Be they hobbyists or surveillance specialists, DJI drone owners could’ve had their live video feeds spied on by hackers, according to researchers who uncovered a weakness in the Chinese company’s tech.
The vulnerability, which has been patched and which DJI said was never actually exploited by malicious hackers, was resident not in the manufacturer’s drones, but on its website. If exploited, the weakness would’ve allowed a snoop to gain full access to a DJI user’s account, said researchers from Israeli cybersecurity firm Check Point.
Once inside, they could’ve harvested flight logs showing where the drone had traveled, as well as photos and videos if a DJI user had synced them with the Chinese firm’s cloud servers. And if the DJI customer was running the FlightHub tool, the hacker could’ve gained access to the live camera view and map view during flights. (DJI contacted Forbes after publication to say that only a handful of professionals used the FlightHub tool compared to hobbyists.)
The hack had some limitations, the most significant being that users could only be compromised when they were logged into the DJI Forum. From there, if they clicked on a malicious link, the tokens allowing them to login would have been stolen and their account would have been compromised.
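The chain described here turns a login token stolen on the forum into access to the whole account, including FlightHub. One mitigation a defender would want is to bind each token to the service it was issued for, so that a token lifted from the forum is rejected everywhere else. The example below is added here and is not DJI’s or Check Point’s code; the service names "forum" and "flighthub", the signing key and the user name are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment would load per-service keys from a secrets store.
SECRET = b"constructed-demo-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, audience: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Mint a short-lived HMAC-signed token bound to exactly one audience (service)."""
    now = time.time() if now is None else now
    payload = {"sub": user, "aud": audience, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, expected_audience: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the token is authentic, unexpired and issued for this
    audience; otherwise None. A token minted for the forum never opens FlightHub."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected_sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected_sig, sig):  # constant-time signature check
        return None
    try:
        payload = json.loads(_unb64(body))
    except ValueError:  # bad base64 or bad JSON
        return None
    if payload.get("aud") != expected_audience or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


if __name__ == "__main__":
    tok = issue_token("pilot42", "forum", now=1000)
    print(verify_token(tok, "forum", now=1100))      # pilot42
    print(verify_token(tok, "flighthub", now=1100))  # None
```

The same check also rejects an expired token and a token whose body was rewritten for another audience without a matching signature.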
“As there are hundreds of thousands of users communicating on DJI’s forum, the attacker would not even need to share the malicious link as this would be done by the users themselves as they forward on the message and link,” Check Point researchers wrote in a blog post released Thursday.
DJI has now closed off the vulnerability, having been warned back in March. “DJI engineers reviewed the report submitted by Check Point and, in accordance with its Bug Bounty Policy, marked it as high risk-low probability,” a spokesperson explained. “This is because the vulnerability required a complicated set of preconditions to be successfully exploited: the user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum.
“DJI engineers efficiently and effectively patched this vulnerability after being notified by Check Point Research. There is no evidence it was ever exploited.”
DJI users won’t have to do anything themselves, as the problems resided on DJI’s own systems.
Check Point’s researchers were offered a financial reward as part of the DJI bug bounty program, but they declined. The bounty program offers up to $30,000 in rewards for single vulnerabilities.
DJI government worries
DJI has been keen to talk up its security credentials in recent months. Earlier this year it said it commissioned an independent study, which found the company didn’t access photos, videos or flight logs generated by those drones unless operators chose to share them.
The company has been facing scrutiny in the U.S. after the release of an apparent memo by the Department of Homeland Security raised concerns that DJI drones were sending sensitive data on American critical infrastructure back to China. DJI slammed the memo, claiming it was based on “false and misleading claims from an unidentified source.” The DHS declined to comment on the veracity of that report.
Not that the U.S. government appears overly worried. Federal government contract records show that among buyers of DJI drones this year are the FBI, the State Department (via embassies in Mexico and Peru) and the U.S. Army.