Drones have been gaining steady altitude in their popularity—used for military purposes, surveillance, commercial photography and, increasingly, as an expensive toy for robotics enthusiasts. But as an eye in the sky, drones have great potential to compromise privacy and security. So, when researchers uncovered a vulnerability with a major drone vendor that could expose data and allow account takeovers, it was noteworthy.

One of the leaders in civilian drone manufacturing is a company called Dà-Jiāng Innovations (DJI). Its global customer base includes consumers and corporate entities that span critical infrastructure, manufacturing, agriculture, construction, and emergency-management sectors. As a result, DJI drones capture data and images from a wide range of viewpoints across a large spectrum of subject matter.

According to researchers from Check Point Software, a critical vulnerability was exposed through DJI’s online discussion forum. Authentication tokens and cookies were the underlying elements.

To start with, some of DJI’s sites rely on OAuth, an open-standard authentication process that allows single sign-on and use by third-party services without revealing the password. Through this setup, the researchers showed that a hacker could make a query to find and replace a target’s authentication token with his or her own credentials.

Wired notes, “Similar to the issue that resulted in this fall’s massive Facebook breach, the researchers found that they could compromise the authentication tokens that allow DJI’s users to move seamlessly between the company’s various cloud offerings and stay logged in. In this setup—known as a single sign-on scheme—an active token is essentially the key to a user’s entire account.”

Once in, an attacker could then plant a malicious but legitimate-looking link that could lure people into clicking, which would then snag victims’ authentication cookies.

Check Point Research explains that DJI uses cookies to complete the authentication process. “DJI uses a cookie that the attacker can obtain to identify a user and create tokens, or tickets, to access their platforms. Through the use of this cookie, an attacker is able to simply hijack any user’s account and take complete control over any of the user’s DJI Mobile Apps, Web Account or DJI FlightHub account.”

The researchers believe that if the bug were to be exploited, hackers could have access to:

  • Flight logs, photos and videos generated during drone flights (flight logs indicate the exact location of a drone during its entire flight, as well as previews of photos and videos taken during the flight)
  • A live camera view and map view during drone flights
  • Information associated with a DJI user’s account, including user profile information

Oded Vanunu, Head of Products Vulnerability Research at Check Point cautions, “It is important for organizations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”

Get the full story at Check Point Research.