Researchers at Check Point Software Technologies, an Israeli-founded leading provider of cybersecurity solutions, and Chinese drone-maker DJI (Dà-Jiāng Innovations), a world leader in civilian drones and aerial imaging technology, recently revealed a bug that would have impacted DJI’s infrastructure and exposed user data, photos, and videos.
The researchers – Oded Vanunu, Dikla Barda, and Roman Zaikin – shared details of the potential vulnerability discovered in the user identification process within the DJI Forum, a DJI-sponsored online forum about the company’s products, that could have compromised users’ flight logs, photos, videos, audio, map views, and profile information, if exploited.
Get our weekly newsletter directly in your inbox!Sign up
Check Point said its researchers discovered that DJI’s platforms used a token to identify registered users across different aspects of the customer experience, making it a target for hackers looking for ways to access accounts.
If a user clicked on a specially-planted malicious link, the stolen credentials could then allow access to DJI’s web platform (account, store, forum), cloud server data synced from DJI’s GO or GO 4 pilot apps, and DJI’s FlightHub, a centralized drone operations management platform.
The researchers said that users would not receive any notification that a hacker accessed their account, while the attacker would have “completely uninhibited access to login and view the drone’s camera during live operations of any flights currently in progress, or download records of previously recorded flights that had been uploaded to the FlightHub platform.”
DIJ makes popular consumer drone, specifically quadcopters, with a 74 percent global market share, according to a September report.
The company was notified of the vulnerability in March and has since patched it. DJI said in a statement that the Check Point report “understandably raised several questions about DJI’s data security,” but that the vulnerability was classified as “high risk /low probability” because it “required a complicated set of preconditions to be successfully exploited: The user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum.”
DIJ said there was no evidence the vulnerability was ever exploited except by the researchers.
Check Point shared its findings through DJI’s Bug Bounty Program, which encourages security researchers to report issues with DJI’s products by offering monetary rewards.
“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, vice president and country manager, North America at DJI. “This is exactly the reason DJI established our Bug Bounty Program in the first place. All technology companies understand that bolstering cybersecurity is a continual process that never ends. Protecting the integrity of our users’ information is a top priority for DJI, and we are committed to continued collaboration with responsible security researchers such as Check Point.”
“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively, and we applaud DJI for doing just that,” said Vanunu, Head of Products Vulnerability Research at Check Point, in a statement. “Following this discovery, it is important for organizations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to a compromise of global infrastructure.”