Slashdot Mirror


Vulnerability Could Make DJI Drones a Spy In the Sky (securityweek.com)

wiredmikey writes from a report via SecurityWeek: A vulnerability in systems operated by Da Jiang Innovations (DJI) -- the world's largest drone manufacturer -- allowed anybody in the world to have full access to a drone user's DJI account. A successful attacker would be able to obtain cloud-based flight records, stored photographs, user PII including credit card details -- and a real-time view from the drone's camera and microphone. Check Point researchers (who discovered and reported the vulnerability) told SecurityWeek, "The vulnerability is a unique opportunity for malicious actors to gain priceless information -- you have an eye in the sky. Organizations are moving towards automated flights, sometimes with dozens of drones patrolling across sensitive facilities. With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear. This is a huge opportunity for malicious actors."

18 comments

  1. Not secure by youngone · · Score: 2

    I was given a DJI Spark as a present, and found it can't be flown without creating a DJI account.
    My first assumption was that any data I created would be insecure in some form.
    I don't use mine as anything other than a toy, and you shouldn't either.

    1. Re:Not secure by FrankSchwab · · Score: 3

      How about that the app you need to install on your phone creates multiple, always-connected links to Chinese servers even when you're not flying?

      --
      And the worms ate into his brain.
    2. Re:Not secure by H-S.he29 · · Score: 5, Interesting

      I got the DJI Spark about a year ago (also "for free") and while the hardware seems pretty good, I expected much more from the software department, considering they are the 'largest drone manufacturer'.

      Not only does it require the DJI account, as you mentioned, but it also needs a smartphone to work properly: I have an old-ish device with not enough RAM to run their app reliably, so I thought I would use my tablet instead.

      Nope. In order to use the app, you must be connected to the drone using WiFi. But before you can take off, the app demands an Internet connection to update the no-fly zone or something. So you switch networks and return to the app... only to find out it refuses to proceed because the drone is now disconnected. No shit, Sherlock! Maybe download it to the tablet first, no?

      A few weeks later, I forgot my password and went for a reset. The password reset page I ended up on did not bear any resemblance to the DJI website and there was no indication it was even in any way affiliated with DJI. Also not something that instills a lot of confidence in me.

      Really, I can't say the reported vulnerability comes as a surprise to me...

      (Although I eventually managed to get the drone working, controlling it using a touch screen is really quite an underwhelming experience, compared to a proper RC transmitter. While they do offer a proprietary (model-specific) RC controller, I didn't feel like spending money on something that a) becomes useless to me if I fly into a wall and b) can simply stop working at any time if they feel like it, since it STILL requires the smartphone app (and thus mandatory updates).

      On the bright side, the whole experience was a great reminder to avoid all those "smart" and "always connected" devices like the plague.)

    3. Re:Not secure by rtb61 · · Score: 1

      Locally served is likely to make a shift from the grocery store to the data world. The bigger the cloud, heh heh, the worse the security storm. Locally served and when they fuck it up, you knock on the door screaming, right before calling the authorities and you want to audit security and you want your government auditing that security and even then, locally served on your own server, in your office, in a special safe for digital equipment. It seems, well, just like the namesakes, clouds leak all over the place.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:Not secure by Obfuscant · · Score: 1

      I don't have an app on my phone.

      I have an app on the tablet I use when flying, which is turned off when I'm not flying. Or the network is turned off. Either way.

      It's pretty well known that the flight data goes back to DJI. There's at least one site that converts the encrypted or encoded data back to usable form. It's a reasonable defense against people who do something stupid while flying and the device runs away from them, and then claim it is DJI's fault. For example, if you fly before the home point is set, and then hit a limit that triggers "go home", the aircraft will happily fly off towards someplace else. That's not DJI's fault.

    5. Re:Not secure by Anonymous Coward · · Score: 0

      The home point is set when GPS lock is achieved at powerup. This is automatic, for just the reason you described.

    6. Re:Not secure by Anonymous Coward · · Score: 0

      I have a Mavic and once it told me if I didn't upgrade the software it wouldn't fly more than 50' away.

    7. Re:Not secure by Obfuscant · · Score: 1

      The home point is set when GPS lock is achieved at powerup. This is automatic, for just the reason you described.

      The home point is set only AFTER the GPS position is valid. Before the GPS position is determined, the home point is invalid. Taking off before the home point is set prevents the home point from being set, and if "go home" is activated the aircraft will attempt to "go home" wherever home says. Which may be 10,000 miles away.

  2. The Dow Jones Industrial has a drone? by Anonymous Coward · · Score: 0

    Why would a stock thing have a drone thing?

  3. Aren't they all spies in the sky? by Anonymous Coward · · Score: 0

    So the drone could be made to feed video to an unintended voyeur in addition to the appropriate voyeur.

    1. Re:Aren't they all spies in the sky? by BlueStrat · · Score: 1

      Aren't they all spies in the sky?

      Yes, my redundancy meter asploded.

      It now detects no redunds at all whatsoever

      Strat :)

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  4. huge opportunity by Anonymous Coward · · Score: 0

    Hey, C'mon! Capitalism, babe! We all gotta make a living somehow...

  5. Re:Not secure but it is by Anonymous Coward · · Score: 0

    Can you read Chinese? No! Can Chinese read American? No! Fear not, grasshopper.

  6. Chinese have nothing on Alexia by Anonymous Coward · · Score: 0

    Amazon gets you to put a listening device in your home and then even pay a monthly fee to use it (if you have prime).

    So why is a Chinese drone maker any different?

    Anyone using Android or iOS is in the same boat.

  7. What about fair weather flight records? by Anonymous Coward · · Score: 1

    "able to obtain cloud-based flight records"

  8. Q: What do drones hear? by Anonymous Coward · · Score: 1

    "With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear."

    I don't think I've even seen a drone video where you could hear anything other than BZZZZZZzzzzzzZZZZZzzzzzZZzzzz. At least we don't have viable microphones flying around our skies. :p

  9. Re:Not secure but it is by Anonymous Coward · · Score: 0

    Chinese is not a language.

  10. All security cameras are suspect, including Jooan by Anonymous Coward · · Score: 0

    To reset the password on Jooan security camera DVR , you have to email chinese customer service for their "changes daily" password reset. This gives them the basic area that your security cameras are located. They get you to pay for their hardware, so they can spy on you. This is Chinese innovation, cheating stealing and tricking. The Amazon reviews have all been deleted, yet the product is still for sale.