Drone Security – DJI Fixed a Major Security Flaw

November 14, 2018 | By Scott Hinkle

Drone security is quickly becoming a hot topic, because drones are no longer just fun and games. They are used in many facets of life, from agriculture to infrastructure inspection, and that makes them worthwhile targets for hacking. The US Department of Defense recently banned the purchase of drones made by various companies, including DJI, over security concerns. DJI has now fixed a major security flaw, discovered by researchers at Check Point, that would have allowed an attacker to log into a user's account without ever needing the password.


What Was the Major Security Flaw?

Back in March 2018, the security researchers reported a vulnerability, actually a chain of two bugs, that allowed an attacker to log into accounts without a password. The entry point was a cross-site scripting (XSS) hole in dji.com: the site let user-supplied content reach the page unescaped, so the researchers could inject their own JavaScript into the password-protected DJI forums and abuse the way DJI authenticated accounts there.

Once the script was in place, the researchers could craft links that, when a logged-in user clicked them, ran the injected JavaScript in that user's browser and sent data that was meant for DJI to a server the researchers controlled. What the script captured were the access tokens that DJI services use to recognize an already logged-in user. Because DJI used the same login mechanism for its mobile apps, its web services and its forums, a stolen token could be used to log into the same account on all of DJI's platforms. Worse, a stolen token bypasses protections like two-factor authentication entirely, since the second factor is only checked when a password is entered, and the real user would never know anything had happened. This is the same kind of access-token theft that hit tens of millions of Facebook accounts not long ago.

Although the bug was reported to DJI in March, it took six months to patch; the fix shipped in September 2018. The reason it took so long is that the same login tokens were honoured across all of DJI's services, so the fix had to be rolled out everywhere at once. Had the problem been confined to a single service, such as the password-protected forums, it could have been closed much faster.

What Could a Potential Hacker Gain Access to and/or Do?

Basically, a hacker holding these tokens can reach any service the compromised account can reach. Once in, the attacker could view sensitive information ranging from the live view of the drone's camera, its location data and the photos and videos it has taken, to the last four digits of the credit card associated with the account.

As if that weren't enough, if the compromised account used DJI's FlightHub solution, the hackers could even control multiple drones, assign them missions and set their routes! Can you imagine 100 or more drones taking off for who knows where, all on their own? You might assume some bug or external factor (solar flares, etc.) was at play, and you'd be partly right: the external factor was simply a hacker, and it could leave you on the hook for damages if the drones were used maliciously.

What Could a Potential Hacker Do With the Data?

Although I'd be more concerned about someone controlling my drone(s), access to the video and images is both a security and a privacy issue. You probably don't have risqué images on your drone the way you might on your phone, but anything private is a potential lever for blackmail.

Access to location information can be used to track your movements and routines. Another possible use would be to provide access to your account(s) to others for profit. Who knows what motives would be behind that?

Was There Any Evidence of an Account Being Compromised?

DJI engineers reviewed the findings and deemed the vulnerability as “High risk, low probability”. Even the researchers that discovered the issue said that it was “unlikely to be exploited in real life”.


Drone security is being looked at with more scrutiny as more drones are flooding the market. It’s a good thing that DJI fixed a major security flaw and that security researchers are identifying them. I’d much rather have a flaw pointed out by the “good guys” vs being exploited by the “bad guys”, after the fact, as was the case with Facebook.

I was blissfully unaware of any security issues with my account and, chances are, it was never compromised. Since the attack captured access tokens rather than your password, changing your password would not by itself have undone a stolen token, and there's no specific need to change it now. That said, it's never a bad idea to change your passwords from time to time, and any security event is a good excuse to do so.

Drones are a wonderful tool (or toy) but, as with most things these days, they're susceptible to hacking and misuse. As I suggest to all of my IT clients: change your passwords from time to time and make sure they aren't something simple (I actually recommend password managers like 1Password), keep everything updated and patched, and pay attention to what's going on with your accounts. If you stay vigilant, chances are you'll experience few, if any, issues.

One possible step you can take to protect yourself from such an attack is to use a different app to control your drone, maybe one that's not widely used or well known. I don't know if it will actually make a difference, because I think you still have to log in with your DJI credentials in some of them, but not all, and I don't know if there's an app out there that will do what you want with your particular drone. That said, check out my DJI Mavic Pro Apps – My Top Picks post for some of my favorites like Autopilot and Litchi.

Do you have anything to add to this post? Did I miss something or get something wrong? Were you compromised? Feel free to comment below. I read and respond to each one.

Thank you,

Scott Hinkle
