Critical authentication flaw in DJI drone web app fixed

Check Point researcher finds vulnerability that could have allowed attackers to spy on drone fleets in real time.


Attackers could have spied in real time on drone fleets used in critical infrastructure, including both flight path data and real-time video and audio feeds, according to research by Check Point, and confirmed by drone maker DJI in a statement. The security flaw, reported by Check Point in March of this year, has since been patched.

Popular among consumer drone enthusiasts, DJI drones are also widely used in industry, manufacturing, agriculture, and critical infrastructure, and among emergency response personnel, including police and fire departments.

"The worst thing is that there is an app called FlightHub that is a very sophisticated app, basically an application that provides management capabilities between two drones or hundreds of drones, some running automated missions," Oded Vanunu, head of products vulnerability research at Check Point, tells CSO. "And this is being used by a lot of law enforcement, fire departments, police departments, government facilities, to map their environment."

"Users on the DJI FlightHub fleet management system could have had live flight information accessed," DJI wrote in a statement.

Drone data syncs unencrypted with DJI's cloud infrastructure, and DJI does not offer cloud storage with user-controlled encryption. The drone maker does offer a local data mode that turns off cloud sync, DJI said.

Flaw gave access to DJI app, web store, and cloud server data

The researchers at Check Point found a vulnerability in the user authentication process that would have let an attacker hijack user accounts and gain access to DJI's web store, synced cloud server data, and FlightHub. "The vulnerability was accessed through DJI Forum, an online forum DJI runs for discussions about its products," the researchers concluded in their report. "A user who logged into DJI Forum, then clicked a specially planted malicious link, could have had his or her login credentials stolen to allow access to other DJI online assets."

The researchers at Check Point were able to hijack user accounts because of a broken authentication process between the DJI user forum, forum.dji.com, and the main authentication server.

"The vulnerability resides in the DJI identification process," Check Point reports. "DJI uses a cookie that the attacker can obtain to identify a user and create tokens, or tickets, to access their platforms. Through the use of this cookie, an attacker is able to simply hijack any user's account and take complete control over any of the user's DJI Mobile Apps, Web Account or DJI FlightHub account."
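The description above comes down to one identity cookie that a page on a different host (the forum) could read, and that was then accepted as proof of identity when minting tickets for every other DJI service. The following is an added example, not code from Check Point's report or from DJI, that models the two defensive controls a practitioner would check for after reading it: an audit of the cookie's attributes (HttpOnly, Secure, SameSite, and no broad Domain), and a ticket format that is bound to a single service and expires quickly, so a captured ticket for one service is useless at another. All hostnames, cookie names and values are constructed, and the HMAC ticket scheme is a generic design, not a description of DJI's patched implementation.

```python
# Added example (not Check Point's or DJI's code): two defensive checks for the
# class of flaw described above, where a cookie readable through a link on one
# site (the forum) was enough to mint tickets for every other service.
# All hosts, cookie names and values below are constructed for illustration.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from http.cookies import SimpleCookie
from typing import List, Optional

# Cookie names treated as identity-bearing (constructed list for this example).
SENSITIVE_NAMES = ("session", "sid", "ticket", "token", "auth")


def audit_set_cookie(header: str) -> List[str]:
    """Check one Set-Cookie header value and list the attributes an identity
    cookie should carry but does not.  Useful when reviewing a login response
    in a proxy or as a CI test against a staging login endpoint."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not any(s in name.lower() for s in SENSITIVE_NAMES):
            continue  # only identity-bearing cookies matter here
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, so page script can read it")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, so it travels over plain HTTP")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            findings.append(f"{name}: missing SameSite=Lax/Strict, so cross-site requests carry it")
        if morsel["domain"]:
            findings.append(f"{name}: Domain={morsel['domain']} sends it to every subdomain "
                            "(a forum host included); a host-only cookie has no Domain attribute")
    return findings


# Constructed signing key; in a real deployment only the identity server holds it.
_TICKET_KEY = secrets.token_bytes(32)


def mint_ticket(user_id: str, audience: str, ttl_s: int = 300,
                now: Optional[int] = None) -> str:
    """Issue a ticket for ONE service (audience) that expires after ttl_s seconds.
    A ticket minted for the fleet-management service is rejected by the web
    store, and a captured one goes stale quickly, unlike a long-lived identity
    cookie that every service accepts."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user_id, "aud": audience, "exp": now + ttl_s},
                         separators=(",", ":")).encode()
    tag = hmac.new(_TICKET_KEY, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(tag).decode()}"


def verify_ticket(ticket: str, expected_audience: str,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the ticket is authentic, unexpired and meant for
    this service; otherwise None.  The signature is verified before any claim
    inside the payload is trusted."""
    try:
        payload_b64, tag_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(_TICKET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]


if __name__ == "__main__":
    # Constructed login responses: the first is the shape of cookie a page on
    # another host could read and replay; the second is the hardened equivalent.
    for hdr in ("sid=c0ffee; Path=/; Domain=example.com",
                "sid=c0ffee; Path=/; HttpOnly; Secure; SameSite=Lax"):
        print(hdr, "->", audit_set_cookie(hdr) or "OK")
    t = mint_ticket("user-42", "flighthub", now=1000)
    print("fleet service at t+100:", verify_ticket(t, "flighthub", now=1100))  # user-42
    print("web store, same ticket: ", verify_ticket(t, "webstore", now=1100))  # None
    print("fleet service at t+600:", verify_ticket(t, "flighthub", now=1600))  # None
```

The audit catches the cookie shape that makes a planted link dangerous: without HttpOnly the cookie is exposed to any script that runs on a page where it is sent, and a Domain attribute sends it to every subdomain rather than only the host that set it. The ticket functions show the second half of the mitigation: even if an identity cookie leaks, a service should only honour a ticket that names it as the audience and is still within its short lifetime.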

A social engineering attack on the DJI forum would have been enough to compromise thousands of drones. The active DJI forum contains hundreds of thousands of drone enthusiast users who will happily click on links, believing them to be safe.

"Once we managed to execute the code, we started to review the business logic of the forum," Vanunu says. "It's a very large user community, hundreds of thousands of events every day. It's a very active forum and it's also a forum for sharing videos."

"Today we know that social engineering is the main attack vector in every space," he adds. "So, this is the perfect ground for a fake user to just put a fake URL. 'I have new parts for DJI Pro available for sale, here's a link.'"

Hacking the DJI mobile app took a little bit more work, but eventually that, too, fell. After a fair bit of jujitsu to reverse engineer the mobile app to break DJI's certificate pinning, the researchers were able to man-in-the-middle (MitM) traffic to the DJI server using Burp Suite.

DJI trying to move on from past security issues

DJI has struggled with security issues of late. Last year the United States Department of Defense told the Army to stop using DJI drones because of security concerns. “Cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction,” Lt. Gen. Joseph H. Anderson, the Army’s deputy chief of staff for plans and operations, wrote in a memo released under FOIA. The memo says this is because of “increased awareness of cyber vulnerabilities associated with DJI products.”

The drone maker also bungled its bug bounty launch, prompting one researcher to walk away from a $30,000 bounty. DJI appears to have learned from that misstep and welcomed the Check Point research. "We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” DJI's Mario Rebello, vice president and country manager, wrote in a statement. “This is exactly the reason DJI established our bug bounty program in the first place."
