Was YOUR drone hacked? Flaw in DJI website exposed user data and gave hackers access to live feeds
- Check Point security researchers found a flaw in DJI's cloud infrastructure
- It allowed hackers to take over users' accounts and access private data like drone logs with location data, maps, account information and photos or videos
- Vulnerability was exploited through a malicious link shared by hackers on the DJI Forum
- DJI became aware of the vulnerability in March and has since patched the flaw
A worrying vulnerability in DJI drones gave hackers complete access to a user's account without them realizing it.
Security researchers from Check Point in March discovered a flaw in DJI's cloud infrastructure that allowed attackers to take over users' accounts and access private data like drone logs with location data, maps, account information and photos or videos taken during flight.
However, DJI said it patched the vulnerability in September.
Users fell prey to the attack by clicking on a malicious link shared through DJI Forum, an online forum the firm runs for user discussions about its products.
Any user who clicked on a 'specially-planted malicious link' could have had his or her login information stolen, giving the hacker access to cloud data, account information, store, forum and other data.
It also gave them access to user data from FlightHub, DJI's fleet management system that stores live feed footage.
The vulnerability stemmed from hackers taking advantage of authentication tokens, which let users move between various DJI sites without having to sign in every time.
Hackers took advantage of this feature in Facebook's most recent data breach in September, which resulted in 50 million user accounts being compromised.
'This is a very deep vulnerability,' Oded Vanunu, head of products vulnerability research at Check Point, told WIRED.
'We're drone fans and fans of DJI, but we want to bring awareness about account takeover vulnerabilities in big vendors' systems.
'In order to let users access different services without having to enter a username and password all the time, companies use one-time authentication to make a user token that's valid across everything.
'But that means we're living in an era where a targeted attack can become an extensive compromise,' Vanunu added.
DJI said Check Point reported the flaw through its bug bounty program and the firm has since thoroughly examined its software and hardware to make sure the attack can't be replicated.
Ultimately, DJI engineers marked the vulnerability as 'high risk - low probability,' because it would be hard to carry out in real life.
'This is because the vulnerability required a complicated set of preconditions to be successfully exploited: The user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum,' a DJI spokesperson said in a statement.
'DJI engineers efficiently and effectively patched this vulnerability after being notified by Check Point Research. There is no evidence it was ever exploited.'
Check Point detailed how attackers were able to gain access to users' accounts. The link posted in the forums included an extra chunk of software code.
When users clicked on it, it silently triggered a script to run in the background, collecting 'cookies' that contained the users' access tokens.
Using the stolen access tokens let hackers bypass extra security layers like two-factor authentication, meaning users wouldn't know their account had been compromised.
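As an added example (not Check Point's or DJI's code), here is a small audit of Set-Cookie headers that flags login-token cookies a page script could read, which is the weakness the forum-link attack above depended on; the cookie names, the name hints and the sample headers are constructed.

```python
"""Audit Set-Cookie headers for login-token cookies that page script could read.
Added example, not Check Point's or DJI's code: the attack above worked because the
access tokens sat in cookies a forum-triggered script could collect. Names and headers are constructed."""

TOKEN_NAME_HINTS = ("token", "session", "sid", "auth")  # demo assumption: marks a login cookie

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}); bare flags map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header: str) -> list[str]:
    """Return the weaknesses of a token cookie; [] for a hardened one or a non-token cookie."""
    name, attrs = parse_set_cookie(header)
    if not any(hint in name.lower() for hint in TOKEN_NAME_HINTS):
        return []  # not a login cookie, nothing to check
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        problems.append("missing Secure: sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: attached to cross-site requests")
    if attrs.get("domain", "").startswith("."):
        problems.append(f"Domain={attrs['domain']}: shared with every subdomain")
    return problems

def audit_response(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Map each weak token cookie name to its problems; clean cookies are omitted."""
    findings = {}
    for header in set_cookie_headers:
        problems = audit_cookie(header)
        if problems:
            findings[parse_set_cookie(header)[0]] = problems
    return findings

# Constructed sample: a cross-site SSO token left script-readable, beside a hardened session cookie.
SAMPLE_HEADERS = [
    "sso_token=abc123; Path=/; Domain=.example.com",
    "session_id=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for name, problems in audit_response(SAMPLE_HEADERS).items():
        print(name, "->", "; ".join(problems))
```

Running it reports only `sso_token`, with four findings; the hardened `session_id` cookie and any non-login cookie produce none.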
'This case was alarming because drones have a lot of private information and this was something that could be taken easily,' Vanunu told WIRED.
'Giant platforms need to be more careful about account takeovers.'