• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to secondary sidebar
  • Skip to footer
  • DroneRacingLife
  • DroneFlyers
  • Newsletter
DroneLife

DRONELIFE

Stay up to date on all the latest Drone News

  • News
  • Products
  • Industries
    • Agriculture
    • Construction
    • Delivery
    • Dual Use
    • Inspection
    • Public Safety
    • Surveying
  • Enthusiasts
  • Regulations
  • Business
  • Video
  • Podcasts

Cybersecurity Firm Reveals Vulnerability in DJI’s Infrastructure (It’s Patched Now)

November 8, 2018 by Malek Murison 5 Comments

Researchers at cybersecurity company Check Point have today shared details of a vulnerability in DJI’s infrastructure that could have given hackers access to consumer and corporate user accounts, personal data, flight logs, photos, videos, and – if the user was flying with DJI’s FlightHub application – a live camera feed and map during missions.

Check Point submitted a report to DJI’s Bug Bounty Program, highlighting a process in which an attacker could have gained access to a user’s account through a vulnerability discovered in the user identification process within DJI Forum.

Check Point’s researchers found that DJI’s various platforms used a token to identify registered users across different aspects of the customer experience. Hackers could plant malicious links that would compromise accounts within that framework.

In a blog post outlining their investigation, Check Point explained the process of a possible exploit:

The vulnerability was accessed through DJI Forum, an online forum DJI runs for discussions about its products. A user who logged into DJI Forum, then clicked a specially-planted malicious link, could have had his or her login credentials stolen to allow access to other DJI online assets:

  • DJI’s web platform (account, store, forum)
  • Cloud server data synced from DJI’s GO or GO 4 pilot apps
  • DJI’s FlightHub (centralized drone operations management platform)

We notified DJI about this vulnerability in March 2018 and DJI responded responsibly. The vulnerability has since been patched. DJI classified this vulnerability as high risk but low probability, and indicated there is no evidence this vulnerability was ever exploited by anyone other than Check Point researchers.

Check Point even made a Mission Impossible-style trailer for their findings, which is… interesting.

More data security issues for DJI?

Earlier this year DJI released the findings from an independent study into the company’s data security practices. The aim was to ease anxiety among the manufacturer’s commercial customers after concerns were raised by the US Army, among others, in 2017.

In the past, DJI has had some (since rectified) suspicious code within the DJI Go application. It’s important to note here that the vulnerability discovered by Check Point is different in nature. Rather than a suspicious line of code that could be harnessed by an insider intent on mischief, these discoveries appear to be accidental vulnerabilities.

DJI engineers reviewed the report submitted by Check Point and declared it to be ‘high risk/low probability’. The hoops an attacker and the victim would have to jump through creates a long set of preconditions that need to be met before a potential attacker could do anything harmful.

DJI says there is no evidence to suggest that the flaw was ever exploited.

According to Check Point, DJI took several months to resolve the issues that were highlighted. But rather than a sign of negligence, the researchers point out that the company chose not to push out simple fixes. Instead, the Chinese manufacturer made more fundamental changes to how trust and user authentication works behind the scenes to improve security for the long term.

dji ditches airmap for precisionhawk and updates GEO

A bug bounty success story?

It doesn’t look great for DJI, who will have hoped that the whole drone data security saga had come to an end. But at least these vulnerabilities were dealt with in a professional manner by everyone involved and the bug bounty program served its purpose on this occasion.

It’s also proof that DJI is responding responsibly, as any technology company should, to the ongoing process of keeping customer data secure.

“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, Vice President and Country Manager, North America at DJI.

“This is exactly the reason DJI established our Bug Bounty Program in the first place. All technology companies understand that bolstering cybersecurity is a continual process that never ends. Protecting the integrity of our users’ information is a top priority for DJI, and we are committed to continued collaboration with responsible security researchers such as Check Point.”

“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively, and we applaud DJI for doing just that,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point.

“Following this discovery, it is important for organizations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”

Malek Murison
Malek Murison

Malek Murison is a freelance writer and editor with a passion for tech trends and innovation. He handles product reviews, major releases and keeps an eye on the enthusiast market for DroneLife.
Email Malek
Twitter:@malekmurison

Subscribe to DroneLife here.

Filed Under: Business and Finance, Drone News Feeds, Feature 1, Legal, News Tagged With: bug bounty, check point, cybersecurity, data security, DJI, FlightHub, hackers

Reader Interactions

Trackbacks

  1. DJI Aims to Ease Security Fears for Good with Government Edi… – UAV – DRONEENEWS.COM says:
    June 24, 2019 at 6:16 pm

    […] several steps in recent years to secure their reputation and their customer data. The company has patched security flaws found by researchers, established and developed a bug bounty program, commissioned a security audit of its app and […]

    Reply
  2. DJI Aims to Ease Security Fears for Good with Government Edition Solution - Angle News says:
    June 24, 2019 at 12:50 pm

    […] several steps in recent years to secure their reputation and their customer data. The company has patched security flaws found by researchers, established and developed a bug bounty program, commissioned a security audit of its app and […]

