[UAV] A security flaw in DJI drones directly impacted user data

In March 2018, security researchers from the Israeli company Check Point identified a security flaw in DJI's cloud authentication system, specifically in its authentication tokens. This system was based on a single sign-on (SSO) approach. In other words, a single token opened access to a DJI drone user's entire account. However, an attacker could obtain this token either via a malicious link posted on the DJI forum, or via requests on the Asian company's websites. Exploiting this flaw would have allowed an attacker to obtain not only user data but also photos and videos taken using DJI drones. The researchers informed the Chinese company of their discovery, which allowed the vulnerability to be patched before it was disclosed. According to investigations conducted to date, this security vulnerability has not been exploited and DJI drone user data is therefore not at risk. Nevertheless, this case demonstrates once again that manufacturers of connected objects have to improve the security of their products. DJI drones are very popular, and their reputation has been damaged by this case.