A dangerous vulnerability has been found in the DJI drone web app which could have allowed attackers to access user accounts and the sensitive information within them, including flight records, location, live video camera feed, and photos taken during a flight.
The flaw was discovered by cybersecurity researchers at Check Point, who reported it in March to the security team of DJI, the popular China-based drone manufacturer; DJI fixed the issue in September.
The attack chains three vulnerabilities in the DJI infrastructure: a Secure Cookie bug in the DJI identification process, a cross-site scripting (XSS) flaw in its forum, and an SSL pinning issue in its mobile app.
Once captured, the login cookies, which include authentication tokens, can be re-used to take complete control over the user's DJI web account, the DJI GO/4/Pilot mobile applications, and the user's account on DJI FlightHub, its centralized drone operations management platform.
To access the compromised account through the DJI mobile apps, an attacker first has to intercept the mobile application's traffic, which requires bypassing its SSL pinning implementation by performing a man-in-the-middle (MitM) attack against the connection to the DJI server using Burp Suite.
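Two of the three weaknesses above, the cookie attribute bug and the forum XSS, are the kind a defender can audit for directly. The following Python is an added example written for this article; it is not Check Point's tooling or DJI's code, and the Set-Cookie headers it inspects are constructed samples, not DJI's real headers. It flags authentication-looking cookies that are missing the Secure or HttpOnly attributes (either omission lets a script or a plaintext hop read the token), and it shows the output encoding a forum should apply to user-supplied text so injected markup is rendered as literal characters instead of executed.

```python
import html

# Constructed sample Set-Cookie headers, such as a reviewer might capture from a
# staging environment. They are illustrative only and are not DJI's headers.
SAMPLE_SET_COOKIE_HEADERS = [
    "auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # well-formed
    "session_id=xyz789; Path=/",                                  # no Secure, no HttpOnly
    "theme=dark; Path=/; Secure",                                 # not an auth cookie
]

# Name fragments that suggest a cookie carries an authentication token.
AUTH_COOKIE_HINTS = ("auth", "session", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def is_auth_cookie(name):
    """Heuristic: does the cookie name look like it holds a session/auth token?"""
    lowered = name.lower()
    return any(hint in lowered for hint in AUTH_COOKIE_HINTS)


def audit_cookie_flags(headers):
    """Return {cookie_name: [missing attributes]} for auth-looking cookies.

    A cookie is reported only if it is missing 'secure' and/or 'httponly'.
    """
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not is_auth_cookie(name):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def render_forum_post(body):
    """Escape user-supplied forum text before it is placed into an HTML page.

    html.escape converts <, >, &, " and ' to entities, so any tags or
    attributes in the post are shown as text rather than interpreted.
    """
    return html.escape(body, quote=True)


if __name__ == "__main__":
    for cookie, missing in audit_cookie_flags(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
    # Constructed forum post containing markup; it is neutralised on output.
    print(render_forum_post('<b>hello</b> <a href="x">link</a>'))
```

Run against the constructed headers, the audit reports only `session_id`, which lacks both attributes; `auth_token` passes, and `theme` is skipped because it does not look like an authentication cookie. The escaping step is output encoding, which should be applied in addition to, not instead of, the cookie attributes: HttpOnly keeps the token out of script reach even where an encoding gap remains.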
The vulnerability has been categorized as high risk but low probability, because successful exploitation required a user to be logged into their DJI account while clicking a specially planted malicious link in the DJI forum. No evidence has been found of this flaw being exploited in the wild.
The researchers reported the vulnerability to DJI through its bug bounty program.
DJI has been facing scrutiny in the United States since the Department of Homeland Security (DHS) released a memo late last year accusing the company of sending sensitive information about U.S. infrastructure to China through its commercial drones and software. DJI has denied the allegations.