Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vulnerability Could Make DJI Drones a Spy In the Sky (securityweek.com)

Posted by BeauHD on from the eye-in-the-sky dept.

wiredmikey writes from a report via SecurityWeek: A vulnerability in systems operated by Da Jiang Innovations (DJI) -- the world's largest drone manufacturer -- allowed anybody in the world to have full access to a drone user's DJI account. A successful attacker would be able to obtain cloud-based flight records, stored photographs, user PII including credit card details -- and a real-time view from the drone's camera and microphone. Check Point Researchers (who discovered and reported the vulnerability) told SecurityWeek, "The vulnerability is a unique opportunity for malicious actors to gain priceless information -- you have an eye in the sky. Organizations are moving towards automated flights, sometimes with dozens of drones patrolling across sensitive facilities. With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear. This is a huge opportunity for malicious actors."

3 of 18 comments (clear)

  1. Not secure by youngone · · Score: 2

    I was given a DJI Spark as a present, and found it can't be flown without creating a DJI account.
    My first assumption was that any data I created would be insecure in some form.
    I don't use mine as anything other than a toy, and you shouldn't either.

    1. Re:Not secure by FrankSchwab · · Score: 3

      How about that the app you need to install on your phone creates multiple, always-connected links to Chinese servers even when you're not flying?

      --
      And the worms ate into his brain.
    2. Re:Not secure by H-S.he29 · · Score: 5, Interesting

      I got the DJI Spark about a year ago (also "for free") and while the hardware seems pretty good, I expected much more from the software department, considering they are the 'largest drone manufacturer'.

      Not only it requires the DJI account, as you mentioned, but it also needs a smartphone to work properly: I have an old-ish device with not enough RAM to run their app reliably, so I thought I would use my tablet instead.

      Nope. In order to use the app, you must be connected to the drone using WiFi. But before you can take off, the app demands Internet connection to update the no-fly zone or something. So you switch networks and return to the app.. only to find out it refuses to proceed because the drone is now disconnected. No shit, Sherlock! Maybe download it to the tablet first, no?

      A few weeks later, I forgot my password and went for a reset. The password reset page I ended up on did not bear any resemblance to the DJI website and there was no indication it was even in any way affiliated with DJI. Also not something that instills a lot of confidence in me.

      Really, I can't say the reported vulnerability comes to me as a surprise..

      (Although I eventually managed to get the drone working, controlling it using touch screen is really quite underwhelming experience, compared to a proper RC transmitter. While they do offer a proprietary (model-specific) RC controller, I didn't feel like spending money on something that a) becomes useless to me if I fly into a wall and b) can simply stop working at any time if they feel like it, since it STILL requires the smartphone app (and thus mandatory updates).

      On the bright side, the whole experience was a great reminder to avoid all those "smart" and "always connected" devices like the plague.)