DJI – one of the world’s most popular drone makers, spent close to half a year to fix security flaws on its website and apps. A vulnerability that could have given potential hackers access to accounts of drone owners if was exploited effectively.
Researchers from security firm Check Point assessed the DJI vulnerability situation. Check Point revealed that DJI security flaws were first noticed in March and it would have allowed hackers to gain total access to cloud-stored data of every DJI user. The flaws could have also allowed them to log in to the company’s fleet management system (FlightHub) and access drone logs, maps, video footage as well as live feed footage without any password being required. The hackers could have been able to also view very sensitive information such as locations of drone’s camera as well as every photo taken with the camera from flights. In fact, the access when gained could allow hackers to give missions to multiple drones and also control them automatically.
“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively,” said Check Point’s head of products vulnerability research Oded Vanunu. DJI, however, confirmed that this challenge was fixed in September. Vanunu explained that the process took DJI about six months to fix because of the drone company’s need to fix a challenge across its entire infrastructure.
DJI engineers referred to this security lapses as “high risk” but “low probability.” The reason being that it requires a simple click for attackers to take advantage of the situation, however, to get to that click were numerous hoops to jump through first. This was confirmed also by Check Point as they tried in practice to launch a potential attack.
The good news for every DJI user is that the possibility of any individual noticing and taking advantage of the vulnerabilities was unlikely. Even though both DJI themselves and Check Point agreed that it would be difficult to be absolutely sure about that. DJI spokesperson Adam Lisberg said that “While no one can ever prove a negative, we have seen no evidence that this vulnerability was ever exploited.”
Actually, according to DJI, the vulnerabilities were fixed by the company’s bug bounty program that was set up a year ago. When Check Point noticed the vulnerability, they reported to DJI through the bounty program. The report on the vulnerability that was submitted by Check Point was first reviewed by DJI engineers. After which, they in accordance with the company’s Bug Bounty Policy marked it as a high risk — low probability situation (reasons explained earlier).
A bounty of several thousands of dollars could have been paid by DJI to Check Point, however, Check Point didn’t request for it. “We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said DJI’s North America vice president Mario Rebello.