UPDATED 21:32 EST / NOVEMBER 08 2018

SECURITY

DJI vulnerability could have allowed hackers to steal drone data

A vulnerability on a website for drone company Dà-Jiāng Innovations Science and Technology Co. Ltd., or DJI, could have allowed hackers to steal customer data including confidential information, according to a newly published report.

The vulnerability, revealed Thursday by security researchers at Check Point Software Technologies Ltd., involves access to a forum DJI runs for discussions about its products. Users who were logged into the forum and then tricked into clicking on a malicious link could have had their login credentials stolen, allowing access to other DJI online assets.

Those assets include flight logs, photos and videos generated during drone flights if a DJI user had synced them with DJI’s cloud servers; a live camera view and map view during drone flights, if a DJI user were using DJI’s FlightHub flight management software; and information associated with a DJI user’s account, including user profile information.

Obviously a privacy concern, the vulnerability may have also been a national security concern. DJI has an estimated 74 percent share of the drone market and is popular among all market segments, including government and private businesses.

“Drones are increasingly used in the corporate landscape, with customers coming from the critical infrastructure, manufacturing, agricultural, construction, emergency management, government agencies, military and other sectors,” Check Point said in a separate blog post. “Whereas previous concerns regarding the security of drones … focused on the hijacking of the drone itself, often referred to as ‘dronejacking,’ or using these unmanned aerial vehicles (UAVs) to fly over sensitive locations such as the White House, our research uncovered a simpler and perhaps more serious threat to an organization’s data – a customer account takeover.”

Check Point discovered the vulnerability in March and reported it to DJI via its bug bounty program. After it was classified as high-risk but low-probability, the vulnerability was patched. DJI said it could find no evidence that the vulnerability was exploited.
