Tuesday, 20 November 2018

DJI Drone Web App Security Flaw Could Let Attackers Take Over Drones

Researchers have discovered a serious problem that threatens the security of business enterprises as well as individuals. They have found security vulnerabilities in DJI drone web app which could trigger remote hacks. Exploiting this vulnerability could let an attacker gain access to users’ accounts and pilfer the data.

Security Vulnerability Discovered In The DJI Drone Web App

Reportedly, Check Point Research recently discovered a security vulnerability targeting DJI drones. The flaw existed in the DJI drone web app. Exploiting this vulnerability could allow an attacker to gain access to the victim’s DJI account with no alert. They have shared their findings in a separate report.
As discovered by the researchers, the vulnerability resided in the DJI identification process, allowing an attacker to hack a target account. As explained by CPR,
“DJI uses a cookie that the attacker can obtain to identify a user and create tokens, or tickets, to access their platforms. Through the use of this cookie, an attacker is able to simply hijack any user’s account and take complete control over any of the user’s DJI Mobile Apps, Web Account or DJI FlightHub account.”
Exploiting the bug required no special tactics. Rather a user could fall victim to a potential attacker by simply clicking on a malicious link shared in the attacker’s post on the DJI forum.  This would eventually result in a cross-site scripting (XSS) attack, letting the attacker access victim’s account.
The hack could expose sensitive data to the hackers, such as photos and videos taken by the drone, drone’s flight logs, live map and camera view, and the victim’s profile information.

DJI Released Patch

Check Point Researchers first discovered the vulnerability in March. They then informed DJI of their findings immediately. However, since the vendors took about six months to patch the flaw, the researchers did not disclose their findings until recently.
According to CPR, DJI adequately responded to their report. However, while they acknowledged the high-risk factor of the bug, they deemed it a low probability flaw owing to the trickiness of the exploit methods.
Moreover, DJI confirmed that the flaw remained unexploited.
Take your time to comment on this article.

No comments:

Post a Comment