New security vulnerabilities have been discovered in drones made by China's DJI, products that are widely suspected of carrying backdoors. Even as fears of backdoors in Chinese products spread around the world, South Korea's major public agencies are leading the way in purchasing Chinese drones.
According to Israeli cybersecurity firm Check Point on Nov. 11, its researchers discovered a total of three vulnerabilities in the DJI infrastructure: a secure cookie bug in the DJI identification process, a cross-site scripting (XSS) flaw in its forum and an SSL pinning issue in its mobile app. Check Point detected and responsibly reported the problems to the DJI security team in March this year, but the popular China-based drone maker did not fix them until September, almost six months later. During that period, attackers could have gained access to user accounts and the sensitive information synced to them, including flight records, location, the live video camera feed, and photos taken during a flight.
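The two web-side flaws named above (a cookie lacking protective attributes and an XSS bug in a forum) are the combination that lets a planted link in a forum post reach a logged-in user's session. The following Python snippet is an added illustration of the standard server-side mitigations for those vulnerability classes; it is not DJI's code and says nothing about how DJI's services were actually built. The cookie name `session`, the `REQUIRED_FLAGS` list and the sample forum text are all constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Attributes a session cookie should carry so that injected script cannot read it
# (HttpOnly) and it is never sent over plain HTTP (Secure). Constructed policy.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def build_session_cookie(session_id: str) -> str:
    """Return a hardened Set-Cookie header value for a session identifier.

    Generic illustration of secure cookie attributes, not a real service's code.
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["secure"] = True       # only transmitted over HTTPS
    jar["session"]["httponly"] = True     # not exposed to document.cookie
    jar["session"]["samesite"] = "Strict" # not attached to cross-site requests
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


def missing_cookie_flags(set_cookie_header: str) -> list[str]:
    """Audit a Set-Cookie header value and list the protective flags it lacks.

    Useful as a quick check when reviewing a service's login response.
    """
    attributes = set_cookie_header.split(";")[1:]          # skip name=value
    present = {a.strip().split("=", 1)[0].lower() for a in attributes}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in present]


def render_forum_post(body: str) -> str:
    """Embed user-supplied forum text in HTML with every markup character escaped.

    A planted link or script tag is rendered as visible text instead of executing,
    which removes the XSS vector the article describes.
    """
    return "<p>" + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    print(build_session_cookie("example-session-id"))
    print(missing_cookie_flags("session=example-session-id; Path=/"))
    print(render_forum_post('<script>alert(1)</script>'))
```

`missing_cookie_flags` returns an empty list for the header produced by `build_session_cookie` and names both flags for a bare `session=...; Path=/` header, which is the kind of difference a reviewer would look for when confirming a fix like the one DJI shipped in September.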
An official from Check Point said, "(Particular users) could have their accounts stolen when they were logged into the DJI Forum and clicked on a specially planted malicious link." In this regard, DJI said, "The vulnerabilities carry a high risk, but they are hard to find. So, there is no evidence that they were ever exploited by hackers other than Check Point."
Currently, DJI holds a 70 percent share of the global commercial drone market. Its drones are used not only by consumers but also by critical infrastructure firms and manufacturing, agricultural and construction enterprises. DJI said that it has also been expanding the market through its local subsidiary in South Korea since 2016. However, DJI drones are not free from the backdoor controversy, just like other Chinese IT products. In August last year, the United States Army banned the use of DJI drone products, citing increased awareness of cyber vulnerabilities. When the U.S. Air Force and Navy subsequently tried to buy DJI drones for special tactical training, the U.S. Department of Defense banned the use and purchase of DJI drones.
Despite these circumstances, South Korea's major state agencies are scrambling to adopt DJI drones. The Electronics and Telecommunications Research Institute (ETRI) of Korea and the National Security Research Institute (NSRI) purchased DJI drones for research purposes, while the Korea Institute of Geoscience and Mineral Resources (KIGAM), the National Institute of Environmental Research (NIER) under the Ministry of Environment, the Korea National Park Service (KNPS) and the Korea Forest Service (KFS) recently adopted DJI drones.
Meanwhile, 56.4 percent of the drones owned by national public agencies are Chinese products, according to data from the Korea Drone Industry Promotion Association (KODIPA).