A group of German researchers has revealed serious security flaws in several DJI drone models that could allow attackers to track the drone and its operator, change its identification data and remotely deactivate it in flight. The team, led by Nico Schiller of the IT Security Institute and Professor Thorsten Holz of the CISPA information security centre, disclosed the vulnerabilities at the Network and Distributed System Security Symposium. The researchers fed random input data to the drone hardware and firmware (fuzzing) and generated DUML data packets to test the drone software. In total they found 16 vulnerabilities across the four DJI drone models tested.
The DJI Mini 2, Mavic Air 2 and Mavic 3 proved to be the most vulnerable, as the four most serious vulnerabilities affect those models. An attacker could obtain elevated system privileges, alter log data and manipulate the drone's serial number. Because DJI's firmware blocks flights over restricted areas such as airports and prisons, attackers could use these vulnerabilities to remove those restrictions and fly undetected within restricted areas, putting public safety at risk. They could also deactivate the drone in flight, causing it to crash, and exploit the most critical vulnerability to track the exact location of the drone and its operator. All data transmitted via the DroneID protocol was exposed because it was not encrypted.
The German research team reported these flaws to DJI, and the manufacturer has since fixed the vulnerabilities. DJI has released firmware updates to users worldwide to address the security issues found. Future research will examine the security vulnerabilities of other drone models.