    Reply
  3. China's newest combat drones take the stage at the country's largest airshow | Drone "Ki" says:
    December 9, 2018 at 12:00 am

    […] Researchers at cybersecurity company Check Point have today shared details of a vulnerability in DJI’s infrastructure that could have given hackers access to consumer and corporate user accounts, personal data, flight logs, photos, videos, and – if the user was flying with DJI’s FlightHub application – a live camera feed and map during missions. Check […] The post Cybersecurity Firm Reveals Vulnerability in DJI’s Infrastructure (It’s Patched Now) appeared first on DRONELIFE. See Original Article […]

    Reply
  4. Cybersecurity Firm Reveals Vulnerability in DJI's Infrastructure (It's Patched Now) - Droneoo says:
    November 10, 2018 at 3:28 pm

    […] Source link […]

    Reply
  5. Cybersecurity Firm Reveals Vulnerability in DJI’s Infrastructure (It’s Patched Now) - Drones Crunch says:
    November 8, 2018 at 12:37 pm

    […] DRONELIFE […]

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

LATEST

Carbonix and CASA Certify First SAIL III Drone in Australia

Carbonix says it is the first company in Australia to receive SAIL III certification for a drone, clearing a path…

Continue Reading Carbonix and CASA Certify First SAIL III Drone in Australia

Ondas Acquires DZYNE Technologies for $875.8M

The Ondas DZYNE acquisition combines long-endurance ISR, counter-UAS, and autonomous effects under a new operating division for U.S. defense customers.…

Continue Reading Ondas Acquires DZYNE Technologies for $875.8M

FAA Data Shows Drone Sightings Near Airports Nearly Doubled in Second Quarter

After incidents, FAA warns against drones at airports By DRONELIFE Features Editor Jim Magill The number of reported close encounters…

Continue Reading FAA Data Shows Drone Sightings Near Airports Nearly Doubled in Second Quarter

University of Tokyo and Kubota Develop Drone Potato Yield Prediction Method

This article published in collaboration with JUIDA, the Japan UAS Industrial Development Association.     Researchers at the University of Tokyo…

Continue Reading University of Tokyo and Kubota Develop Drone Potato Yield Prediction Method

Department of War Creates Central Office to Oversee U.S. Military Unmanned Systems

New Direct Reporting Portfolio Manager will consolidate acquisition, standards, budgeting, and industry engagement for drone and autonomous programs The U.S.…

Continue Reading Department of War Creates Central Office to Oversee U.S. Military Unmanned Systems

FAA Investigating Reported Drone Encounter on JetBlue Flight Approaching JFK

The Federal Aviation Administration (FAA) is investigating after the crew of a JetBlue flight reported striking what they believed was…

Continue Reading FAA Investigating Reported Drone Encounter on JetBlue Flight Approaching JFK

Versaterm on the Drone Radio Show! Next Level Integration of Drones into Public Safety

Versaterm on the Drone Radio Show! In this episode, Ryan Bracken explains how Versaterm’s acquisition of DroneSense is helping agencies…

Continue Reading Versaterm on the Drone Radio Show! Next Level Integration of Drones into Public Safety

ANRA Technologies Surpasses 55,000 Commercial Drone Operations Per Month

ANRA says its Mission Manager X platform now supports more than 1,800 BVLOS commercial drone operations per day across delivery,…

Continue Reading ANRA Technologies Surpasses 55,000 Commercial Drone Operations Per Month

Comments Underscore Stakes of FAA’s Section 2209 Rule (CORRECTED)

Experts weigh in on extension of 2209 comment period By DRONELIFE Features Editor Jim Magill (Editor’s note: An earlier version…

Continue Reading Comments Underscore Stakes of FAA’s Section 2209 Rule (CORRECTED)

ND UAS Council Adds Grand Forks DDA to Strengthen Drone Ecosystem

The North Dakota UAS Council has added the Grand Forks Downtown Development Association as its newest member, linking the state’s…

Continue Reading ND UAS Council Adds Grand Forks DDA to Strengthen Drone Ecosystem

Secondary Sidebar

Footer

SPONSORED

Inspired Flight Gremsy IF800 VIO F1 drones geo week

What Will It Take to Strengthen U.S. Drone Manufacturing? A Conversation with Inspired Flight’s CEO

Global Mapper Mobile data collection

Collection Ground Control Points with Global Mapper Mobile

Military Drone Mapping Solutions

How SimActive’s Correlator3D™ is Revolutionizing Military Mapping: An Exclusive Interview with CEO Philippe Simard

Photogrammetry Accuracy Standards

SimActive Photogrammetry Software: Enabling Users to Meet Accuracy Standards for Over 20 Years

NACT Engineering Parrot ANAFI tether indoor shot

Smart Tether for Parrot ANAFI USA from NACT Engineering

Blue Marble, features global mapper, features Blue Marble

Check Out These New Features in Global Mapper v25 from Blue Marble

About Us | Contact Us | Advertise With Us | Write for Us | Privacy Policy | Terms of Service

The Trusted Source for the Business of Drones.

This website uses cookies and third party services. By clicking OK, you are agreeing to our privacy policy. ACCEPT

Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT