Researchers at Israeli cybersecurity firm Check Point Software Technologies Ltd. and Chinese consumer and civilian drone-maker DJI said they identified and corrected a vulnerability that could have been used by hackers to gain access to the personal accounts of the drone operators, giving them entry to the drones’ cameras and the information they record.
The vulnerability could have allowed hackers to access data including film footage and flight paths, the companies said in a joint statement and a video explaining the vulnerability.
DJI sells its drones to more than 100 countries and holds a 70 percent global market share. Its drones are used by critical infrastructure firms, security and defense institutions, police forces, media, agricultural and construction enterprises, and emergency and entertainment services. The civilian drone and aerial imaging technology industry is now worth some $127 billion, Check Point researchers said in a blog post reporting the vulnerability.
“Used by so many customers worldwide, both consumer and corporate, drone vendors are actually a massive data collecting machine, obtaining images and other sensitive information from a large range of subject matter,” Check Point researchers said in the blog post. “Information provided by drones, such as flight paths, photos, aerial video footage and maps, offers a threat actor key information for the first stage of any cyber or physical attack – reconnaissance.”
“For those looking to target critical infrastructure facilities such as energy plants or water dams, for example, analyzing intricate details and images of such facilities could easily reveal information that would prove highly useful in a future attack,” the blog said.
The researchers reported the vulnerability to the Chinese firm in March, leading to steps to close the weakness.
In a report, researchers at Check Point outlined a process in which an attacker could have potentially gained access to a user’s account through a vulnerability discovered in the user identification process within a DJI-sponsored online forum about its products.
Check Point’s researchers discovered that DJI’s platforms used a token to identify registered customers, making it a target for hackers looking for ways to access accounts.
DJI consumers who had synced their flight records, including photos, videos and flight logs, to DJI’s cloud servers, and DJI corporate users who used DJI FlightHub software, which includes a live camera, audio and map view, could have become vulnerable, Check Point said in its report.
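The weakness described above, a single identification token honoured by more than one platform, is a general pattern rather than anything specific to DJI, and the article does not describe DJI's actual token format. The following added example (not DJI's, Check Point's or any vendor's code) illustrates the class of problem with a constructed HMAC-signed token: a weak validator accepts any validly signed token wherever it is presented, so a token obtained from one platform (a forum, in the article's scenario) also identifies the customer to a cloud or flight-management service; the hardened validator additionally binds the token to one audience and a short lifetime, so the same leaked token is rejected elsewhere. The secret key, user id, platform names and timestamps are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. A real deployment would use a per-service key from a secret store,
# and separate keys per platform would be stronger still.
SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, audience: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue an HMAC-SHA256 signed token that names the platform it is for ('aud') and expires."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "aud": audience, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify_signature(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid, otherwise None (constant-time compare)."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    return json.loads(_unb64(body))


def weak_identify(token: str) -> Optional[str]:
    """Weak pattern: any validly signed token identifies the customer on every platform,
    so a token exposed on one platform is as good as a login everywhere."""
    claims = _verify_signature(token)
    return claims["sub"] if claims else None


def hardened_identify(token: str, expected_audience: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened pattern: signature, audience and expiry must all check out before the user is identified."""
    now = time.time() if now is None else now
    claims = _verify_signature(token)
    if claims is None:
        return None
    if claims.get("aud") != expected_audience:  # token was issued for a different platform
        return None
    if claims.get("exp", 0) <= now:  # short lifetime limits the window in which a leak is useful
        return None
    return claims["sub"]


if __name__ == "__main__":
    # Constructed scenario: a token issued to the forum platform is later presented to the cloud service.
    forum_token = issue_token("pilot-42", audience="forum", ttl_seconds=3600, now=1_000_000)
    print("weak cloud check   :", weak_identify(forum_token))                          # pilot-42 (accepted)
    print("hardened cloud check:", hardened_identify(forum_token, "cloud", now=1_000_100))  # None (rejected)
    print("hardened forum check:", hardened_identify(forum_token, "forum", now=1_000_100))  # pilot-42
```

The audience check is what stops one platform's session from being replayed against another; the expiry bounds how long any exposed token stays useful, and the signature check alone, as `weak_identify` shows, does neither.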
This vulnerability has since been patched and there is no evidence it was ever exploited, the firms said.
“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, vice president and country manager, North America at DJI. “All technology companies understand that bolstering cyber security is a continual process that never ends. Protecting the integrity of our users’ information is a top priority for DJI, and we are committed to continued collaboration with responsible security researchers such as Check Point.”
“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively, and we applaud DJI for doing just that,” said Oded Vanunu, head of Products Vulnerability Research at Check Point. “Following this discovery, it is important for organizations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”
Check Point and DJI said all users should remain “vigilant” whenever exchanging information digitally. “Always practice safe cyber habits when engaging with others online, and question the legitimacy of links to information seen on user forums and websites,” the statement said.