Now hackers can spy on you via DJI drone account

The vulnerability that could be used to spy on you is an old one; it was discovered and reported to the DJI security team in March this year, but the popular China-based drone manufacturer only fixed the issue in September, almost six months later. So thanks a lot for caring for your users’ privacy and security, DJI!

The potentially dangerous vulnerability was found in the DJI drone web app; if exploited, it could give an attacker access to user accounts and to the sensitive information synced to them, which includes flight records, location, the live camera video feed, and photos taken during a flight.
The account-hijack attack is possible thanks to a combination of three vulnerabilities in the DJI infrastructure: a secure-cookie bug in the DJI identification (login) process, a cross-site scripting (XSS) flaw in its forum, and an SSL pinning issue in its mobile app.

The first vulnerability exists because the login cookie is set without the “secure” and “httponly” cookie flags; this means a hacker can steal a user’s login cookies by injecting malicious JavaScript into the DJI Forum website through the XSS vulnerability.

Once the login cookies are captured, they can be re-used to take complete control over the user’s DJI web account, the DJI GO/GO 4/Pilot mobile applications, and the user’s account on DJI FlightHub, the centralized drone operations management platform.

To access the compromised account from the DJI mobile apps, an attacker has to use the third vulnerability: the mobile application’s traffic must first be intercepted, which requires bypassing its SSL pinning implementation so that a man-in-the-middle (MitM) proxy such as Burp Suite can sit between the app and the DJI server.
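The root cause of the first bug above is a session cookie issued without the Secure and HttpOnly flags. The following added example (not code from DJI or from the researchers) parses Set-Cookie headers, reports which of the two flags are missing, and rebuilds a hardened header; the sample headers and the cookie value are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample headers; the cookie value is a placeholder, not a real token.
WEAK_HEADER = "session=PLACEHOLDER_TOKEN; Path=/; Domain=.example.com"
HARDENED_HEADER = "session=PLACEHOLDER_TOKEN; Path=/; Domain=.example.com; Secure; HttpOnly"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its name, value and lower-cased attributes.
    Valueless flags such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    parsed = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, attr_value = part.partition("=")
        parsed[key.strip().lower()] = attr_value.strip()
    return parsed


def missing_flags(header: str) -> List[str]:
    """Return which of the two hardening flags are absent from the header.

    Without Secure the cookie is also sent over plain HTTP, where it can be read
    on the wire; without HttpOnly any script running in the site's origin, such as
    script injected through an XSS flaw, can read it via document.cookie, which is
    the forum-to-account-hijack chain described in the article.
    """
    parsed = parse_set_cookie(header)
    return [flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
            if key not in parsed]


def harden(header: str) -> str:
    """Return the header with any missing flag appended; other attributes are kept."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    return "; ".join(parts + missing_flags(header))


def audit_response_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of a response.
    Returns {cookie name: missing flags} for cookies that need fixing."""
    findings: Dict[str, List[str]] = {}
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        missing = missing_flags(value.strip())
        if missing:
            findings[parse_set_cookie(value.strip())["name"]] = missing
    return findings
```

Running `audit_response_headers` over the raw response headers of a login endpoint is a quick regression check that a session cookie never ships without both flags.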

Remember that everything can be hacked. To stay away from any threats related to the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.

The good news is that DJI rated the vulnerability as “high risk—low probability,” because successful exploitation of the flaw requires a user to be logged into their DJI account while clicking on a specially planted malicious link in the DJI Forum.
To date, researchers have not found any evidence of the flaw being exploited in the wild.

Those aren’t the only problems for DJI; recently the company has been facing criticism in the United States after the Department of Homeland Security (DHS) released a memo accusing the company of sending sensitive information about the U.S. infrastructure to China through its commercial drones and software.
However, the drone manufacturer denied the allegations, saying that the memo from the US government office was based on “clearly false and misleading claims.”

Keep in mind that modern society depends on computers, mobile devices, and the internet; always stay safe and secure.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks.