Vulnerability Exposed DJI Customer Data and Drone Flight Logs, Photos and Videos Generated During Drone Flights
In August 2017 the U.S. Immigration and Customs Enforcement agency (ICE) issued an intelligence bulletin warning that Da Jiang Innovations (DJI) — the world’s largest drone manufacturer — was “likely passing U.S. critical infrastructure and law enforcement data to [the] Chinese government.” DJI strenuously denied the accusation.
Now Check Point Research has published details of a DJI vulnerability that would allow the Chinese government — or anybody else in the world — to simply take that data without any involvement from DJI. The vulnerability could provide full access to a drone user’s DJI account. A successful attacker would be able to obtain cloud-based flight records, stored photographs, user PII including credit card details — and a real-time view from the drone’s camera and microphone.
The vulnerability, providing access to users’ personal details, would be attractive to cybercriminals around the world. The flight records could also be used to track delivery drones to determine where deliveries are made in order to intercept and steal them.
The live camera view would be attractive to nation-state actors involved in critical infrastructure reconnaissance. Indeed, last year’s ICE bulletin notes that the Los Angeles Sheriff’s Office had announced its intention to deploy DJI drones for “barricaded suspects, hostage situations and other high-risk tactical operations, hazardous materials incidents, and fire related incidents.”
It also notes that the contractor building a DHS National Bio and Agro-Defense Facility in Manhattan, Kansas, is using DJI drones “to assist with construction layout and provide security during construction.”
The business and facility use of drones is growing rapidly. Check Point describes the potential espionage value in more detail. “For those looking to target critical infrastructure facilities such as energy plants or water dams,” the researchers write, “analyzing intricate details and images of such facilities could easily reveal information that would prove highly useful in a future attack.”
It points out that threat actors would be able to home in on various technologies to find out which vendor of CCTV cameras or biometric/electronic door locks an enterprise may be using. These products and suppliers could then be investigated to find the correct tools that could bypass them. “Indeed,” says the Check Point report, “having a detailed view of sensitive areas could reveal to criminals and potential terrorists where security gaps in general may lie, and pave the path to exploiting those gaps.”
This vulnerability, Oded Vanunu, head of products vulnerability research at Check Point, told SecurityWeek, “is a unique opportunity for malicious actors to gain priceless information — you have an eye in the sky. Organizations are moving towards automated flights, sometimes with dozens of drones patrolling across sensitive facilities. With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear. This is a huge opportunity for malicious actors.”
It would be attractive to general criminals to gain PII and use or resell it, and for criminals and state actors to use “in targeted attacks against cities or sensitive facilities.”
The vulnerability itself involves a loophole in DJI’s customer identification. By attacking the token used to identify registered users across the various DJI services, Check Point gained access to all the DJI platforms. It required registering an account within the DJI user forum and then posting an XSS attack. “Unlike most account takeovers, though, that rely on social engineering methods to fool the target victim into sending the attacker their login credentials,” note the researchers, “our team simply collected the user’s identifying token via a regular looking link posted in DJI’s forum to essentially hack into the victim’s account across all platforms.”
Once the identifying token is acquired, an attacker would be able to hijack the account, log in and gain access to the flight and personal data registered to the user’s drone.
Check Point reported the vulnerability to DJI, and it was fixed on September 28, 2018.
A statement from DJI sent to SecurityWeek confirms the problem. “Check Point’s researchers discovered that DJI’s platforms used a token to identify registered users across different aspects of the customer experience, making it a target for potential hackers looking for ways to access accounts. DJI users who had manually uploaded photos, videos or flight logs to DJI’s cloud servers could have seen that data become vulnerable to hacking. It could have also allowed access to some customer information, and users on the DJI FlightHub fleet management system could have had live flight information accessed as well.”
DJI engineers subsequently classified the vulnerability as high risk, but low probability. The high risk is clear; but the low probability is explained as the necessity for “a complicated set of preconditions to be successfully exploited: The user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum.”
There is, adds the DJI statement, “no evidence it was ever exploited.” It is worth noting, however, Check Point’s closing comment: “the admin would not receive any notification that an attacker has accessed their account. Meanwhile, the attacker would have completely uninhibited access to login and view the drone’s camera during live operations of any flights currently in progress, or download records of previously recorded flights that had been uploaded to the FlightHub platform.”