Hackers had access to the flight paths, photos, and aerial video footage collected by the world’s largest seller of drones for consumers, adding to fears about the security of pilotless flying devices.
Access to customer accounts of China-based drone maker SZ DJI Technology Co could be gained via a vulnerability on the company’s website forum, according to a report from Check Point Software Technologies Ltd.
DJI dominates the US$6bil (RM25.05bil) market for consumer drones, but has been subject to criticism over security holes. Last year, the US Army directed its personnel to stop using drones made by DJI and to uninstall all DJI software, after it became aware of security breaches in the Chinese company’s products.
Following the Army ruling, DJI set up a bug bounty program, under which it pays independent hackers who find flaws in its systems. DJI marked Check Point’s discovery as high risk but low probability because the vulnerability required a complicated set of preconditions to be successfully exploited. It installed a patch and said there were no signs that the breach was exploited.
If left unpatched, the vulnerability could have given attackers access to information including maps providing intricate details and images of critical infrastructure facilities, among others, Check Point said. In addition, hackers could get access to real-time activity of drones after obtaining entry to the DJI flight hub. The data could have been used as reconnaissance information and in a possible attack.
“All technology companies understand that bolstering cybersecurity is a continual process that never ends,” said Mario Rebello, head of US at DJI, in a statement.
DJI has been pushing its business division. In October, the company announced deals for its latest industrial drone – the Mavic 2 – which will soon survey power grids for Southern Co, while American Airlines Group Inc will test the craft for plane inspections. In the same month, the US Federal Aviation Administration warned that drone-makers may be accessing sensitive footage of electrical grids and critical infrastructure.
Last year, Israel-based Check Point illustrated how cameras in smart vacuum cleaners could be used to infiltrate private homes or corporate offices. The DJI vulnerability was just another example of how sensitive data stored in the cloud by various devices offers an increasing number of windows of access for cyber espionage, its latest report said. – Bloomberg