A report published November 8, 2018 by Check Point Research titled “DJI Vulnerability Discovered And Patched” has understandably raised several questions about DJI’s data security. We want to clarify how DJI addressed this vulnerability, and how it exemplifies our commitment to protecting DJI customer data and our constant vigilance on data security.
The vulnerability was reported through DJI’s Bug Bounty Program, which encourages security researchers to discover and report issues with DJI’s products by offering rewards of up to $30,000, depending on severity. To date, DJI has paid almost $75,000 to 87 researchers who have reported almost 200 vulnerabilities. For more information on the program, visit here.
Check Point Research submitted a report through DJI’s Bug Bounty Program which outlined a process through which an attacker could have potentially gained access to a user’s account. Check Point’s researchers identified this vulnerability in the user identification process within DJI Forum, a DJI-sponsored online forum about DJI products.
Check Point’s researchers discovered that DJI’s platforms used a token to identify registered users across different aspects of the customer experience, making it a target for potential hackers looking for ways to access accounts. DJI users who had manually uploaded photos, videos or flight logs to DJI’s cloud servers could have seen that data become vulnerable to hacking. It could have also allowed access to some customer information, and users on the DJI FlightHub fleet management system could have had live flight information accessed as well.
DJI engineers reviewed the report submitted by Check Point and, in accordance with its Bug Bounty Policy, marked it as high risk – low probability. This is because the vulnerability required a complicated set of preconditions to be successfully exploited: The user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum.
DJI engineers efficiently and effectively patched this vulnerability after being notified by Check Point Research. There is no evidence it was ever exploited. DJI thanks Check Point for responsibly disclosing their findings via DJI’s Bug Bounty Program and welcomes continued collaboration with the security researcher community to further bolster its data security.
DJI’s Bug Bounty Program
DJI established its Bug Bounty Program in August 2017 to encourage researchers to responsibly discover and report flaws in DJI products that may create security vulnerabilities, in exchange for financial rewards of up to $30,000, depending on severity. DJI customers have benefited from this program, which has patched dozens of issues that could have potentially affected their experience with DJI products.
“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” said Mario Rebello, Vice President and Country Manager, North America at DJI. “This is exactly the reason DJI established our Bug Bounty Program in the first place. All technology companies understand that bolstering cybersecurity is a continual process that never ends. Protecting the integrity of our users’ information is a top priority for DJI, and we are committed to continued collaboration with responsible security researchers such as Check Point.”
DJI’s Data Security Commitment
DJI takes data security concerns very seriously, and is committed to protecting its customers data. DJI does not access any customer data, including photos, videos or flight logs, unless they deliberately choose to share it, such as by uploading data to DJI cloud servers. For customers flying sensitive missions who need additional assurance that their data will not be accessible to anyone else, DJI has created a Local Data Mode, which shuts down all internet connection to the phone or tablet used to control the drone.
In April 2018, DJI released the results of an independent report scrutinizing DJI’s data practices that concludes DJI drone users have control over how their data is collected, stored and transmitted. San Francisco-based Kivu Consulting, Inc. studied DJI drones, mobile apps and servers and confirmed that DJI did not access photos, videos or flight logs generated by those drones unless the operators voluntarily chose to share them. DJI had no input into Kivu’s findings or conclusions.
“For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server,” wrote Douglas Brush, Kivu’s Director, Cyber Security Investigations, in a summary available for download here. “For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”
DJI is further developing additional levels of data security protection for its enterprise product line. The FlightHub fleet management system will introduce a Private Cloud Access option next year, ensuring that all remote activities and data transfers will occur through a cloud system controlled by that enterprise. DJI is also customizing a high-security system to meet U.S. government needs for strict data security for drone operations.
“DJI’s goal is to provide our customers the data protection they need to use our products in even the highest-security applications,” Rebello said. “From our continued work with Kivu Consulting, to our thorough debunking of unsubstantiated rumors about our products, to our Bug Bounty Program’s system for responsibly identifying and fixing vulnerabilities, DJI puts this commitment into action every day.”