DJI Drone Vulnerability Due to DJI Forum’s Weakness, Patched by its Vendor

Just like personal computers, smartphones and tablets, new smart devices such as the highly viral remote quadcopters (AKA drones) are powered by an operating system. As part of the territory, these systems need to be regularly updated, patched to close vulnerabilities as issues become known.

That basically what happened with DJI drones, when they recently patched a serious vulnerability that enables a threat actor to take over the drone’s information reports like flight logs, manipulate pictures and recorded videos.

The Checkpoint Research report highlighted the vulnerability of the vendor-supplied forum for DJI drones in connection with authenticating DJI user accounts, which can be taken advantage of by the unknown third parties. “It gave you the ability to give missions to multiple drones. You could connect 100 drones and give them missions and control them automatically. (Using FlightHub software, a DJI-supplied tool),” emphasized Oded Vanunu, Product Vulnerability Research Head of CheckPoint Research.

DJI has acted immediately and issued a patch; they also scored the very low probability that the exploit can be used in real life scenarios, especially when the drone is currently flying. “DJI engineers reviewed the report submitted by Check Point and, in accordance with its Bug Bounty Policy, marked it as high risk — low probability. DJI engineers efficiently and effectively patched this vulnerability after being notified by Check Point Research. There is no evidence it was ever exploited. The vulnerability required a complicated set of preconditions to be successfully exploited: the user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum.” explained DJI’s spokesperson.

The drone company promised that users didn’t need to get out of their way to maintain privacy, as the fix was applied by DJI seamlessly. As part of their sincerity of helping DJI drones to remain secure, a bounty reward of $30,000 was offered to Checkpoint, but the security research firm humbly declined the reward money.

The very limitation of the vulnerability was the DJI drone user needed to be logged-in in the forum and clicked a compromised link that effectively steals the session ID of the user. This enables authentication for the unauthorized 3rd party to receive access privileges to the device.

DJI and other drone makers are being scrutinized by various governments in the world, as it is a new market which is considered as off-limits to civilians before – access to airspace in a private manner. One of the most vocal against the civilians’ use of quadcopters equipped with video cameras in the U.S. Armed Forces, they see civilian drones as counterproductive to their missions. An incident like a U.S. Army chopper colliding with a civilian drone has been recorded last year, September 21, 2017, in Staten Island, New York City. Incidents and accidents similar to it are bound to happen more frequently, as the cost of a drone that can fly for at least 100 meters above the ground has become more affordable as technology in drone technology improves.