Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds

It took about six months for consumer drone maker DJI to repair a security vulnerability in its website and applications which, if exploited, could have given an attacker unhindered access to a drone owner's account.

The vulnerability, revealed Thursday by researchers from the security company Check Point, reportedly gave an attacker full access to data stored in a DJI user's cloud account, including drone logs, maps, photos and recorded or live video footage via FlightHub, the company's fleet management system, all without the user's knowledge.

In principle, exploiting the flaw was remarkably simple: the attacker only had to get a victim to click on a specially crafted link. In practice, Check Point spent a lot of time working out the precise sequence of steps a real attack would need, and none of them was particularly easy.

For this reason, DJI characterized the vulnerability as "high risk" but "low probability", given the many hurdles that must be overcome to exploit it.

"Given the popularity of DJI drones, it is important that potentially critical vulnerabilities such as this one are handled quickly and efficiently," said Oded Vanunu, Product Vulnerability Research Manager at Check Point.

A victim would have had to click on a malicious link posted on the DJI forum, where customers and fans talk about their drones and their activities. The link exploited a cross-site scripting (XSS) flaw on the forum, which let the attacker steal the cookie holding the user's access token; replaying that cookie on the DJI account login page then gave the attacker access to the user's main account.
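The chain above depends on script injected into the forum being able to read the session cookie and on the forum rendering untrusted post content as markup. As an added example (not code from Check Point or DJI), the JavaScript below audits Set-Cookie headers for the attributes that blunt that chain (HttpOnly blocks script access, Secure keeps the cookie off plaintext connections, SameSite limits cross-site sending) and escapes user-supplied post text before rendering. The header strings and attribute policy are constructed for the example.

```javascript
// Added example, not DJI's or Check Point's code. Audits Set-Cookie headers
// for session-hardening attributes and escapes forum text for safe rendering.

const REQUIRED = ['httponly', 'secure', 'samesite']; // policy assumed for this example

// Parse one Set-Cookie header into { name, value, attrs }; attrs maps
// lower-cased attribute names to their (possibly empty) values.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const k = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? '' : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return a list of findings: each required attribute that is missing, plus a
// finding when SameSite=None is used, since that disables cross-site protection.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = REQUIRED.filter((a) => !(a in attrs)).map((a) => `missing ${a}`);
  if ((attrs.samesite || '').toLowerCase() === 'none') findings.push('samesite=none');
  return findings;
}

// Escape the five HTML-significant characters in user-supplied forum text so a
// post is rendered as text rather than as markup or script.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample headers: a weak session cookie and a hardened one.
const WEAK = 'session=abc123; Path=/';
const HARDENED = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

for (const h of [WEAK, HARDENED]) console.log(h, '->', auditSetCookie(h));
```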

The researchers also discovered flaws in DJI's apps and its FlightHub website.

By exploiting this vulnerability, an attacker could take over the victim's account and access all of their synchronized flight records, drone photos and more. (Image: Check Point)

Check Point's disclosure came in March, when DJI corrected the XSS flaw on its site.

"Since then, we have analyzed, product by product, all the elements of our hardware and software where the login process could have been compromised, in order to ensure that easily reproducible hacking does not happen anymore," said DJI spokesman Adam Lisberg.

But it took the company until September to deploy fixes in its applications and in FlightHub.

The good news is that it is unlikely anyone else independently discovered and exploited the vulnerabilities, though Check Point and DJI acknowledge that it would be difficult to know for sure.

"Although no one can ever prove a negative, we have not seen any evidence that this vulnerability has ever been exploited," Lisberg said.

DJI said the vulnerability was a win for the bug bounty program it had created a little over a year ago. That bug bounty had a difficult start: a few months in, the company was accused of threatening a security researcher, who "walked away" from $30,000 after publishing a series of e-mails in which the company allegedly threatened him once he had found sensitive access keys for the company's Amazon Web Services instances.

This time, there was only praise for the bug hunters.

"We congratulate Check Point's researchers for their expertise in responsibly exposing a potentially critical vulnerability," said DJI North America's Mario Rebello.

It's nice to see that things have changed.
