DJI fixes security flaw that potentially could have given hackers access to user data
- The vulnerability, if exploited, would have allowed hackers to steal drone users’ DJI accounts, giving access to other online assets such as flight logs
Cybersecurity researchers found a security flaw at drone maker DJI that could have given hackers access to owners’ data. The Chinese manufacturer has fixed the flaw.
The vulnerability was discovered in the user identification process within DJI Forum, a company-sponsored online forum about its products, researchers at Israeli firm Check Point Software Technologies said on Thursday. They said the vulnerability, if exploited, could have granted a hacker access to a drone user’s DJI account without the user being aware of it.
The vulnerability, which Check Point’s researchers flagged to DJI in March this year, would have allowed a hacker to plant a malicious link in the forum. Once a user logged into the DJI Forum and clicked on that link, the user’s login credentials would be stolen, allowing access to other DJI online assets.
That would have included user profiles and flight logs, which indicate the exact location of a drone during its entire flight, as well as photos and videos generated during those flights.
“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively,” Oded Vanunu, head of products vulnerability research at Check Point, said in a statement.
“Following this discovery, it is important for organisations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”