09 Nov 2018

A dangerous vulnerability has been found in the DJI drone web app that could have allowed attackers to access user accounts and the sensitive information within them, including flight records, location, the live camera feed, and photos taken during a flight.

The flaw was discovered by cybersecurity researchers at Check Point, who reported it in March to the security team at DJI, the popular China-based drone manufacturer; DJI fixed the issue in September.

The attack chains three vulnerabilities in DJI's infrastructure: a secure-cookie bug in the DJI identification (login) process, a cross-site scripting (XSS) flaw in its forum, and an SSL pinning issue in its mobile app.

The first vulnerability, i.e. the login cookie not having the “secure” and “httponly” flags set, allowed attackers to steal a user's login cookies. To trigger it, the attacker only had to insert malicious JavaScript into an ordinary post in the DJI forum via the XSS vulnerability. When a user logged into the DJI Forum and clicked a specially planted malicious link, their login credentials were stolen, granting access to other DJI online assets.
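The weak setting described above is easy to audit. The following is an added example (not code from Check Point, DJI, or the original article) that parses Set-Cookie headers and reports session cookies missing the HttpOnly flag (which keeps page script, including an XSS payload, from reading the cookie), the Secure flag, or a SameSite attribute; the sample headers are constructed for illustration.

```python
from typing import Dict, List

# Flags a session cookie should carry: HttpOnly blocks script access via
# document.cookie, Secure keeps it off plaintext HTTP, SameSite limits
# cross-site sending.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into name/value plus lowercased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip().lower() if val else ""
    return cookie


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    c = parse_set_cookie(header)
    findings = []
    for flag in REQUIRED:
        if flag not in c:
            findings.append(f"{c['name']}: missing {flag}")
    if "samesite" not in c:
        findings.append(f"{c['name']}: missing samesite (recommend Lax or Strict)")
    elif c["samesite"] == "none" and "secure" not in c:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append(f"{c['name']}: samesite=none requires secure")
    return findings


# Constructed sample headers: a weak cookie beside its hardened form.
WEAK = "session_token=abc123; Path=/; Expires=Wed, 21 Oct 2020 07:28:00 GMT"
HARDENED = "session_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        print(h)
        for f in audit_cookie(h) or ["ok"]:
            print("  ", f)
```

The same function can be run over the Set-Cookie headers captured from a login response to confirm a fix like DJI's has actually been deployed.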

Once captured, the login cookies, which include authentication tokens, could be reused to take complete control of the user's DJI web account, the DJI GO/GO 4/Pilot mobile applications, and their account on DJI FlightHub, the company's centralized drone operations management platform.

To access the compromised account through the DJI mobile apps, attackers first had to intercept the mobile application's traffic by bypassing its SSL pinning implementation and performing a man-in-the-middle (MitM) attack on the connection to the DJI server using Burp Suite.

This vulnerability has been categorized as high risk – low probability, because successful exploitation required a user to be logged into their DJI account while clicking a specially planted malicious link in the DJI Forum. No evidence has been found of the flaw being exploited in the wild.

The researchers reported the vulnerability to DJI through its bug bounty program.

DJI has faced scrutiny in the United States since the Department of Homeland Security (DHS) released a memo late last year accusing the company of sending sensitive information about U.S. infrastructure to China through its commercial drones and software. DJI has denied the allegations.
