View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 8, 2018

DJI Drone Hack Opens Up Flight and Video Records to Threat Actors

“Attacker would have completely uninhibited access to login and view the drone’s camera during live operations of any flights currently in progress"

By CBR Staff Writer

The research team at cybersecurity firm Check Point discovered a vulnerability which allowed hackers to gain access to the flight logs and videos capture by DJI drone operators.

Headquartered in China, DJI is one of the world’s largest producer of drones and quadcopters for the consumer market.

Check Point researchers Oded Vanun, Dikla Barda and Roman Zaikin discovered that an attacker could gain access to DJI customer accounts without the account holder being aware that the saved flight paths and footage from their drones were accessible.

The vulnerability in DJI’s system lies within the identification process for account holders. The researchers note in a blog laying out their research that: “DJI uses a cookie that the attacker can obtain to identify a user and create tokens, or tickets, to access their platforms.”

“Through the use of this cookie, an attacker is able to simply hijack any user’s account and take complete control over any of the user’s DJI Mobile Apps, Web Account or DJI FlightHub account.”

Second Bug

Check Point discovered a second bug in DJI’s architecture that allowed them to obtain the cookie required for identification in attacking accounts.

In order to get this cookie the team orchestrated a cross-site scripting attack (XSS) after discovering a GET request in the forum section of the website.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

DJI Drone Hack

They constructed this XSS payload:

\’ alert(document.cookie); function updateDownImageList (data) {} <!–

The researchers note that: “An attacker could then create a payload that would send that meta-key cookie to his website. This kind of XSS would not be blocked by any XSS Auditor because it resides in the JavaScript itself and not consist of scripts or events.”


DJI Drone Hack

In order to trigger this attack all the threat actor then needed to do was to post in the DJI forum a message that contained the link to the payload.

“As our XSS resides in the forum itself we were able to bypass the link restriction. Furthermore, as there are hundreds of thousands of users communicating DJI’s forum the attacker would not even need to share the malicious link as this would be done by the users themselves as they forward on the message and link,” Check Point team stated.

From this point is was just a few more steps before they had access to user accounts on DJI’s website. From here they could synchronise their devices so that they received all the flight records and video logs of drone flights operated by DJI customers.

DJI Drone Hack

A key factor in the hack is that the admin or account holder would receive no notification or signs that a threat actor has complete access to their account.

As Check Point note, the “Attacker would have completely uninhibited access to login and view the drone’s camera during live operations of any flights currently in progress, or download records of previously recorded flights that had been uploaded to the FlightHub platform.”

See Also: Autonomous Drones Proposed for Search and Rescue in Forested Areas

DJI were informed of the vulnerability within their architecture back in March by Check Point and have since carried out a patch of the system. DJI classified the vulnerability as a high risk, but one with little chance of occurring. To date they have no evidence that anyone other than Check Point were aware of or used the vulnerability.

Topics in this article : , ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.