A DJI Bug Exposed Drone Photos and User Data


DJI makes some of the most popular quadcopters on the market, but its products have repeatedly drawn scrutiny from the United States government over privacy and security concerns. Most recently, the Department of Defense in May banned the purchase of consumer drones made by a handful of vendors, including DJI.

Now DJI has patched a problematic vulnerability in its cloud infrastructure that could have allowed an attacker to take over users’ accounts and access private data like photos and videos taken during drone flights, a user’s personal account information, and flight logs that include location data. A hacker could have even potentially accessed real-time drone location and a live camera feed during a flight.

The security firm Check Point discovered the issue and reported it in March through DJI’s bug bounty program. Similar to the issue that resulted in this fall’s massive Facebook breach, the researchers found that they could compromise the authentication tokens that allow DJI’s users to move seamlessly between the company’s various cloud offerings and stay logged in. In this setup—known as a single sign-on scheme—an active token is essentially the key to a user’s entire account.

“This is a very deep vulnerability,” says Oded Vanunu, head of products vulnerability research at Check Point. “We’re drone fans and fans of DJI, but we want to bring awareness about account takeover vulnerabilities in big vendors’ systems. In order to let users access different services without having to enter a username and password all the time, companies use one-time authentication to make a user token that’s valid across everything. But that means we’re living in an era where a targeted attack can become an extensive compromise.”

Vanunu says that many of DJI’s product security protections are very strong, but its ecosystem of services and third-party apps—meant to expand the functionality of its drones—left room for potential intrusions.


The Check Point researchers found two bugs that worked together to create the account takeover vulnerability. First, some DJI sites implemented the single sign-on scheme OAuth in a way that could allow an attacker to easily query for information about a user and their authentication token. But an attacker would still need a special cookie to use this for full account takeovers. Enter the second flaw, in DJI’s customer forums platform, which would allow an attacker to craft a malicious but legitimate DJI link that could automatically steal victims’ authentication cookies. And since DJI’s customer forums are very popular and active, the researchers say it wouldn’t be difficult to distribute one of the malicious links through the forums and trick people into clicking.

Using these issues in tandem, an attacker could identify victims and gain information about them, steal the cookie needed to complete the authentication, log into their own DJI account, and then swap in a victim’s token and cookie values so the attacker takes on the persona of the victim and suddenly has full access to their account.

DJI said in a statement that the findings “understandably raised several questions about DJI’s data security.” The company noted, though, that it classifies the flaw as “high risk—low probability,” because “the user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum.” DJI says it doesn’t see evidence that the flaw was ever exploited.

It took months for DJI to resolve the issues, and the researchers say that the company didn’t just push simple fixes. Instead, Check Point’s testing shows that DJI fundamentally reworked some elements of how its systems manage trust and user authentication to fix the bugs the researchers found, while also improving security more deeply.
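The kind of rework described above, shown as an added illustration rather than DJI's or Check Point's code: an SSO token scoped to a single service and bound to an expiry, plus a session cookie flagged so page scripts cannot read it. Names, the signing key and the service identifiers are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-deployment secret; a real service would load it from a KMS.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, audience: str, ttl: int = 900) -> str:
    """Mint a token valid only for one service (`audience`), not for every
    cloud offering at once, and only for `ttl` seconds."""
    claims = {"sub": user_id, "aud": audience, "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str, expected_audience: str, now=None):
    """Return the user id, or None when the MAC, audience or expiry is wrong.
    A token lifted from the forum therefore cannot be replayed elsewhere."""
    try:
        p64, m64 = token.split(".")
        payload, mac = _unb64(p64), _unb64(m64)
        claims = json.loads(payload)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    if claims.get("aud") != expected_audience:
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims.get("sub")


def session_cookie_header(token: str) -> str:
    """Set-Cookie line: HttpOnly keeps the value away from page scripts,
    Secure keeps it off plain HTTP, SameSite keeps it off cross-site requests."""
    return f"Set-Cookie: sso_session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
```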

In light of its problems with…

Source: Wired (Security)


