficiently. The security firm didn’t even accept a reward for its discoveries.