Check Point Researchers and DJI shared information about a vulnerability that might have allowed third parties access to DJI users’ data and drone images through the DJI Forum. If the vulnerability were to be exploited, it would have allowed a third party to access to a user’s account, including information such as photos, video footage, flight paths, GPS data, and other information without the user ever realizing his account was hacked. DJI was first notified about this in March of 2018. It has since been patched.

DJI Mavic Pro

Major DJI security vulnerability

Researchers from Check Point notified DJI about the vulnerability that resides in the DJI identification process of the DJI Forum back in March of 2018 through the DJI Bug Bounty Program. According to the researchers, the world’s largest drone maker handled the matter responsibly.

“The attacker would have completely uninhibited access to login and view the drone’s camera during live operations of any flights currently in progress, or download records of previously recorded flights that had been uploaded to the FlightHub platform,” said Check Point Researchers.

According to Check Point Researchers, if the vulnerability were to be exploited an attacker would possibly have gained access to:

  • Flight logs, photos and videos generated during drone flights, if a DJI user had synced them with DJI’s cloud servers. (Flight logs indicate the exact location of a drone during its entire flight, as well as previews of photos and videos taken during the flight.)
  • A live camera view and map view during drone flights, if a DJI user were using DJI’s FlightHub flight management software.
  • Information associated with a DJI user’s account, including user profile information.

DJI classified the vulnerability as high risk but low probability and has since resolved the issue.

“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, Vice President and Country Manager, North America at DJI. “This is exactly the reason DJI established our Bug Bounty Program in the first place. All technology companies understand that bolstering cybersecurity is a continual process that never ends. Protecting the integrity of our users’ information is a top priority for DJI, and we are committed to continued collaboration with responsible security researchers such as Check Point.”

The vulnerability was reported through DJI’s Bug Bounty Program, which encourages security researchers to discover and report issues with DJI’s products by offering rewards of up to $30,000, depending on severity. To date, DJI has paid almost $75,000 to 87 researchers who have reported almost 200 vulnerabilities.

DJI customers should always use the most current version of the DJI GO or GO 4 pilot apps.

Read a detailed report of the bug here. Read DJI’s official response here.

STAY IN TOUCH!

If you’d like to stay up to date with all the latest drone news, scoops, rumors and reviews, then follow us on TwitterFacebookYouTubeInstagram or sign up for our email newsletter DroneRise, that goes out every weekday morning at 6 am.

Buy your next drone through directly from manufacturers, such as DJIParrotYuneec or retailers like AmazonB&HBestBuy or eBay. By using our links, we will make a small commission, but it will not cost you anything extra. Thank you for helping DroneDJ grow!

About the Author