DJI fixes security flaw that potentially could have given hackers access to user data
- The vulnerability, if exploited, would have allowed hackers to steal drone users’ DJI accounts, giving access to other online assets such as flight logs
Cybersecurity researchers found a security flaw in drone maker DJI that could have given hackers access to owners’ data, which the Chinese manufacturer has fixed.
The vulnerability was discovered in the user identification process within DJI Forum, a company-sponsored online forum about its products, researchers at Israeli firm Check Point Software Technologies said on Thursday. They said the vulnerability, if exploited, could have granted a hacker access to a drone user’s DJI account without the user being aware of it.
The vulnerability, which Check Point’s researchers flagged to DJI in March this year, would have allowed a hacker to plant a malicious link in the forum. Once a user logged into the DJI Forum and clicked on that link, the user’s login credentials would be stolen, allowing access to other DJI online assets.
That would have included user profiles and flight logs, which indicate the exact location of a drone during its entire flight, as well as photos and videos generated during those flights.
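The article describes a login credential obtained through one DJI site (the forum) being reused against other DJI services. One defensive check a web team can run against that class of problem is an audit of how session cookies are scoped and flagged. The example below is added here and is not code from the article, DJI or Check Point; it assumes the credential involved is a browser session cookie, which the article does not state, and the sample Set-Cookie headers are constructed.

```python
"""Audit Set-Cookie headers for attributes that limit what a malicious page
can do with a session cookie.

Added example, not from the article. It assumes (an assumption, not stated in
the article) that the stolen credential is a browser session cookie and that
the same cookie is accepted by several sites under one parent domain.
"""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into cookie name, value and an attribute map.

    Attribute names are lower-cased; flag-style attributes (Secure, HttpOnly)
    map to True, valued attributes (Domain, SameSite) map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing semicolon
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return a list of findings for one Set-Cookie header; empty means no issue found."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script running on the page can read the cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: browser default applies")
    elif str(samesite).lower() == "none":
        findings.append("SameSite=None: cookie is attached to cross-site requests")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.startswith("."):
        # A leading-dot Domain makes one session cookie valid on every subdomain,
        # so a problem on one site becomes a problem on all of them.
        findings.append(f"Domain={domain}: shared with every subdomain")
    return findings


# Constructed sample headers: the first is weakly scoped, the second hardened.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Domain=.example.com",
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(hdr)
        for finding in audit_cookie(hdr) or ["ok"]:
            print("  -", finding)
```

Run the file directly to see the findings for each constructed header; in practice the headers would be taken from the responses of each site that accepts the shared login.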
“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively,” Oded Vanunu, head of products vulnerability research at Check Point, said in a statement.
“Following this discovery, it is important for organisations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”
It took DJI until September to roll out fixes across its website and apps, according to a TechCrunch report.
“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, vice-president and country manager for DJI North America, in a statement.
The discovery of the security flaw has again brought to light the potential cybersecurity issues with remote-controlled drones, whether they are used for recreational, industrial or military purposes.
The Check Point report has come more than a year after the US Army banned use of drones from DJI because of security concerns.
DJI, the world’s largest maker of recreational drones, has increased efforts to get its data security practices validated after that debacle. In April, a report by San Francisco-based Kivu Consulting verified that DJI drone users have control over how their data is collected, stored and transmitted.
Shenzhen-based DJI has an estimated 74 per cent share of the global drone market, where it competes with 29 other brands, according to data published in September by Skylogic Research.
The discovery of the security flaw by Check Point was played up by DJI as a victory for its “Bug Bounty” programme, which was set up in August last year to encourage researchers to discover and report flaws in DJI products that may create security vulnerabilities, in exchange for up to US$30,000 in reward money.
“Protecting the integrity of our users’ information is a top priority for DJI,” Rebello said.