Popular drone maker DJI exposed user accounts to unauthorized access along with information that passes through the vendor’s digital infrastructure; this includes flight logs, videos and images captured by the devices, live camera and microphone feed, and flight map.
This was possible because of a flaw in DJI’s process for logging users into their web account, online forum, mobile app Go and Go 4, and the DJI FlightHub web app that allows enterprise users to manage live drone operations.
An attack on the cookie jar
Security researchers Dikla Barda and Roman Zaikin of Check Point discovered that DJI used the same cookie to identify and offer access to several of its platforms. Stealing this cookie allowed an attacker to hijack user accounts and handle them as if they were the legitimate owner.
After further prodding, the duo found a way to obtain the cookie that unlocked access to user and drone data via a cross-site scripting (XSS) attack on the weakest link: the DJI discussion forum.
“To trigger this XSS attack all the attacker need do is to write a simple post in the DJI forum which would contain the link to the payload,” the researchers wrote in a research paper published today.
Making victims click on the link and thus have their login cookies stolen would have been a simple matter of creating the proper bait.
“Furthermore, as there are hundreds of thousands of users communicating DJI’s forum the attacker would not even need to share the malicious link as this would be done by the users themselves as they forward on the message and link,” the researchers added.
Check Point experts reported the security lapses to DJI privately in March, allowing the company to solve the problem across its infrastructure before publishing the technical details.
Following the assessment of the vulnerabilities, the drone maker concluded that they presented a high risk, albeit unlikely to occur.
“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, Vice President and Country Manager, North America at DJI.
Check Point made a demo video for the attack, showing the type of information an attacker could have accessed.
By synchronizing the flight records in the DJI cloud with their phone, an attacker could browse flight logs locally, and view maps where videos and photos were taken.
FlightHub web app is intended for handling a fleet of at least five drones and it offers automatic flight log synchronization, fleet management options, and real-time video feed if the subscription plan allows it.
To stay ahead of the attackers, DJI launched a bug bounty program this year, offering security enthusiasts and researchers the possibility to earn some money by poking around for vulnerabilities and a way to exploit them.