Credit to Author: Lily Hay Newman| Date: Thu, 08 Nov 2018 14:00:00 +0000
DJI makes some of the most popular quadcopters on the market, but its products have repeatedly drawn scrutiny from the United States government over privacy and security concerns. Most recently, the Department of Defense in May banned the purchase of consumer drones made by a handful of vendors, including DJI.
Now DJI has patched a problematic vulnerability in its cloud infrastructure that could have allowed an attacker to take over users' accounts and access private data like photos and videos taken during drone flights, a user's personal account information, and flight logs that include location data. A hacker could have even potentially accessed real-time drone location and a live camera feed during a flight.
The security firm Check Point discovered the issue and reported it in March through DJI's bug bounty program. Similar to the issue that resulted in this fall's massive Facebook breach, the researchers found that they could compromise the authentication tokens that allow DJI's users to move seamlessly between the company's various cloud offerings and stay logged in. In this setup—known as a single sign-on scheme—an active token is essentially the key to a user's entire account.
"This is a very deep vulnerability," says Oded Vanunu, head of products vulnerability research at Check Point. "We're drone fans and fans of DJI, but we want to bring awareness about account takeover vulnerabilities in big vendors' systems. In order to let users access different services without having to enter a username and password all the time, companies use one-time authentication to make a user token that's valid across everything. But that means we're living in an era where a targeted attack can become an extensive compromise."
Vanunu says that many of DJI's product security protections are very strong, but its ecosystem of services and third-party apps—meant to expand the functionality of its drones—left room for potential intrusions.
"We're drone fans and fans of DJI, but we want to bring awareness about account takeover vulnerabilities in big vendors' systems."
Oded Vanunu, Check Point
The Check Point researchers found two bugs that worked together to create the account takeover vulnerability. First, some DJI sites implemented the single sign-on scheme OAuth in a way that could allow an attacker to easily query for information about a user and their authentication token. But an attacker would still need a special cookie to use this for full account takeovers. Enter the second flaw, in DJI's customer forums platform, which would allow an attacker to craft a malicious but legitimate DJI link that could automatically steal victims' authentication cookies. And since DJI's customer forums are very popular and active, the researchers say it wouldn't be difficult to distribute one of the malicious links through the forums and trick people into clicking.
Using these issues in tandem, an attacker could identify victims and gain information about them, steal the cookie needed to complete the authentication, log into their own DJI account, and then swap in a victim's token and cookie values so the attacker takes on the persona of the victim and suddenly has full access to their account.
DJI said in a statement that the findings "understandably raised several questions about DJI’s data security." The company noted, though, that it classifies the flaw as "high risk—low probability," because "the user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum." DJI says it doesn't see evidence that the flaw was ever exploited.
It took months for DJI to resolve the issues, and the researchers say that the company didn't just push simple fixes. Instead, Check Point's testing shows that DJI fundamentally reworked some elements of how its systems manage trust and user authentication to fix the bugs the researchers found, while also improving security more deeply.
In light of its problems with the US government and other entities, DJI has worked to bolster its security reputation through initiatives like a bug bounty program, which it launched in August 2017. The company says that so far the bounty has paid out almost $75,000 to 87 researchers for the discovery of almost 200 vulnerabilities. Check Point submitted its findings through this forum, as well. The DJI bug bounty led to controversy early on, though, when some researchers said that the company had tried to get them to agree to keep their findings and interactions with DJI secret in exchange for receiving their reward.
Vanunu said Check Point had a positive experience working with DJI and didn't accept a reward for finding the account takeover vulnerability.
For those already skeptical of DJI, the vulnerability may add to concerns. Others may find the company's apparent willingness to make extensive improvements reassuring. Either way, Vanunu emphasizes a larger takeaway from the research, around how large web services implement and manage single sign-on schemes across an ecosystem of internal and third-party applications that hold user data.
"This case was alarming, because drones have a lot of private information and this was something that could be taken easily," Vanunu says. "Giant platforms need to be more careful about account takeovers."