DJI Drone Vulnerability

A Critical DJI Drone Vulnerability allows attackers to compromise the DJI Drone account and access the sensitive information including Flight logs, photos, and videos if it’s synced with DJI’s cloud servers.

DJI, a Drone manufacturer and its Drone used by many individuals and corporate for personal and commercial purpose in various sector such as agricultural, manufacturing to help them to capture images and taking video in clear viewpoint for various reasons.

According to Check Point Research, the DJI Drone Vulnerability could be exploited without users being aware of it and an attacker can access the various sensitive Drone activities data.

DJI forum, Used to discuss the futures and its products is the place where the vulnerability was accessed by researchers.

An attacker can post a malicious link in the forum to let users click on it to steal their login credentials that used by users to access to other DJI online platform such as DJI’s web platform, Cloud server data, DJI’s FlightHub.

Also, this potential vulnerabilities can be exploited in all three DJI platforms including  Website, Mobile App and FlightHub.

Attack Flows

The Vulnerability provides an access to pretty sensitive Drones activities including the information associated with a DJI user’s account Flight logs, photos and videos during the Drone in the air along with living camera view and map.

DJI Drone Vulnerability Details

In order to access the Drone users accounts, Attacker mainly needs to obtain the user’s tokens, or tickets, cookies which then can be used to hijack the accounts & gain the complete control of users all the 3 platform.

The researcher found the way that attackers access via mobile platform via a request to the mobile.php URL give sensitive information such as username, member_uid, token and much more and finally they Analyzed cookies named ‘meta-key’ was the main reason to leak the user’s identification.

Later attacker sends the XSS payload that helps to send the meta-key cookie to the user’s website by just o write a simple post in the DJI forum which would contain the link to the payload.

According to Checkpoint research, Follow process are used to attacker hijacking the account.

  • First the attacker needs a meta-key and a token to replace with their own. So he sends the meta-key he wants to hack to mobile.php and receives a corresponding token.
  • The attacker then enters his credentials and a login request is sent.
  • Once a response from Step 2 is received, the attacker replaces the cookie_key value with the victim’s meta-key and his token with the token from Step 1.
  • The attacker now has full access to the victim’s account.

A Demo Video of the Attack

“Also In order to get access to the flight log files, all the attacker need do is synchronize the flight records with his phone and all flight logs which had been manually uploaded to DJI cloud servers would be saved locally on his phone. researchers said.”

Related Read

PortSmash – A New Side Channel Vulnerability in SMT/Hyper-Threading That Allows Attackers To Steal Sensitive Data

Hackers Exploit Cisco Zero Day Vulnerability in Wild Resulting in DoS Condition

Samsung & Crucial Storage Device Vulnerability Allow Attackers to Break the Password & Access the Entire Device Data