A cyber vulnerability was discovered at civilian drone and aerial imaging giant DJI, which cyber security firm Check Point says would have put users' personal data at risk
A new cyber vulnerability has been discovered – and since patched – that put at risk the personal data of users of the world’s leader in civilian drones and aerial imaging.
If exploited, it would have allowed hackers to access DJI customers’ account information, video footage and photos taken by their drones – as well as flight paths and GPS locations – in complete secrecy.
Cyber security firm Check Point identified the vulnerability and demonstrated how hackers could perform the exploit through the token-based user identification process within DJI Forum, an official online forum about DJI products.
What is DJI and who would have been affected by the cyber vulnerability?
China-based DJI – short for Dà-Jiāng Innovations – is the market leader in consumer and corporate drones, with about 70% market share in the US. Global drone shipments in 2017 were estimated to be 10 million, up from seven million in 2016.
DJI consumer users who had synced their flight records – including photos, videos and flight logs – to DJI’s cloud servers would have become vulnerable.
Corporate customers who used DJI FlightHub software, which includes a live camera, audio and map view, would also have been vulnerable.
DJI vice-president and country manager for North America Mario Rebello said: “We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability.
“This is exactly the reason DJI established our Bug Bounty Program in the first place.
“All technology companies understand that bolstering cyber security is a continual process that never ends.
“Protecting the integrity of our users’ information is a top priority for DJI, and we are committed to continued collaboration with responsible security researchers such as Check Point.”
Check Point notified DJI upon discovery of the cyber vulnerability. It has since been patched and there is no evidence it was ever exploited.
Head of products vulnerability research Oded Vanunu added: “Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively, and we applaud DJI for doing just that.
“Following this discovery, it is important for organisations to understand that sensitive information can be used between all platforms and, if exposed on one platform, can lead to compromise of global infrastructure.”