Here’s How Hackers Might Have Accessed Your DJI Drone Account

Potential Vulnerability Discovered in DJI Drone Web App: Implications for User Security

Cybersecurity researchers from Check Point have unveiled details about a significant vulnerability in the DJI Drone web application that posed risks to user accounts and sensitive data. This flaw potentially allowed attackers to access information such as flight records, location data, live video feeds, and images captured during drone flights, compromising user privacy and security.

Discovered and responsibly reported to DJI’s security team in March of this year, the issue remained unaddressed for nearly six months, only being fixed in September. The vulnerability is rooted in a combination of three weaknesses in DJI’s infrastructure. These include an insecure cookie flag in the identification process, a cross-site scripting (XSS) flaw on its forum, and an SSL pinning issue within its mobile application.

The primary concern arises from the absence of the “Secure” and “HttpOnly” cookie flags, which allowed attackers to hijack user login cookies through a malicious JavaScript injection. By exploiting the XSS vulnerability, attackers could craft a simple forum post linking to a harmful payload on the DJI Forum. Users who clicked on this link while logged into their accounts could inadvertently expose their login cookies, granting attackers access to additional DJI online services.
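As an added illustration (not Check Point's or DJI's code), the following Python script audits `Set-Cookie` header values for the flags whose absence the article describes, and builds a hardened cookie for comparison. The cookie names, values and headers are constructed samples, not DJI's; `SameSite` is included in the check because it is the current baseline for session cookies even though the article only mentions `Secure` and `HttpOnly`.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly / SameSite attributes.

Added example, not code from the article or from DJI. All cookie names and
values below are constructed placeholders.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

# Attributes a session cookie should carry. Without HttpOnly, script injected
# via XSS can read the cookie with document.cookie; without Secure, it can be
# sent over plain HTTP; SameSite limits cross-site sends (assumption: Lax is
# acceptable for the application in question).
REQUIRED_ATTRIBUTES = ("secure", "httponly", "samesite")

# Constructed sample: the weak configuration the article describes ...
WEAK_HEADERS = [
    "session=abc123; Path=/; Max-Age=3600",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]
# ... and the same cookies with the flags applied.
HARDENED_HEADERS = [
    "session=abc123; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def audit_set_cookie(header_value: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for one Set-Cookie value.

    SimpleCookie lower-cases attribute names on load, so "HttpOnly" and
    "httponly" are both recognised; flag attributes read back as True when
    present and as "" when absent.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        findings[name] = [attr for attr in REQUIRED_ATTRIBUTES if not morsel[attr]]
    return findings


def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Merge the per-header audits for every Set-Cookie header of one response."""
    findings: Dict[str, List[str]] = {}
    for header_value in set_cookie_headers:
        findings.update(audit_set_cookie(header_value))
    return findings


def build_hardened_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Emit a Set-Cookie value with every required attribute set (the fix)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_response(headers)}")
    print("fixed session cookie:", build_hardened_cookie("session", "abc123"))
```

Run the script against the headers a real server returns (for example the `Set-Cookie` values collected from an HTTP client) and treat any non-empty list for a session cookie as a finding; the audit is purely a header check and does not itself fix the server.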

Once in possession of the login cookies—containing authentication tokens—attackers could gain complete control over a user’s DJI web account as well as access the DJI GO, DJI 4, and DJI Pilot mobile applications. Furthermore, an advanced attack could involve intercepting mobile application traffic via a man-in-the-middle (MitM) method. This would necessitate bypassing the mobile app’s SSL pinning by utilizing tools like Burp Suite to connect to DJI servers, enabling further exploitation of the compromised account.

Researchers at Check Point conducted extensive analysis and determined that examining flight log files could yield sensitive data, including detailed information about the drone’s location, angle of photographs taken, and other operational details. Given the nature of these vulnerabilities, DJI classified the risk as “high risk—low probability.” Successful exploitation hinges on user interaction with a malicious link, raising the bar for potential attacks.

DJI has stated that no evidence exists to indicate the exploitation of this vulnerability in active attacks. Check Point’s vulnerability disclosure was facilitated through DJI’s bug bounty program, which offers rewards of up to $30,000 for significant vulnerabilities, although the specific amount awarded to Check Point has not been disclosed.

The drone manufacturer faces increased scrutiny in the United States following a memo from the Department of Homeland Security last year. This document accused DJI of transmitting sensitive information regarding U.S. infrastructure back to China via its drones and software. DJI has categorically denied these allegations, claiming that the assertions were based on erroneous and misleading claims.

For business owners, the implications of these vulnerabilities highlight the critical importance of robust cybersecurity measures. The potential for exploitation underscores the need for comprehensive risk assessments and incident response strategies. Understanding adversary tactics and techniques within the MITRE ATT&CK framework can enhance awareness and preparedness against similar cybersecurity threats, emphasizing the ongoing necessity to safeguard user accounts against unauthorized access.
