#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
CrowdSec

DJI Mavic Pro Drone | Breaking Cybersecurity News | The Hacker News

Researchers Reveal New Security Flaw Affecting China's DJI Drones

Researchers Reveal New Security Flaw Affecting China's DJI Drones
Jul 24, 2020
Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI) that comes with an auto-update mechanism that bypasses Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI's servers. The twin reports, courtesy of cybersecurity firms Synacktiv and GRIMM , found that DJI's Go 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, the serial number of the SIM card), it makes use of anti-debug and encryption techniques to thwart security analysis. "This mechanism is very similar to command and control servers encountered with malware," Synacktiv said. "Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user's phone." The

Here's How Hackers Could Have Spied On Your DJI Drone Account

Here's How Hackers Could Have Spied On Your DJI Drone Account
Nov 08, 2018
Cybersecurity researchers at Check Point today revealed details of a potential dangerous vulnerability in DJI Drone web app that could have allowed attackers access user accounts and synced sensitive information within it, including flight records, location, live video camera feed, and photos taken during a flight. Thought the vulnerability was discovered and responsibly reported by the security firm Check Point to the DJI security team in March this year, the popular China-based drone manufacturing company fixed the issue after almost six months in September. The account takeover attack takes advantage of a total of three vulnerabilities in the DJI infrastructure, including a Secure Cookie bug in the DJI identification process, a cross-site scripting (XSS) flaw in its Forum and a SSL Pinning issue in its mobile app. The first vulnerability, i.e. not having the "secure" and "httponly" cookie flag enabled, allowed attackers to steal login cookies of a user b

external linkResearch Report: State of Threat Detection

SaaS
websitevectra.aiSecOps / Threat Detection
SecOps get 4,484 alerts a day — learn how to regain control in the free report. Download now.
Cybersecurity Resources