Slashdot Mirror


Glaring Vulnerabilities Make Many Commercial Drones 'Insecure by Design' (threatpost.com)

Slashdot reader msm1267 quotes ThreatPost: Drones, many readily available on ecommerce shops such as Amazon, are plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device. The United States Computer Emergency Readiness Team (US-CERT) published a warning about one model, the DBPOWER U818A WiFi quadcopter, last month, but according to the researcher who reported the vulnerabilities, multiple drone models -- manufactured by the same company but sold under different names -- are also vulnerable.

They contain two appealing attack vectors: an open access point and a misconfigured FTP server. If an attacker was within WiFi range of the drone they could easily obtain read and write permissions to the drone's filesystem and modify its root password... Like any attack dependent on Wi-Fi, an attacker would need to be in close proximity to the drone to carry out an attack, but an attacker could connect their computer to the drone access point, essentially treating it as a proxy to spy on the device's live feed or the drone's open ports.

1 of 22 comments

  1. Commercial? by ColdWetDog · Score: 3, Insightful

    TFA makes a big deal about vulnerabilities in 'commercial' UAVs but then goes on about obtaining root in an obvious 'toy' quadcopter. Not the $60,000 big boys that might be fun (or lucrative) to steal or, more threateningly, drop on somebody's head. A half kilogram plastic thing that might poke your eye out if you tried hard enough.

    Hell, I (and a whole bunch of others) would love for somebody to root the DJI quads. Then we can get rid of some of the more recent 'improvements' in the firmware.

    Really, I'm not seeing this. Somebody pops the innards of a cheap, Chinese toy.

    Woot!

    --
    Faster! Faster! Faster would be better!