Editor’s note: DJI (Da-Jiang) is a Chinese technology company, well known as a manufacturer of drones used for aerial photography and videography. Today DJI is very popular around the world. With the rapidly growing use of drones, drone forensics is also becoming a hot topic in the DFIR community.
A flaw that exposes user data of DJI drones.
A recent discovery shows that popular drone maker DJI exposed user accounts, together with the information that passes through the vendor’s digital infrastructure, to unauthorized access. That information includes flight logs, videos and images captured by the devices, the live camera and microphone feed, and the flight map.
This was possible because of a flaw in DJI’s process for logging users into their web account, the online forum, the DJI Go and Go 4 mobile apps, and the DJI FlightHub web app that allows enterprise users to manage live drone operations.
An attack on the cookie jar.
Security researchers discovered that DJI used the same cookie to identify users and grant access across several of its platforms. Stealing this cookie allowed an attacker to hijack user accounts and operate them as if they were the legitimate owner.
After further prodding, the two researchers found a way to obtain the cookie that unlocked access to user and drone data via a cross-site scripting (XSS) attack on the weakest link: the DJI discussion forum.
“To trigger this XSS attack all the attacker need do is to write a simple post in the DJI forum which would contain the link to the payload,” the researchers wrote in a research paper.
Making victims click on the link, and thus have their login cookies stolen, would have been a simple matter of creating the proper bait. “Furthermore, as there are hundreds of thousands of users communicating on DJI’s forum the attacker would not even need to share the malicious link as this would be done by the users themselves as they forward on the message and link,” the researchers added.
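The two weaknesses described above, a session cookie that injected script can read and a single cookie valid across every DJI property, are both a matter of cookie attributes and output encoding. The audit below is an added example, not code from DJI or from the researchers; the Set-Cookie headers and the dji.example host names are constructed for illustration.

```python
"""Audit a session cookie's attributes and encode forum post text.

Added example; the Set-Cookie headers and the dji.example host names
are constructed, not values observed in DJI's infrastructure.
"""
import html
from http.cookies import SimpleCookie
from typing import List


def audit_set_cookie(header: str, expected_domain: str) -> List[str]:
    """Return the weaknesses found in one Set-Cookie header.

    expected_domain is the single host the cookie should belong to. A Domain
    attribute pointing at a parent domain makes the same cookie valid on every
    subdomain, so a script-injection bug on the weakest one (here, a forum)
    yields a cookie that also unlocks the account portal and the apps.
    """
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by injected script)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
        domain = morsel["domain"].lstrip(".")
        if domain and domain != expected_domain:
            findings.append(f"{name}: Domain={domain} shares the cookie across subdomains")
    return findings


def render_forum_post(body: str) -> str:
    """HTML-encode user-supplied post text so markup inside a post is shown
    as text rather than interpreted by the browser of whoever views it."""
    return html.escape(body, quote=True)


# Constructed headers: one broad shared cookie, and a hardened host-only one.
SHARED_COOKIE = "sid=abc123; Domain=.dji.example; Path=/"
HARDENED_COOKIE = "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, header in (("shared", SHARED_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, audit_set_cookie(header, "forum.dji.example") or ["no findings"])
    print(render_forum_post('<a href="x">link</a>'))
```

Run against real responses, the same check can be pointed at each DJI-style property in turn to confirm that no two of them accept the same cookie.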
The researchers reported the security lapses to DJI privately in March, allowing the company to fix the problem across its infrastructure before the technical details were published. Following its assessment of the vulnerabilities, the drone maker concluded that they presented a high risk, albeit one unlikely to occur. “We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, Vice President and Country Manager, North America at DJI.
By synchronizing the victim’s flight records in the DJI cloud with their own phone, an attacker could browse the flight logs locally and view maps showing where videos and photos were taken.
To stay ahead of attackers, DJI launched a bug bounty program this year, offering security enthusiasts and researchers rewards for finding vulnerabilities and demonstrating how they could be exploited.
Thanks for your time reading our blog post. If you are interested in our forensic solutions, come and check out our website for more information. You can also go to our resource page to download our forensic products for free. We welcome you to contact us and claim your free product trial!