Drone Security – DJI Fixed a Major Security Flaw
November 14, 2018
Drone security is quickly becoming a hot topic, as drones are not all just fun and games. They are used in many facets of life, from agriculture to infrastructure, and as such they are potential targets for hacking. The US Department of Defense recently banned the purchase of drones made by various companies, including DJI, due to security concerns. DJI fixed a major security flaw, discovered by researchers at Check Point, that allowed potential hackers to log into accounts without needing a password.
What Was the Major Security Flaw?
Back in March 2018, security researchers said they had found a vulnerability, actually comprised of two bugs, that allowed potential hackers to log into accounts without the need for a password. The flaw involved an opening in dji.com’s code that allowed them to inject their own JavaScript, taking advantage of how DJI authenticated accounts in association with its password-protected forums.
Once the code was inserted, the researchers were able to create malicious links that would redirect data destined for DJI to their own servers instead. The script captured the access tokens that are used for logging into DJI services. Since DJI used the same authentication method for its apps and forums, these stolen tokens could be used to log into accounts on all of DJI’s platforms. What’s worse, this bypasses other security options such as two-factor authentication, and the actual user would be unaware of what was happening. This is the same type of token-based access that hit several million Facebook accounts not long ago.
Although the bug was reported to DJI back in March, it took them six months to patch; the fix shipped in September 2018. The reason it took so long was that it had to be fixed across all of DJI’s services. It would have been faster if it had only affected one of them, such as the password-protected forums, but since it was a widespread issue, it took much longer.
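The reason a stolen forum token opened every DJI platform is that one token was honoured everywhere. The following is an added illustration, not DJI's code, of the weak design (one shared token) beside a scoped design in which each service only accepts tokens issued for it, plus the cookie attributes that keep a token out of reach of injected page scripts. The key, service names and user are constructed placeholders.

```python
"""Added example: cross-service login tokens vs. audience-scoped tokens.
Constructed demo, not DJI's implementation; key and names are placeholders."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # placeholder; a real service keeps this in a KMS/HSM


def _sign(payload: dict) -> str:
    """Serialise the claims and append an HMAC so tampering is detectable."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> Optional[dict]:
    """Return the claims if the MAC checks out, otherwise None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def issue_shared_token(user: str) -> str:
    """Weak design: one token that the forum, the app and FlightHub all accept."""
    return _sign({"sub": user, "exp": int(time.time()) + 3600})


def issue_scoped_token(user: str, audience: str) -> str:
    """Hardened design: the token names the single service allowed to accept it."""
    return _sign({"sub": user, "aud": audience, "exp": int(time.time()) + 3600})


def service_accepts(service: str, token: str, require_aud: bool) -> bool:
    """Server-side check a service performs on a presented token."""
    claims = _verify(token)
    if claims is None or claims["exp"] < time.time():
        return False
    if require_aud:
        return claims.get("aud") == service  # a forum token is useless against flight control
    return True  # shared-token design: any valid token unlocks any service


def cookie_header(token: str) -> str:
    """Set-Cookie attributes that stop page scripts from reading the session token."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

With audience scoping, a token lifted from the forum still cannot reach the drone-control service, and HttpOnly keeps injected JavaScript from reading the cookie in the first place.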
What Could a Potential Hacker Gain Access to and/or Do?
Basically, a hacker with these tokens can access any service that the compromised account has access to. Once in, the attacker could view sensitive information ranging from the live view of the drone’s camera, its location information and the photos/videos taken, to the last four digits of the credit card associated with the account.
As if all that wasn’t enough, if the compromised account was using DJI’s FlightHub solution, the hackers could even control multiple drones, give them missions and set routes! Can you imagine 100 or more drones taking off to who knows where automatically? You might think some bug or external factor (solar flares, etc.) was in play, and you’d be partly right. That external factor would just be a hacker, and it could leave you on the hook for damages if used maliciously.
What Could a Potential Hacker Do With the Data?
Although I’d be more concerned with control of my drone(s), access to the video/images can prove to be both a security and a privacy issue. You probably don’t have risqué images on your drone like you might on your phone, but that is a potential avenue for blackmail.
Access to location information can be used to track your movements and routines. Another possible use would be to provide access to your account(s) to others for profit. Who knows what motives would be behind that?
Was There Any Evidence of an Account Being Compromised?
DJI engineers reviewed the findings and deemed the vulnerability “High risk, low probability”. Even the researchers who discovered the issue said that it was “unlikely to be exploited in real life”.
Conclusion
Drone security is being looked at with more scrutiny as more drones flood the market. It’s a good thing that DJI fixed this major security flaw and that security researchers are identifying such flaws. I’d much rather have a flaw pointed out by the “good guys” than exploited by the “bad guys” and discovered after the fact, as was the case with Facebook.
I was blissfully unaware of any security issues with my account and, chances are, it was never compromised. Since the attack doesn’t actually grab your credential information, there’s no need to change your account passwords. That said, it’s not a bad idea to change your passwords from time to time, and any security event makes it a good time to do so.
Drones are a wonderful tool (or toy) but, as with most things these days, they’re susceptible to hacking and misuse. As I suggest to all of my IT-based clients: change your passwords from time to time and make sure they’re not something simple (I actually recommend password solutions like 1Password), keep everything updated and patched, and be aware of what’s going on with your accounts. If you stay vigilant, chances are you’ll experience few, if any, issues.
One possible step you can take to protect yourself from such an attack is to use a different app to control your drone, maybe one that’s not widely used or well known. I don’t know if it will actually make a difference, because I think you still have to log in with your DJI credentials in some of them, but not all, and I don’t know if there’s an app out there that will do what you want with your particular drone. That said, check out my DJI Mavic Pro Apps – My Top Picks post for some of my favorites, like Autopilot and Litchi.
Do you have anything to add to this post? Did I miss something or get something wrong? Were you compromised? Feel free to comment below. I read and respond to each one.
Thank you,
Scott Hinkle
MavicManiacs.com
This is interesting. I won’t say I know very much about the ins and outs of hacking, but I do know that drones have become a popular interest with many poor unsuspecting people who would not consider that their drones could be at risk of being hacked. It’s such a shame we cannot trust anything’s safety nowadays and have to be on our guard.
It’s good to hear that DJI fixed a major flaw and thanks to you for making us all aware.
I was actually impressed with how the vulnerability was handled. DJI didn’t just throw a patch at it. They took the time to redesign how their system works in order to make it more secure.
Thanks for commenting.
What with many jumping on the bandwagon of using drones to do their work for them, they should make sure there are no security hazards in the drone. The thing with hackers is they hack away until they get to their destination. Hopefully this security will prevent that from happening. Amazon is using drones for delivery and such; imagine all the account information one drone holds.
I agree. That said, this security vulnerability was not in the drones themselves but rather the authentication system to DJI’s services including software that controls the drones. Many times services are built on standards that are not developed by the companies using them in their products. Vulnerabilities may lie dormant for long periods. It’s only through companies like Check Point, white hat hackers or detected breaches that they are discovered and patched.
Sadly this is just the way it is. At least people are working to find and patch them before they are used maliciously.
Thanks for commenting.
Thank you for this article Scott.
It just goes to show that hackers are everywhere. Unfortunately, these companies don’t find out the flaws in time to save people the frustration of being hacked.
My Facebook account was hacked several months ago. To this date, I have not been able to retrieve that account. Even after reporting it and having my friends report it, Facebook still has not taken down that site. The scammers actually had the nerve to say I could get my page back for $400.00. I declined.
With the DJI attack, the seriousness of what could have happened, like the remote control of drones, is mind-boggling.
It just means we all have to be vigilant with all our online endeavors.
Thanks again,
Karen
Hello Karen,
I’m sorry to hear about your Facebook account. It’s definitely a frustrating situation. I’m just glad that no one has reported any issues with their drones based on this vulnerability. Because of this issue and the Facebook one, I suspect more companies will be evaluating their authentication processes to make sure they, too, aren’t vulnerable to the same or a similar attack.
I can only imagine how a fleet of 100 or more drones could have been used maliciously.
Thanks for commenting.
Hi Scott,
You did a very good job of explaining this issue to us. I never knew drones could also have such potential security issues which make them vulnerable to attackers. But I will first of all congratulate the US Department of Defense for their hard work and for investing their time into doing this security research. They have saved many people from potential attacks from these bad hackers who’re always looking for ways to get into people’s privacy and steal sensitive information.
I can’t even imagine what would have happened if this security flaw had not been discovered by the researchers, which prompted DJI to work on fixing the issues. I know what hackers can aim for. Just getting access to your location can be very bad for you, especially if they manage to get sensitive information such as access to your emails, which may contain some sensitive information, and it will get even worse if they are successful in getting your credit card information.
So, it was very good that they discovered this issue and fixed it. Even though it took some time before the problem got fixed, the effort is certainly worth it. Thanks for letting us know about this update.
Stephen.
Although the DoD is a great institution and does a lot to safeguard our citizens, I just want to be clear that security researchers from Check Point discovered and reported this issue to DJI. The DoD simply banned the purchase of commercial-off-the-shelf UAS, including DJI drones, for most (if not all) departments due to security concerns.
Misuse of drones by unscrupulous entities would be a dire thing indeed. Luckily this vulnerability was discovered and patched before any harm was done.
Thank you for taking the time to comment.