Researchers from the Horst Görtz Institute for IT Security at Ruhr University Bochum and the CISPA Helmholtz Center for Information Security have discovered multiple serious security vulnerabilities in DJI drones that could allow users to modify drone identification details and bypass security mechanisms.
In some cases, drones could be remotely brought down in flight. The findings were presented at the Network and Distributed System Security Symposium, and DJI was informed of the vulnerabilities before they were made public.
The manufacturer has since fixed the issues. The researchers tested three DJI drone models and found all had vulnerabilities, documenting 16 in total.
The DJI Mini 2, Mavic Air 2, and Mavic 3 models had four serious flaws. In addition, the researchers discovered that unencrypted location data transmitted by DJI drones could be read by anyone with relatively simple methods.
The researchers used a method known as fuzzing to test the drones by feeding them random inputs to check for crashes and unwanted changes to the drone’s data, such as the serial number.
Due to the complexity of DJI drones, fuzzing had to be performed on the live system. The team developed an algorithm to generate DUML data packets, which were sent to the drone, and evaluated which inputs caused the drone’s software to crash.
They paired the drone with a mobile phone running the DJI app to periodically check if fuzzing was changing the drone’s state.
The discovered vulnerabilities allowed attackers to gain extended access rights in the system and change log data, the serial number, or override DJI’s mechanisms to prevent drones from flying over restricted areas.
The researchers also found that the unencrypted location data transmitted by DJI drones could be read by anyone. The Bochum-Saarbrücken team plans to test the security of other drone models in future studies.
In conclusion, the vulnerabilities discovered by the researchers pose a significant security risk to DJI drone users, allowing attackers to modify drone identification details, bypass security mechanisms, and even bring down drones remotely in flight.
The unencrypted transmission of location data also poses a risk to pilots’ privacy and security. DJI has since fixed the vulnerabilities, but the discovery highlights the importance of thorough security testing of drones and other devices to identify and address potential weaknesses.
