DJI Vulnerability Let Hackers Spy on Drones

A Phantom 4, developed by consumer-drone maker DJI, flies during its demonstration flight in Tokyo, Thursday, March 3, 2016. Shizuo Kambayashi/AP File Photo

DJI is one of the world's leading drone companies, providing tools for consumers and corporations alike.

With such a massive reach, a security flaw could be especially damaging, and researchers from security firm Check Point Research discovered just that, CNET reports. A hole in DJI.com's code could have allowed people to steal access tokens on DJI forums. From there, they could easily log in to someone's account without needing a password because DJI used the same authentication for both its forums and apps.

Any hackers who exploited the vulnerability would be able to access live footage from DJI's Flight Hub tool, giving away a drone user's location. In some instances, a hacker could control multiple drones. Hackers would also be able to access the last four digits of users' credit cards as well as photos taken from previous drone flights.

Check Point Research discovered the vulnerability in March. DJI reports that it fixed the flaw in September. The company spent six months patching the vulnerability across its entire infrastructure.

Stealing access tokens was the same method used by hackers to access nearly 30 million Facebook accounts.

Fortunately, Check Point Research says there is no evidence this vulnerability was ever exploited. But the incident does serve as an important reminder to strengthen your password security and back up all of your files and data. You never know when or where the next vulnerability could be.