Re: Possible Firmware Bug Leads To Crash & $700 Repair (Vide
I must admit I have tested this long time ago and only by connecting to the WiFi and using SSH. That worked. Afterwards I saw someone mentioning that the camera was only blocking multiple connections but that everything else worked from multiple devices. So I took that for granted.
Anyhow I tested it now myself. Two devices, an iPad(owner) and an iPhone(hacker).
1. Both devices successfully connected to the Wifi network(no blocking there). Both devices successfully started the VISION app and both are showing the green light beside the Phantom network name on the top.
2. Only the first app that was started got the camera image, telemetry information and ability to use the ground station part of the app. The other app (from hacker's device) got no image, no telemetry (everything N/A, except the battery status of the Range Extender) and when swiped to ground station part I would get a warning on screen saying: "Ground Station Failed to Open". Cool. Seems to be at least somewhat safe then!
3. Went to settings part of the VISION app on the hacker's device. Settings were there, perfectly readable and I could change them. So I went to change the WiFi (SSID) name. The idea was that if I change the WiFi name, the owner device will lose connection and will probably not be able to connect again (since he will need much more time to conclude which WiFi network is now his). OK. The app allowed me to change the name, but for verification it asked me for the last six characters of the MAC address (that AA:BB:CC:DD:EE:FF type of address) of the Range Extender. That was probably imagined to be some sort of security, but it is not, since the MAC address can easily be obtained with for example the Fing app (available on the App Store). Or even if the owner has not changed his Phantom's WiFi name from the original factory setting, then the last six characters that are required are already part of the WiFi name!!! after the Phantom_ prefix.
Long story short. WiFi name was successfully changed. The original/owner device lost connection. I reconnected with the other/hacker device and acquired full control.
This was a simple scenario that anyone without special knowledge can execute. A person with knowledge would connect to SSH, drop active connections there and connect with VISION app, way faster. And later he can also change the SSID and even enable WiFi encryption.
Basically DJI has not implemented blocking multiple connections at the WiFi level, only at the app level and even that not to complete extent. I seriously don't know why isn't WiFi encryption enabled by default?!
Jstic said: It is absolutely true. Take your phantom out and connect with a tablet, then try and connect with your phone while connected to tablet. You CANNOT get the connection. I know because I have tried on multiple occasions. I mean come on, DJI may not be on top of everything with their products, but this is a no brainer.