Researchers at security firm CheckPoint identified a vulnerability in the website and apps of the popular consumer drone manufacturer DJI. The flaw was disclosed on Thursday, after DJI had fixed it; however, it took DJI around six months to fully address it.
If exploited, an attacker could have gained free access to any drone account owner’s cloud data storage, including video footage, maps, drone logs and even the live feed via DJI’s fleet management system FlightHub, all without alerting the actual user. Now that DJI has fixed the flaw, CheckPoint has revealed details of the dangerous vulnerability in DJI’s drone web app.
Furthermore, attackers could have easily synced sensitive data including flight and location records. CheckPoint identified the flaw in March 2018 and notified DJI without publicly disclosing the issue, following the responsible disclosure norm that security firms observe. The Chinese consumer drone maker fixed it in September.
An attacker could also have launched an account takeover attack by chaining the three vulnerabilities CheckPoint identified in DJI’s infrastructure: a Secure Cookie bug in DJI’s identification process, an SSL pinning issue in the company’s mobile app, and a cross-site scripting (XSS) flaw in the company’s online forum.
Attackers could have compromised the mobile apps only after intercepting the mobile application’s traffic, which would have required bypassing the app’s SSL pinning implementation through a man-in-the-middle attack on the connection to the DJI server, using Burp Suite.
Further research revealed that by “parsing flight log files” an attacker could have obtained more information about the angle and location of pictures taken during the drone’s flight, including “the drone’s home location, last known location and more,” the researchers added.
DJI eventually classified the vulnerability as high-risk but low-probability, since successful exploitation required a user to log into their DJI account after clicking a specially crafted malicious link posted on the DJI forum. DJI says there is no indication that anyone exploited the flaw in the wild.
“To trigger this XSS attack all the attacker need do is to write a simple post in the DJI forum which would contain the link to the payload,” said the report.
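The chain described above combines two of the flaw classes the article names: a Secure Cookie issue in the login process and a stored XSS in the forum. The following Python snippet is an added example, not code from the article, from CheckPoint or from DJI; it shows the two defensive checks a web team would apply against exactly those classes: auditing a `Set-Cookie` header for the `HttpOnly`, `Secure` and `SameSite` attributes, and escaping user-supplied forum content before it is rendered. The cookie name, sample values and function names are hypothetical.

```python
"""
Added example (not from the article, CheckPoint or DJI): two defensive checks
for the flaw classes the article names, a session cookie set without
protective attributes and a stored XSS in a forum.

All names and sample values below are constructed for illustration.
"""
from http.cookies import SimpleCookie
import html

# Boolean attributes every session cookie should carry.
REQUIRED_FLAGS = ("secure", "httponly")


def audit_set_cookie(header_value: str) -> dict:
    """Parse a Set-Cookie header and list the protective attributes each cookie lacks.

    A session cookie without HttpOnly is readable by any script running in the
    page, so a stored XSS on the same origin can read it; without Secure it is
    also sent over plain HTTP, where a man-in-the-middle can observe it; without
    SameSite it is attached to cross-site requests.
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    report = {}
    for name, morsel in cookie.items():
        missing = [flag for flag in REQUIRED_FLAGS if not morsel[flag]]
        # SameSite carries a value (Lax/Strict/None) rather than being a flag.
        if not morsel["samesite"]:
            missing.append("samesite")
        report[name] = missing
    return report


def render_forum_post(body: str) -> str:
    """Escape a user-supplied post body before embedding it in HTML.

    Stored XSS arises when the raw body reaches the page as markup; escaping
    turns tags and attribute-breaking quotes into inert text, so a link or
    script in the post is displayed rather than executed.
    """
    return "<p>" + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed headers: a weak cookie beside a correctly attributed one.
    weak = "session=abc123; Path=/"
    hardened = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
    print("weak     ->", audit_set_cookie(weak))
    print("hardened ->", audit_set_cookie(hardened))

    # Constructed forum post carrying markup that must not execute.
    post = '<a href="javascript:alert(1)">click</a>'
    print(render_forum_post(post))
```

The audit function is meant to run against the headers a staging deployment actually returns, so that a cookie that silently loses `HttpOnly` or `Secure` after a config change is caught before release; the escaping function is the single place where forum content should cross into HTML.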
CheckPoint researchers reported the vulnerability under the bug bounty program launched by DJI. However, the company didn’t reveal the financial reward DJI offered to the researchers. Usually, we have observed that for single vulnerabilities DJI offers up to $30,000 in its bug bounty programs. Oded Vanunu, CheckPoint’s head of products vulnerability research, said that it is very important to address such “potentially critical” flaws “quickly and effectively.”
Mario Rebello, DJI’s North America chief, praised CheckPoint for behaving highly responsibly by choosing not to disclose the flaw publicly before it was fixed. “We applaud the expertise CheckPoint researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” Rebello said.