SECURITY
A vulnerability on a website for drone company Dà-Jiāng Innovations Science and Technology Co. Ltd. or DJI could have allowed hackers to steal customer data including confidential information, according to a newly published report.
The vulnerability, revealed Thursday by security researchers at Check Point Software Technologies Ltd., involves access to a forum DJI runs for discussions about its products. Users who were logged into the forum and then tricked into clicking on a malicious link could have had their login credentials stolen, allowing access to other DJI online assets.
Those assets include flight logs, photos and videos generated during drone flights if a DJI user had synced them with DJI’s cloud servers; a live camera view and map view during drone flights, if a DJI user were using DJI’s FlightHub flight management software; and information associated with a DJI user’s account, including user profile information.
Obviously a privacy concern, the vulnerability may have also been a national security concern. DJI has an estimated 74 percent share of the drone market and is popular among all market segments, including government and private businesses.
“Drones are increasingly used in the corporate landscape, with customers coming from the critical infrastructure, manufacturing, agricultural, construction, emergency management, government agencies, military and other sectors,” Check Point said in a separate blog post. “Whereas previous concerns regarding the security of drones … focused on the hijacking of the drone itself, often referred to as ‘dronejacking,’ or using these unmanned aerial vehicles (UAVs) to fly over sensitive locations such as the White House, our research uncovered a simpler and perhaps more serious threat to an organization’s data – a customer account takeover.”
Check Point discovered the vulnerability in March and reported it to DJI via its bug bounty program. The vulnerability was classified as high-risk but low-probability and was then patched. DJI said it could find no evidence that the vulnerability was exploited.