I've got the key, I've got the secret. I've got the key to another person's DJI drone account: Vids, info left open to theft

Luckily no one else spotted flaw before we did, say infosec bods who reported vuln


Chinese drone giant DJI has fixed a critical security hole that left its customer account data and quadcopter videos potentially up for grabs.

From March through September this year, DJI's customer records, many of which include sensitive data from drone flights, video footage, and owners' personal details, could have been stolen by online attackers.

The whole nine yards

Check Point security researchers this week said they found it was possible to steal account login credentials from DJI's customers, and use those secret keys to swipe info from the victims' accounts.

Specifically, the team found that, after logging in, DJI's web servers send your browser a cookie called _meta_key, which is used to access its various platforms, which include its website, mobile app, and enterprise service. If you supply someone's _meta_key token to DJI's apps or site, you effectively masquerade as that person.

After finding that an HTTP GET request to a /mobile.php URL returned the logged-in user's _meta_key cookie, the team realized that if they could somehow get a user to inadvertently fetch that URL, they could obtain the magic cookie to unlock their mark's account.

And sure enough, they were able to use cross-site scripting (XSS) to trick a victim's browser into accessing that URL, and send the fetched access token to the attacker using some crafty JavaScript. The team – Oded Vanun, Dikla Barda and Roman Zaikin – said their technique could also bypass XSS protections in browsers.

Here's how that XSS would work: the thief would post on the DJI forums a malicious yet inviting link that, when clicked on by a curious logged-in user, would in actual fact request the aforementioned mobile.php and direct the returned _meta_key cookie to a web server of the hacker's choosing. That would place the key in the hands of the miscreant, who would then use it to raid the mark's account.
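For site owners wanting to check their own endpoints for the two conditions that make a token like this stealable, here is an added example (not Check Point's or DJI's code): it audits one recorded HTTP exchange for a session cookie set without HttpOnly/Secure/SameSite, and for a response that echoes the cookie's value where page script can read it. The article does not say exactly how mobile.php returned the token, so the body-echo case is an assumption, and all sample values are constructed.

```javascript
// Parse a Set-Cookie header into { name, value, flags } with lowercased flag names.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const flags = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    flags[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags };
}

// Parse a request Cookie header into a Map of name -> value.
function parseCookieHeader(header) {
  const m = new Map();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) m.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return m;
}

// Return findings for the named session cookies in one request/response pair.
function auditExchange({ requestCookie = "", setCookies = [], body = "" }, sessionNames) {
  const findings = [];
  for (const sc of setCookies.map(parseSetCookie)) {
    if (!sessionNames.includes(sc.name)) continue;
    if (!sc.flags.httponly) findings.push(`${sc.name}: missing HttpOnly`);
    if (!sc.flags.secure) findings.push(`${sc.name}: missing Secure`);
    const ss = String(sc.flags.samesite || "").toLowerCase();
    if (ss !== "lax" && ss !== "strict") findings.push(`${sc.name}: SameSite not Lax/Strict`);
  }
  // A token echoed in the body is script-readable even when the cookie is HttpOnly.
  const sent = parseCookieHeader(requestCookie);
  for (const name of sessionNames) {
    const v = sent.get(name);
    if (v && (body.includes(v) || body.includes(encodeURIComponent(v))))
      findings.push(`${name}: value reflected in response body`);
  }
  return findings;
}

// Constructed samples (not captured traffic); only the name _meta_key is from the article.
const TOKEN = "c0nstructed-t0ken-123";
const login = { setCookies: [`_meta_key=${TOKEN}; Path=/`] };
const echo = { requestCookie: `lang=en; _meta_key=${TOKEN}`, body: `{"meta_key":"${TOKEN}"}` };
const hardened = { requestCookie: `_meta_key=${TOKEN}`, body: '{"status":"ok"}',
  setCookies: [`_meta_key=${TOKEN}; Path=/; Secure; HttpOnly; SameSite=Lax`] };
for (const ex of [login, echo, hardened]) console.log(auditExchange(ex, ["_meta_key"]));
```

The second sample is the case worth noting: HttpOnly alone does not help if any same-origin endpoint hands the token back in content a script can read.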

Check Point's eggheads also found they could compromise DJI's FlightHub, a service for enterprise drone users with both web and desktop client interfaces. The FlightHub account hijacking attack also relies on using stolen _meta_key tokens.

Check Point found the flaw first and reported it through DJI's bug bounty program, which was set up following a US Army memo in August 2017 directing military personnel to stop using DJI drones and software due to security concerns.

"In terms of the potential of data being taken, there has been no indication that the hole had been exploited by anyone outside of Check Point's research team," a Check Point spokesperson said in an email to The Register.

That's fortunate for the company because its data represents a theoretical treasure trove – drone flight records and photos that have been synced to DJI's cloud, user account and payment info, access to drone cameras, mics and map views in real time, and access to a live view of drone pilots' cameras and locations, for those using DJI's FlightHub software.

Bounty-hunting works

DJI characterized Check Point's findings as a validation of its bug bounty program. The vulnerability has been fixed up.

"This is exactly the reason DJI established our Bug Bounty Program in the first place," said Mario Rebello, veep and country manager for North America at DJI, in a statement. "All technology companies understand that bolstering cybersecurity is a continual process that never ends."

The program has paid out $75,000 to 87 researchers for close to 200 reported flaws; Check Point did not accept an award for its report, which a company spokesperson said was standard for security companies.

Last year security researcher Kevin Finisterre also walked away from a DJI bug bounty prior to the program's formal establishment. In his report about finding publicly exposed DJI Skypixel keys for Amazon Web Services (AWS), he explained that the terms of DJI's award imposed unacceptable limits on his speech. And failing to agree to the terms put him at risk of liability under the Computer Fraud and Abuse Act if he revealed his findings.

DJI's spokesperson said the company's current bug bounty terms were put in place after the company's interaction with Finisterre.

Look after your own data

Perhaps coincidentally, DJI next year plans to offer its enterprise users a feature called Private Cloud Access, which will allow organizations to route data flowing to and from drones through their own servers rather than DJI's cloud.

Last year, DJI debuted something similar for individual customers called Local Data Mode, characterizing it as a privacy enhancement that keeps the DJI Pilot app from communicating over the internet.

If DJI's privacy and security push is intended to win back lost US government business, it hasn't worked so far: In May, the US Department of Defense banned the purchase of commercial, off-the-shelf drones (including DJI) in response to security concerns raised by US Senator Chris Murphy (D-CT).

The ban followed an Immigration and Customs Enforcement bureau memo last year that claimed DJI has been providing data about US critical infrastructure, gathered via drone, to the Chinese government.

DJI has denied that charge, citing a security audit blessing the proprietary part of its code (much of it is open source).

But as a Chinese company during a trade war between the US and China, faced with persistent concerns in the US that Chinese technology firms cannot deny demands from the Chinese government to compromise their products, the drone maker may have to abandon every proprietary bit of code and kit before it can assuage US fears.

And even then, US-based drone makers, not to mention protectionist politicians, may see a competitive advantage in questioning whether any foreign drone company can be trusted. ®




Biting the hand that feeds IT © 1998–2018