Notably, 14 of these vulnerabilities could be remotely triggered using an operator’s smartphone, which could result in the drone crashing mid-flight.
Security researchers have found several security vulnerabilities in DJI drones, which could allow users to modify crucial identification details and even access the location of the pilot and the drone.
This research was led by Nico Schiller of the Horst Görtz Institute for IT Security at Ruhr University Bochum, Germany, and Professor Thorsten Holz from the CISPA Helmholtz Center for Information Security.
The Chinese manufacturer, DJI, was informed of these vulnerabilities prior to the release of information publicly, and they have subsequently been fixed.
DJI uses a tracking protocol called DroneID, which is designed to transmit the drone’s position and its pilot to authorities. However, the researchers analyzed the drone’s attack surface and revealed that, with a bit of reverse engineering, they were able to infer the data transmitted to and from the drone, as it was not encrypted.
This means that it could be accessed by anyone, compromising the drone operator’s privacy. “We show that the transmitted data is not encrypted, but accessible to anyone, compromising the drone operator’s privacy,” the researchers explain in their report (PDF).
“Second, we conduct a comprehensive analysis of drone security: Using a combination of reverse engineering, a novel fuzzing approach tailored to DJI’s communication protocol, and hardware analysis, we uncover several critical flaws in drone firmware that allow attackers to gain elevated privileges on two different DJI drones and their remote control,” researchers continued. “Such root access paves the way to disable or bypass countermeasures and abuse drones,” researchers explained.
The research team tested drones belonging to different categories, including the small DJI Mini 2, the medium-sized Air 2, and the large Mavic 2. Later research conducted using the newer Mavic 3 model reproduced similar results.
During their assessment, the researchers discovered a total of 16 vulnerabilities with a broad range of impacts, from denial of service to arbitrary code execution. Notably, 14 of these vulnerabilities could be remotely triggered using an operator’s smartphone, which could result in the drone crashing mid-flight.
The researchers could also take control of the operator’s smartphone and crash the drone mid-flight. This was just one of the fourteen bugs that could be triggered remotely via the phone.
DJI imposes certain limits on the software regarding speed and altitude, uses geofencing, virtual boundaries, and implements no-fly zones around airports and prisons. The research team found that even these mechanisms could be overridden by the vulnerabilities they had found.
“An attacker can thus change log data or the serial number and disguise their identity,” explains Thorsten Holz. “Plus, while DJI does take precautions to prevent drones from flying over airports or other restricted areas such as prisons, these mechanisms could also be overridden,” Holz added.
The Bochum-Saarbrücken team aims to test other drone models in future studies.
