DJI makes some of the most popular quadcopters on the market, but its products have repeatedly drawn scrutiny from the United States government over privacy and security concerns. Most recently, in May the Department of Defense banned the purchase of consumer drones from a handful of vendors, including DJI.
Now DJI has fixed a serious vulnerability in its cloud infrastructure that could have allowed an attacker to take over user accounts and access private data, such as photos and videos recorded during drone flights, personal account information, and flight logs containing location data. An attacker could potentially even have accessed a drone's real-time location and live camera feed during a flight.
Check Point discovered the problem and reported it in March through DJI's bug bounty program. Similar to the flaw that led to Facebook's massive breach this fall, the researchers found that they could compromise the authentication tokens that allow DJI users to move seamlessly between the company's different cloud offerings and stay logged in. In this setup, known as a single sign-on scheme, the active token is essentially the key to a user's entire account.
"This is a very deep vulnerability," says Oded Vanunu, head of product vulnerability research at Check Point. "We are fans of DJI, but we want to raise awareness about account takeover vulnerabilities in large vendor systems. To let users access different services without having to enter their username and password all the time, companies use one-time authentication to create a user token that is valid for everything. But this means that we live in an age in which a targeted attack can become a vast compromise."
Vanunu says that much of DJI's product security is very strong, but its third-party ecosystem of services and applications, designed to extend the functionality of its drones, left room for potential intrusions.
"We are fans of DJI, but we want to raise awareness about account takeover vulnerabilities in large vendor systems."
Oded Vanunu, Check Point
Check Point researchers found two bugs that together created the account takeover vulnerability. First, DJI had implemented its single sign-on OAuth scheme in a way that could allow an attacker to easily look up user information and the users' authentication tokens. But an attacker would still need a special cookie to turn that into a full account takeover. Enter the second bug, in DJI's forum platform, which would allow an attacker to abuse a legitimate DJI link so that it automatically stole a victim's identity cookies. And because DJI's user forums are very popular and active, the researchers say it would not be difficult to spread one of the malicious links through the forums and trick people into clicking.
By using these issues in tandem, an attacker could identify victims and gather information about them, steal the cookie needed to complete authentication, log in to their DJI account, and then alter the token and cookie values so that the attacker assumes the victim's identity and suddenly has full access to their account.
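As an added illustration (not DJI's code and not part of Check Point's findings), the snippet below shows two defensive properties that the chain above depends on being absent: the session cookie is issued with HttpOnly, so a script running on a forum page cannot read it, and the single sign-on token is bound to the cookie it was issued with, so a token paired with a different cookie does not resolve to any identity. The server key and cookie layout are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed server-side key for the demonstration; a real deployment
# would load this from a secret store, never hard-code it.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _bind(user_id: str, cookie_value: str) -> str:
    """MAC over (user, cookie): the SSO token only means something with this cookie."""
    msg = f"{user_id}:{cookie_value}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(user_id: str) -> Tuple[str, str, str]:
    """Create a session for user_id.

    Returns (set_cookie_header, sso_token, cookie_value). The cookie is
    marked HttpOnly so page scripts cannot read it, Secure so it never
    travels over plaintext HTTP, and SameSite=Strict so browsers do not
    attach it to cross-site requests.
    """
    cookie_value = secrets.token_urlsafe(32)
    header = (f"Set-Cookie: session={cookie_value}; HttpOnly; Secure; "
              "SameSite=Strict; Path=/")
    sso_token = f"{user_id}.{_bind(user_id, cookie_value)}"
    return header, sso_token, cookie_value


def resolve_sso(sso_token: str, cookie_value: str) -> Optional[str]:
    """Return the user id if the token was issued with this cookie, else None."""
    user_id, sep, mac = sso_token.partition(".")
    if not sep or not user_id:
        return None
    expected = _bind(user_id, cookie_value)
    return user_id if hmac.compare_digest(mac, expected) else None


def cookie_is_script_readable(set_cookie_header: str) -> bool:
    """True when the header lacks HttpOnly, i.e. document.cookie would expose it."""
    attrs = {a.strip().lower() for a in set_cookie_header.split(";")}
    return "httponly" not in attrs
```

Binding does not help once both the token and its matching cookie have leaked, which is why the cookie attributes and the forum-side fix matter as much as the token design.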
In a statement, DJI said the findings have been "comprehensively addressed" as part of its broader data security work. The company characterized the flaw as "high risk, low probability," because "a user would have to be logged in to their DJI account while clicking on a specially planted malicious link in the DJI forum." DJI says it has seen no evidence that the flaw was exploited.
It took several months to resolve the issues, and the researchers say the company did not just push out simple patches. Instead, Check Point's testing indicates that DJI fundamentally redesigned some elements of how its systems manage user trust and authentication, eliminating the bugs the researchers found while improving security more broadly.
Given its troubles with the US government and other entities, DJI has been working to strengthen its security reputation through initiatives such as the bug bounty program it launched in August 2017. The company says it has paid nearly $75,000 to 87 researchers for the discovery of nearly 200 vulnerabilities. Check Point submitted its findings through this program. DJI's bug bounty program drew controversy early on, though, as some researchers said the company tried to make them agree to keep their findings and interactions with DJI confidential in exchange for receiving a reward.
Vanunu says Check Point had a positive experience with DJI and did not accept a reward for discovering the account takeover vulnerability.
For those already skeptical of DJI, the vulnerability may add to their concerns. Others may see the company's willingness to make extensive improvements as an encouraging sign. Vanunu, however, emphasizes a larger pattern in his research about how large online services set up and manage single sign-on across ecosystems of internal and external applications that hold user data.
"This case was alarming, because drones hold a lot of private data, and that was something that could be easily accessed," Vanunu says. "Big platforms need to be more careful about account takeovers."