X

DJI fixes vulnerability that let potential hackers spy on drones

A security flaw let attackers peek at the real-time camera on users' drones, researchers said.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
DJI Mavic 2 Pro and Zoom

The security flaw let potential hackers steal access tokens from DJI's forums and use it to log into a person's account. 

Joshua Goldman/CNET

Hey DJI, your fly was open.

Security researchers from Check Point said in March they found a vulnerability that allowed potential hackers to log into accounts for the consumer drone maker without needing a password. DJI said it fixed the flaw in September. 

Once you have access to a DJI account, you're able to view sensitive information like live view from FlightHub of the drone's camera and location, the last four digits of credit card numbers and photos taken from flights, researchers said.

If the accessed account was using DJI's FlightHub tool, the attacker would also be able to control multiple drones and set routes, said Oded Vanunu, Check Point's head of products vulnerability research.

"It gave you the ability to give missions to multiple drones," Vanunu said. "You could connect 100 drones and give them missions and control them automatically."

image003

Security researchers used an opening on DJI's forums to access accounts.

Check Point

The flaw stemmed from DJI's password-protected forums, in combination with how the company authenticated accounts. Check Point researchers found an opening in DJI.com's code, which allowed them to enter their own JavaScript.

From there, they were able to create their own malicious link that would take data meant to go to DJI and send it to their own servers. The script siphoned access tokens -- which aren't your password, but allow for logins.

Because DJI uses the same authentication for its forums and apps, an attacker could use the stolen access tokens to log into accounts on all platforms, Vanunu said. Because it's using the access tokens, it would bypass security measures like two-factor authentication, and affected users would not be aware.

image004

Data that a potential attacker could access includes flight patterns from drones.

Check Point

When hackers accessed 30 million Facebook accounts, they also did it through stolen access tokens. While access tokens make authentication much easier and more convenient, it also presents an opening for hackers. Check Point's research shows that even if your devices -- in this case, DJI's drones -- are secure from hacks, there is always another way for attackers to take over.

"With the ecosystem that we live in today, tokens are the language that you are speaking when you are connecting to software components," Vanunu said.

A DJI spokesman said Check Point reported the vulnerability through the company's bug bounty program, and that the flaw was "unlikely to have ever been exploited in real life." DJI would have paid a bounty of "several thousand dollars" but Check Point did not request for payment, the spokesman said.

"DJI engineers reviewed the report submitted by Check Point and, in accordance with its Bug Bounty Policy, marked it as high risk -- low probability," the company said in a statement.

DJI took six months to fix the flaws, Vanunu said. The process took half a year because the flaw required DJI to fix the issue across all its infrastructure, the security researcher said.

"We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability," Mario Rebello, DJI's vice president for North America, said in a statement. 

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night. 

Follow the Money: This is how digital cash is changing the way we save, shop and work.