‘Bug bounty’ for DJI’s drone platform yields vulnerabilities — Check Point

HACK yourselves first!

One CEO of a Philippine IT company providing software development and systems solutions once told SDN — Scitech and Digital News about this.

What he meant was that before they release any of their software solutions, they themselves make a point to hack their software to see if there are any vulnerabilities.


Image: Pixabay. Flying a drone over the sea.

And they do that before outsiders can hack them and wreak havoc in their network.

In a related vein, China-based DJI (or Da-Jiang Innovations) in August 2017 launched what it called the DJI Threat Identification Reward Program as part of its “expanded commitment to work with researchers and others to responsibly discover, disclose and remediate issues that could affect the security of DJI’s software.”

The Shenzhen-based company’s objective was to remediate any vulnerabilities that may be found in its drones’ software.

Here’s the result of the bug bounty research as shared by Check Point Software Technologies.

Finding vulnerabilities

SINGAPORE — Researchers at Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, and DJI, the world’s leader in civilian drones and aerial imaging technology, today shared details of a potential vulnerability that could have impacted DJI’s infrastructure, if exploited.

In a report submitted in accordance with DJI’s Bug Bounty Program, Check Point Research outlined the process by which an attacker could have potentially gained access to a user’s account through a vulnerability discovered in the user identification process within DJI Forum, a DJI-sponsored online forum about DJI products. Check Point’s researchers discovered that DJI’s platforms used a token to identify registered users across different aspects of the customer experience, making it a target for hackers looking for ways to access accounts.

Image: DJI multicopter drone via Pixabay.

DJI consumer users who had synced their flight records, including photos, videos and flight logs to DJI’s cloud servers, and DJI corporate users who used DJI FlightHub software, which includes a live camera, audio and map view, could have become vulnerable. This vulnerability has since been patched and there is no evidence it was ever exploited.

Check Point researchers’ discovery

“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, vice president and country manager, North America at DJI.

“This is exactly the reason DJI established our Bug Bounty Program in the first place. All technology companies understand that bolstering cyber security is a continual process that never ends. Protecting the integrity of our users’ information is a top priority for DJI, and we are committed to continued collaboration with responsible security researchers such as Check Point.”

“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively, and we applaud DJI for doing just that,” said Oded Vanunu, head of Products Vulnerability Research at Check Point.

“Following this discovery, it is important for organizations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”

DJI engineers reviewed the report submitted by Check Point and, in accordance with its Bug Bounty Policy, marked it as high risk/low probability. This is due to a set of preconditions that need to be met before a potential attacker could exploit it. DJI customers should always use the most current version of the DJI GO or GO 4 pilot apps.

Check Point and DJI advise all users to remain vigilant whenever exchanging information digitally. Always practice safe cyber habits when engaging with others online, and question the legitimacy of links to information seen on user forums and websites. (Check Point)

Note: Check Point’s full technical analysis of this vulnerability is available from its research blog: https://research.checkpoint.com/dji-drone-vulnerability/
