DJI drones are the hot trend of the 21st century. However, as functional and well built as they are, some vulnerabilities in them could pose a serious threat to your security. As these drones rely on a DJI account to function, you can land in serious trouble if a hacker gains access to your account. The hacker may access your drone and fly or crash it into a sensitive area or no-fly zone. Not only that, personal information can also be accessed through the exploit, which may put you in more danger. According to researchers at the cybersecurity firm Check Point, DJI accounts have three major vulnerabilities:
- Secure Cookie bug in the DJI identification process
- A cross-site scripting (XSS) flaw in its Forum
- An SSL Pinning issue in its mobile app
Hackers may exploit the above-mentioned weaknesses simply by posting a link in one of the forums as clickbait; as soon as the user logs in to his or her DJI account, voilà, they have complete access to it. They can use it to track the drone's movements through live map coverage, which can also expose the user's location. They even gain access to the user's personal photos captured through the camera.
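As an added example (not code from DJI or Check Point, and not a description of how DJI's site is implemented), the block below shows in Python the two server-side controls whose absence the first two items above describe: session cookies issued with the Secure, HttpOnly and SameSite attributes, plus an audit helper that flags a Set-Cookie header missing them, and HTML-escaping of user-supplied forum content so that posted markup is displayed rather than executed. The cookie name, the sample session value and the sample forum post are constructed for illustration.

```python
"""Added example (not DJI's or Check Point's code): two defensive controls
relevant to the account-takeover chain described in the article, namely
session-cookie attributes and HTML-escaping of forum content.
All names and sample values are constructed for illustration."""
from http.cookies import SimpleCookie
import html

# Standard Set-Cookie attributes a session cookie should carry so that it is
# only sent over HTTPS, is invisible to page scripts, and is not attached to
# cross-site requests (compared case-insensitively, as browsers do).
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def build_session_cookie(name: str, value: str, hardened: bool = True) -> str:
    """Return a Set-Cookie header value for a session cookie.

    hardened=False produces the weak shape (no Secure/HttpOnly/SameSite);
    hardened=True adds the attributes a security reviewer would expect.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    if hardened:
        morsel["secure"] = True        # never sent over plain HTTP
        morsel["httponly"] = True      # not readable by document.cookie
        morsel["samesite"] = "Strict"  # not sent on cross-site requests
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the REQUIRED_ATTRS missing from a Set-Cookie header value.

    The first segment is the name=value pair; every later segment is an
    attribute, possibly with an '=value' part that is ignored here.
    """
    present = [seg.strip().split("=", 1)[0].lower()
               for seg in header_value.split(";")[1:]]
    return [attr for attr in REQUIRED_ATTRS if attr not in present]


def render_forum_post(author: str, body: str) -> str:
    """Render a forum post with user-controlled text HTML-escaped.

    Escaping turns any markup in the author name or body into literal text,
    which is the mitigation for the stored-XSS class of flaw.
    """
    return '<div class="post"><b>{}</b><p>{}</p></div>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True))


if __name__ == "__main__":
    # Constructed sample values; the session id is not a real token.
    weak = build_session_cookie("session", "abc123", hardened=False)
    strong = build_session_cookie("session", "abc123")
    print("weak   :", weak, "-> missing", audit_set_cookie(weak))
    print("strong :", strong, "-> missing", audit_set_cookie(strong))
    print(render_forum_post("pilot", "<script>x</script>"))
```

The audit helper is the kind of check worth running against a site's own login response: if it reports any missing attribute, a cookie stolen through a forum-hosted script or a plaintext request would be enough to impersonate the account, which is exactly the outcome the paragraph above describes.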
Furthermore, hackers can also gain access to your drone directly by bombarding it with multiple wireless connection requests in quick succession, so that the data packets are mishandled and the drone crashes. The hacker may send the drone an exceptionally large data packet which exceeds the drone's buffer capacity and instantly crashes it. Additionally, the hacker may send a fake digital packet from a laptop or PC that poses as a signal from the real controller, allowing them to control your drone. Using your drone, hackers may even commit crimes such as flying it into sensitive areas, and you'll never know. Similarly, by taking control of your account, hackers can easily steal your drone by landing it on their own doorstep.
These vulnerabilities were discovered through DJI's bug bounty program, in which researchers are encouraged to report the bugs they discover in exchange for a financial reward. Although the exact details of the reward given were kept hidden, the bug bounty is said to pay up to $30,000 for reporting a single vulnerability. thehackernews.com claims that the vulnerability was reported to the security team in March 2018 and that the issue was successfully resolved six months later, in September 2018. DJI classified the security flaw as 'high risk – low vulnerability' because it requires the user to already be logged in to their DJI account. Nevertheless, the latest security patch has addressed the system's susceptibility to such attacks, in which the data is secretly relayed to the hacker.