• Attackers could have accessed cloud-based flight records, stored photographs and a real-time view from drones’ cameras and microphones.
• The breach was caused by a flaw that existed in DJI’s online assets.

A critical flaw in the online platforms of DJI (Da Jiang Innovations), a China-based drone maker, may have allowed attackers to obtain Personally Identifiable Information (PII), including the credit card details of customers. The flaw exposed user accounts and could also potentially have let attackers take control of fleets of drones.

Security researchers Dikla Barda and Roman Zaikin at Check Point have published a detailed analysis of a DJI vulnerability that could provide full access to a drone user’s DJI account. Attackers could have accessed cloud-based flight records, stored photographs and a real-time view from drones’ cameras and microphones.

“Check Point's researchers discovered that DJI's platforms used a token to identify registered users across different aspects of the customer experience, making it a target for potential hackers looking for ways to access accounts. DJI users who had manually uploaded photos, videos or flight logs to DJI's cloud servers could have seen that data become vulnerable to hacking. It could have also allowed access to some customer information, and users on the DJI FlightHub fleet management system could have had live flight information accessed as well,” DJI said in a statement, SecurityWeek reported.

Modus operandi

The breach was caused by a flaw that existed in DJI’s online assets, such as the web account, the cloud-server data synced from DJI’s GO or GO 4 pilot apps, and DJI’s FlightHub.

Researchers observed that DJI used the same cookies across most of its platforms. Stealing these cookies could allow attackers to hijack user accounts and manipulate them without any hassle. These cookies could be accessed via a cross-site scripting (XSS) attack.

“To trigger this XSS attack all the attacker need do is to write a simple post in the DJI forum which would contain the link to the payload. After all, DJI limits links to content that resides in the forum itself and so in this way it is impossible to send a link to a malicious website,” said Barda and Zaikin in the report. “Furthermore, as there are hundreds of thousands of users communicating on DJI’s forum the attacker would not even need to share the malicious link as this would be done by the users themselves as they forward on the message and link.”

The researchers explained that the firm was notified about this vulnerability in March 2018, following which it took appropriate action and issued a patch. DJI said that there was no evidence of any customer data being stolen.

“We notified DJI about this vulnerability in March 2018 and DJI responded responsibly. The vulnerability has since been patched. DJI classified this vulnerability as high risk but low probability, and indicated there is no evidence this vulnerability was ever exploited by anyone other than Check Point researchers,” Check Point researchers said.

Cyware Publisher