Wired magazine reports that a newly discovered bug in DJI’s cloud infrastructure may have allowed hackers to take over user accounts and potentially access photos, videos and other flight data.
The fault was uncovered by the security firm Check Point through DJI’s bug bounty program, which compensates researchers who report security concerns, awarding up to $30,000 depending on the severity of the problem. To date, it has paid out $75,000 to 87 researchers for 200 different security flaws.
What caused this glitch?
The security flaw identified by Check Point arises from DJI’s authentication token, which allows a user to remain logged in as they move between DJI’s various online applications. Generally speaking, when someone uses a provider such as Google or Facebook that offers multiple services, they are prompted to re-enter their username and password, or to pass another authentication check, as they go from one service to the next.
Oded Vanunu, head of products vulnerability research at Check Point, said his company was a fan of DJI products but wanted to draw big vendors’ attention to this kind of flaw. He added that while most DJI products had strong security protections, the company’s ecosystem of services and third-party apps left openings for intrusion.
If someone were to exploit the bug uncovered by Check Point, Wired wrote, an attacker could:
“Identify victims and gain information about them, steal the cookie needed to complete the authentication, log into their own DJI account, and then swap in a victim’s token and cookie values so the attacker takes on the persona of the victim and suddenly has full access to their account.”
DJI have responded by acknowledging the flaw while stating that the chance of anyone’s information actually being compromised was low: an account could only be taken over if its owner clicked a malicious link on the DJI forums while logged in. DJI have now resolved the issue, completely revamping their online security.
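The token swap Wired describes, combined with the malicious-link vector DJI points to, is a well-known web session weakness: an authentication cookie that page script can read (so a link carrying injected script can exfiltrate it) and that the server honours from whichever browser presents it. The Python below is an added illustration of that class and of its usual mitigations (HttpOnly/Secure/SameSite cookie attributes, binding the token to the client it was issued to, and a short lifetime). It is not DJI’s code or an account of how DJI’s service actually worked; the in-memory session store, the `client_fingerprint` value, `SERVER_KEY` and the 15-minute TTL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory session store (token -> record). Illustrative model of
# the bug class only; not DJI's implementation.
SESSIONS = {}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret
SESSION_TTL = 15 * 60                 # hypothetical lifetime, in seconds


def issue_session(user, client_fingerprint, hardened=True, now=None):
    """Log `user` in and return the Set-Cookie header value the server sends.

    `client_fingerprint` stands for whatever the server can observe about the
    browser (assumed here; e.g. a device or channel binding value). The
    hardened variant marks the cookie HttpOnly/Secure/SameSite so script
    injected via a malicious link cannot read it with document.cookie, and
    records an HMAC of the fingerprint so the token is only honoured from the
    browser it was issued to.
    """
    token = secrets.token_urlsafe(32)
    binding = None
    if hardened:
        binding = hmac.new(SERVER_KEY, client_fingerprint.encode(), hashlib.sha256).hexdigest()
    SESSIONS[token] = {
        "user": user,
        "issued": now if now is not None else time.time(),
        "binding": binding,
    }
    cookie = SimpleCookie()
    cookie["auth_token"] = token
    if hardened:
        cookie["auth_token"]["httponly"] = True
        cookie["auth_token"]["secure"] = True
        cookie["auth_token"]["samesite"] = "Strict"
        cookie["auth_token"]["max-age"] = SESSION_TTL
    return cookie.output(header="").strip()


def script_readable(set_cookie_header):
    """True if page script (the payload behind a malicious link) could read
    this cookie through document.cookie, i.e. it lacks the HttpOnly attribute."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


def token_from_cookie_header(cookie_header):
    """Extract auth_token from a request's Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("auth_token")
    return morsel.value if morsel else None


def authenticate_weak(cookie_header):
    """Vulnerable pattern: whoever presents the token is that user. A value
    copied out of a victim's browser works unchanged from the attacker's."""
    rec = SESSIONS.get(token_from_cookie_header(cookie_header))
    return rec["user"] if rec else None


def authenticate_bound(cookie_header, client_fingerprint, now=None):
    """Hardened pattern: the token must be unexpired and presented from the
    browser it was bound to at login."""
    rec = SESSIONS.get(token_from_cookie_header(cookie_header))
    if rec is None or rec["binding"] is None:
        return None
    now = now if now is not None else time.time()
    if now - rec["issued"] > SESSION_TTL:
        return None
    expected = hmac.new(SERVER_KEY, client_fingerprint.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(rec["binding"], expected):
        return None
    return rec["user"]


def demo():
    """Replay the swap the article describes against both models and return
    the outcomes so they can be checked rather than only printed."""
    # Weak model: cookie readable by script, token honoured from any browser.
    victim_weak = issue_session("victim", "victim-browser", hardened=False)
    issue_session("attacker", "attacker-browser", hardened=False)  # attacker's own login
    stolen = victim_weak.split(";")[0]       # name=value pair exfiltrated by injected script
    weak_result = authenticate_weak(stolen)  # presented from the attacker's browser

    # Hardened model: the same theft attempt, presented from the attacker's browser.
    victim_hard = issue_session("victim", "victim-browser", hardened=True, now=0)
    stolen_hard = victim_hard.split(";")[0]
    return {
        "weak_cookie_script_readable": script_readable(victim_weak),
        "weak_swap_yields": weak_result,
        "hard_cookie_script_readable": script_readable(victim_hard),
        "hard_swap_from_attacker_browser": authenticate_bound(stolen_hard, "attacker-browser", now=10),
        "hard_legit_from_victim_browser": authenticate_bound(stolen_hard, "victim-browser", now=10),
        "hard_after_expiry": authenticate_bound(stolen_hard, "victim-browser", now=SESSION_TTL + 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Binding the token to a client fingerprint is defence in depth rather than a fix on its own: if the attacker’s script is running inside the victim’s browser, requests sent from there still carry the right fingerprint. That is why the HttpOnly attribute, which stops the theft in the first place, and a short token lifetime matter more than the binding check.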