Developers: DJI
Last release date: 2018/11/09
Technology: Office applications
DJI FlightHub is a universal platform for managing and controlling drone fleets.
2018
Vulnerability in the user identification process on the DJI Forum
On November 9, 2018, Check Point Software Technologies and DJI disclosed a vulnerability that could potentially have been used to affect DJI's infrastructure.
In its report, the Check Point Research team described how an attacker could potentially gain access to a user's account through a vulnerability found in the user identification process on the company-run DJI Forum. Check Point researchers showed how attackers could obtain full access to a user's account on DJI platforms and steal data such as:
- Flight logs, photos and videos from drones, if the DJI user had synchronized them with DJI's cloud servers.
- The live camera view and the live recording of the flight path, if the DJI FlightHub flight-management software was in use.
- Information linked to the DJI user account (for example, profile data, credit card information, etc.).
According to Check Point Software Technologies, the vulnerability was reachable through the DJI Forum, the online forum for DJI users. The research showed that DJI's server interface identified each user with the same identification token across all platforms. It was then quite simple to carry out an XSS attack that intercepts the identification token and uses it to log in as that user. Unlike most account-theft cases, where attackers rely on social engineering, here it was enough to collect the user's identification token via an ordinary-looking link posted on the DJI forum to hijack the victim's account on all platforms. When the user followed the malicious URL, their credentials could be stolen and used to access other resources:
- the DJI web platform (account, store, forum);
- cloud-server data synchronized with the DJI Go or DJI GO 4 apps;
- the DJI FlightHub drone management system.
Check Point notified DJI of the vulnerability, and the company fixed it. DJI classified the vulnerability as high risk, but stated that there is no reason to suspect it was ever exploited by anyone other than the Check Point researchers.
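The two design weaknesses described above are a single token honoured by every DJI platform and a token that injected script on the forum could read. The added example below (not code from DJI, Check Point or this page) shows the defensive pattern that addresses both: each platform receives its own audience-bound, expiring token that the other platforms reject, and the token is delivered in a cookie with the HttpOnly attribute so page script cannot read it. The key, audience names and helper names are assumptions chosen for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real service loads this from a secret store.
SECRET = b"constructed-demo-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, audience: str, ttl: int = 3600, now=None) -> str:
    """Issue a token usable only by one platform, e.g. 'forum' or 'flighthub'."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "aud": audience, "exp": now + ttl,
              "jti": secrets.token_hex(8)}          # unique id per token
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str, expected_audience: str, now=None):
    """Return the user id, or None if the token is forged, expired,
    or was issued for a different platform (cross-platform reuse)."""
    now = int(time.time()) if now is None else now
    try:
        p64, m64 = token.split(".")
        payload, mac = _unb64(p64), _unb64(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):    # constant-time MAC check
        return None
    claims = json.loads(payload)
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def session_cookie_header(token: str) -> str:
    """Set-Cookie value that keeps the token out of reach of injected script."""
    return f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

With this layout a token captured on the forum is useless against the store or FlightHub, and because of HttpOnly an XSS payload cannot read it from `document.cookie` in the first place.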
"We welcome the expertise that Check Point's specialists showed in disclosing this potentially critical vulnerability. When we created the Bug Bounty program, we had exactly such situations in mind. All technology companies understand that strengthening cyber security is a continuous process that never ends. Protecting the integrity of our users' information is a priority for DJI, and we aim to continue cooperating with responsible information security researchers." Mario Rebello, vice president of DJI
"Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this one are resolved quickly and effectively. After a disclosure like this, companies should realize that confidential information can be used across all platforms, and that a leak on one of them can lead to a compromise of the global infrastructure." Oded Vanunu, head of the vulnerability research division at Check Point Software Technologies
FlightHub features
As of November 2018, the DJI FlightHub platform provides the following features:
- Real-time mission control
  - Map view: data on all flights is gathered on a single map for quick assessment of missions.
  - Live preview: live video from drone cameras (up to four drones) lets pilots coordinate their actions with teams in the office.
- Flight telemetry management
  - Flight records: detailed flight records for checking regulatory compliance, viewing flight statistics, monitoring equipment use and reviewing missions.
  - Secure cloud storage: FlightHub stores your flight records on secure AWS servers in the USA that meet SOC 2 requirements.
- Fleet and pilot management
  - Fleet management: monitoring equipment use helps make informed decisions about purchases and repairs.
  - Team management: teams can be grouped by project, region, client or other category to improve efficiency.
  - Integration with the DJI drone fleet: DJI FlightHub works with Matrice 200, Inspire 2, Phantom 4 and Mavic Pro series drones through the DJI Pilot app for Android.
Data from the drones reaches FlightHub cloud storage over a secure HTTPS connection via the DJI Pilot app on your mobile device.