It took about six months for popular consumer drone maker DJI to fix a vulnerability across its website and apps which, if exploited, could have given an attacker unhindered access to a drone owner's account.
The vulnerability, revealed Thursday by researchers at security firm Check Point, would have given an attacker complete access to a DJI user's cloud-stored data, including drone logs, maps, stills or video footage, and live feed footage through FlightHub, the company's fleet management system, without the user's knowledge.
Exploiting the flaw was surprisingly simple: it required a victim to click on a specially crafted link. But in practice, Check Point spent a lot of time finding the precise way to launch a potential attack, and none of them were particularly simple.
For that reason, DJI called the vulnerability "high risk" but "low probability," given the many hoops to jump through first to exploit the flaw.
"Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are handled quickly and efficiently," said Oded Vanunu, Check Point's chief of product safety research.
A victim would have had to click on a malicious link from the DJI Forum, where customers and hobbyists talk about their drones and activities. By stealing the user's account access token, an attacker could have pivoted to access the user's main account. Clicking the malicious link would exploit a cross-site scripting (XSS) flaw on the forum, essentially taking the user's account token and using it on the DJI account login page.
The researchers also found flaws in DJI's apps and its online FlightHub page.
Check Point reached out in March, when DJI fixed the XSS flaw on its end.
"Since then, we have gone product by product through all the elements of our hardware and software where the login process could have been compromised to ensure that this is no longer a readily replicable hack," said DJI spokesperson Adam Lisberg.
But it took the company until September to roll out fixes across its apps and FlightHub.
The good news is that it is unlikely that anyone independently detected and exploited any of the vulnerabilities, but both Check Point and DJI admit it would be difficult to know for sure.
"While nobody can ever prove a negative, we have not seen any evidence that this vulnerability was ever taken advantage of," said Lisberg.
DJI touted the fix as a victory for its bug bounty, which launched just over a year ago. The bug bounty had a rocky start: months later, the company threatened a security researcher, who "walked away from $30,000" after revealing a number of e-mails from the company, which in turn threatened him, after he found sensitive access keys for the company's Amazon Web Services instances.
This time, there was nothing but praise for the bug find.
"We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability," said DJI's North American boss Mario Rebello.
Good to see things have changed.