Vulnerability Could Make DJI Drones a Spy In the Sky (securityweek.com) 18

wiredmikey writes from a report via SecurityWeek: A vulnerability in systems operated by Da Jiang Innovations (DJI) -- the world's largest drone manufacturer -- allowed anybody in the world to have full access to a drone user's DJI account. A successful attacker would be able to obtain cloud-based flight records, stored photographs, user PII including credit card details -- and a real-time view from the drone's camera and microphone. Check Point researchers (who discovered and reported the vulnerability) told SecurityWeek, "The vulnerability is a unique opportunity for malicious actors to gain priceless information -- you have an eye in the sky. Organizations are moving towards automated flights, sometimes with dozens of drones patrolling across sensitive facilities. With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear. This is a huge opportunity for malicious actors."
  • by youngone ( 975102 ) on Thursday November 08, 2018 @06:34PM (#57614854)
    I was given a DJI Spark as a present, and found it can't be flown without creating a DJI account.
    My first assumption was that any data I created would be insecure in some form.
    I don't use mine as anything other than a toy, and you shouldn't either.
    • by FrankSchwab ( 675585 ) on Thursday November 08, 2018 @07:01PM (#57614966) Journal

      How about that the app you need to install on your phone creates multiple, always-connected links to Chinese servers even when you're not flying?

      • I don't have an app on my phone.

        I have an app on the tablet I use when flying, which is turned off when I'm not flying. Or the network is turned off. Either way.

        It's pretty well known that the flight data goes back to DJI. There's at least one site that converts the encrypted or encoded data back to usable form. It's a reasonable defense against people who do something stupid while flying and the device runs away from them, and then claim it is DJI's fault. For example, if you fly before the home point is

    • Re:Not secure (Score:5, Interesting)

      by H-S.he29 ( 1997952 ) on Thursday November 08, 2018 @08:47PM (#57615360)

      I got the DJI Spark about a year ago (also "for free") and while the hardware seems pretty good, I expected much more from the software department, considering they are the 'largest drone manufacturer'.

      Not only does it require the DJI account, as you mentioned, but it also needs a smartphone to work properly: I have an old-ish device with not enough RAM to run their app reliably, so I thought I would use my tablet instead.

      Nope. In order to use the app, you must be connected to the drone using WiFi. But before you can take off, the app demands an Internet connection to update the no-fly zone or something. So you switch networks and return to the app... only to find out it refuses to proceed because the drone is now disconnected. No shit, Sherlock! Maybe download it to the tablet first, no?

      A few weeks later, I forgot my password and went for a reset. The password reset page I ended up on did not bear any resemblance to the DJI website and there was no indication it was even in any way affiliated with DJI. Also not something that instills a lot of confidence in me.

      Really, I can't say the reported vulnerability comes to me as a surprise...

      (Although I eventually managed to get the drone working, controlling it using a touch screen is really quite an underwhelming experience, compared to a proper RC transmitter. While they do offer a proprietary (model-specific) RC controller, I didn't feel like spending money on something that a) becomes useless to me if I fly into a wall and b) can simply stop working at any time if they feel like it, since it STILL requires the smartphone app (and thus mandatory updates).

      On the bright side, the whole experience was a great reminder to avoid all those "smart" and "always connected" devices like the plague.)

      • by rtb61 ( 674572 )

        Locally served is likely to make a shift from the grocery store to the data world. The bigger the cloud, heh heh, the worse the security storm. Locally served and when they fuck it up, you knock on the door screaming, right before calling the authorities and you want to audit security and you want your government auditing that security and even then, locally served on your own server, in your office, in a special safe for digital equipment. It seems, well, just like the namesakes, clouds leak all over the pla

  • by Anonymous Coward

    "able to obtain cloud-based flight records"

  • by Anonymous Coward

    "With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear."

    I don't think I've even seen a drone video where you could hear anything other than BZZZZZZzzzzzzZZZZZzzzzzZZzzzz. At least we don't have viable microphones flying around our skies. :p
