TECHNOPOLICE

    Security analysis of the Android app for DJI drones (PPP, Nice...)... Outrageous

    Surveillance technologies and industries
      cccccc

      You will find the summaries and report here and here and here.

      Basically, the Android app for DJI drones, which are used by law enforcement:

      • allows arbitrary code execution through the possible installation of unverified applications (basically they do whatever they want)
      • leaks tons and tons of data about the phone/user (not needed for the drone to operate)

      "In the worst case, these features can be used to target specific users with malicious updates or applications that could be used to exploit the user's phone. Given the amount of user’s information retrieved from their device, DJI or Weibo would easily be able to identify specific targets of interest. The next step in exploiting these targets would be to suggest a new application (via the Weibo SDK) or update the DJI application with a customized version built specifically to exploit their device. Once their device has been exploited, it could be used to gather additional information from the phone, track the user via the phone’s various sensors, or be used as a springboard to attack other devices on the phone’s WiFi network. This targeting system would allow an attacker to be much stealthier with their exploitation, rather than much noisier techniques, such as exploiting all devices visiting a website."
