DJI, a manufacturer of some of the most popular quadcopter drones on the market, inadvertently exposed user data, including flight records, account information, camera and microphone data, and the live video feed, according to a report from security firm Check Point.
DJI has since patched the vulnerability in its systems, which could have revealed a user's real-time drone location and live camera feed while the drone was in flight.
Before this report, DJI had set up a bug bounty program, launched in August 2017, offering rewards to researchers who disclose potential vulnerabilities in its products in order to improve its security reputation.
Check Point discovered this particular vulnerability and reported it through that bug bounty program, but did not accept a reward for the finding.
Their researchers discovered that if a user signed in to any one of the three DJI cloud-based platforms (the web platform, the GO/4/Pilot mobile application, or FlightHub), the DJI backend used that same identifier token to grant the user access to all three platforms.
However, an attacker would still need a specific cookie in order to completely take over an account.
Unfortunately, Check Point uncovered a second issue in DJI's popular customer forum platform, where the researchers believe it would not be difficult to post malicious links and trick people into clicking them.
Chaining these issues, a potential attacker could identify users and learn their information, steal the cookie needed to complete authentication, log in to their own DJI account, and then swap in the victim's token and cookies, so that the attacker takes on the victim's identity and gains full access to the account.
DJI did its due diligence in resolving the issues. Check Point's testing shows that DJI completely reworked its system's processes to fix the bugs and further improved its security.
Whether this will assure current users or potential new users is uncertain.