Yongpeng Sun-Tastaufen
https://www.abc.net.au/news/2018-11-14/dji-drones-were-exposed-to-security-flaw/10491150
The world's largest drone manufacturer has had to patch a security vulnerability that left users' photos, videos, and data wide open to hackers.
Chinese drone giant Da-Jiang Innovations (DJI) commands more than 70 per cent of the global market, supplying products for personal, commercial, and even military use.
But there have been major concerns about drone security and privacy issues, particularly surrounding the possibility of criminal data hacking and Chinese government surveillance.
Now, DJI has had to fix a large vulnerability in their services following a report from security firm Check Point that pointed out that an attacker could easily access a user's account and all their personal data without the user being aware.
"Spying on enterprises — not to mention hundreds of thousands of private individuals — could well have been possible," Check Point said on their website in revealing their report.
Effectively, Check Point researchers found that they were able to exploit a loophole in DJI's user identification process, which uses identification tokens and cookies to allow a user to log in seamlessly across different platforms.
Check Point said that a hacker could steal a cookie by tricking a DJI user into clicking on a malicious link posted in a drone forum, and then replace the user's DJI identification token with their own and gain access to all areas of the user's DJI Mobile App, web account, or DJI FlightHub.
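The article says the identification cookie could be stolen after a click on a malicious link and then reused across DJI's platforms, but it does not say how the cookie was exposed. The check below, an added example that is not DJI's or Check Point's code, audits Set-Cookie headers for the attributes that limit what a stolen or script-readable login cookie is worth (HttpOnly, Secure, SameSite); the cookie names and headers are constructed placeholders.

```python
"""Audit Set-Cookie headers for the attributes that limit the damage of a
stolen session/identification cookie.  Added example for this thread; it is
not DJI's or Check Point's code, and the cookie names below are constructed
placeholders rather than any vendor's real cookie names."""
from typing import Dict, List, Tuple

# Display names for the two flags every login cookie should carry.
REQUIRED_FLAGS = {"httponly": "HttpOnly", "secure": "Secure"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str, sensitive_names: List[str]) -> List[str]:
    """Return the weaknesses of one Set-Cookie header; an empty list means
    the cookie carries the protections a login identifier should have."""
    name, _, attrs = parse_set_cookie(header)
    if name not in sensitive_names:
        return []  # non-identifying cookies (UI preferences etc.) are out of scope
    findings = []
    for flag, shown in REQUIRED_FLAGS.items():
        if flag not in attrs:
            findings.append(f"{name}: missing {shown}")
    # SameSite=None (or no SameSite at all) lets the cookie ride along on
    # cross-site requests triggered from another origin.
    samesite = attrs.get("samesite") or "unset"
    if samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite should be Lax or Strict (got {samesite})")
    return findings


# Constructed sample headers: the first login cookie is readable by any script
# running in the user's browser and travels over plain HTTP; the second is not.
SAMPLE_HEADERS = [
    "login_token=abc123; Path=/; Domain=.example.com",
    "login_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "ui_theme=dark; Path=/",
]


def audit_all(headers: List[str]) -> List[List[str]]:
    """Audit each header in order, treating 'login_token' as the identifier."""
    return [audit_cookie(h, ["login_token"]) for h in headers]
```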
According to Oded Vanunu, head of Check Point's threat prevention team who conducted the research, the hacker would then have access to flight logs, photos, and videos taken by the drone as well as live camera video if the user was flying the drone at the time.
The hacker would also have access to all personal and profile information, which could include a user's credit card details, Mr Vanunu said.
In a blog outlining their report, Check Point said that in the worst-case scenario, the information taken from a hacked account could reveal gaps in the security of an organisation or military base, leaving it vulnerable to criminals and potential terrorists.
"In general, the surveillance capabilities that hacked drones — or their connected customer accounts — can offer provide a rich resource of information for threat actors," Check Point wrote.
"And of course, if this data is not directly useful to one threat actor, it is not hard to find another on the Dark Web to whom it is and could be sold."
Check Point initially raised the concern in March through DJI's Bug Bounty Program — which rewards anyone who provides valuable information on security vulnerabilities — and DJI engineers investigated, deeming the issue a high security risk, but a low probability.
"This is because the vulnerability required a complicated set of preconditions to be successfully exploited," DJI said in a statement explaining their actions in patching the vulnerability.
"The user would have to be logged into their DJI account while clicking on a specially-planted, malicious link in the DJI Forum."
They added that there is no evidence that the vulnerability was ever exploited, and reasserted DJI's commitment to security and privacy.
Drones have become extremely popular worldwide, with estimates that in Australia alone there are up to 150,000 of them.
Police and defence using vulnerable Chinese drones
The news of this vulnerability is the latest in concerns about the Chinese drone company's products, particularly in relation to use in military and security scenarios.
The US Army issued a ban on the devices last year due to "increased awareness of cyber vulnerabilities", and the Australian military quickly followed suit.
Yet despite the ban and growing security concerns, an ABC investigation earlier this year found that there are dozens of DJI drones within the Australian defence setup, as well as throughout state and federal police teams.
All the groups told the ABC at the time that they put in place measures to ensure the drones are secure.
There have been growing concerns about the spread of Chinese technology in Australia and the possibility that data could be fed to the Chinese Government.
Chinese law requires organisations and citizens to support, assist, and cooperate with intelligence work, which analysts say can make Chinese technology companies like DJI a tool for espionage.
In August, the Australian Government blocked Chinese companies Huawei and ZTE from providing components for the development of next generation 5G networks.
Beijing has denied that the law would be used to spy on other nations.