
Security Enhancements in Drone Harmony’s DJI Dock Integration

  • Writer: Jeannine Stoll
  • 1 day ago
  • 2 min read

At Drone Harmony, we take the security of our systems and customers’ data seriously. That’s why we welcomed the opportunity to undergo a comprehensive penetration test of our DJI Dock implementation, conducted by the independent security testing firm MGM on behalf of Vattenfall, a national power grid provider.


No Critical Issues Found

First, the best news: no critical vulnerabilities were discovered. Of the 18 findings, most were of low or medium severity; six were rated high, and all six have already been resolved.


Here’s a breakdown of the results:

  • 0 critical findings

  • 6 high-severity issues – resolved

  • 6 additional issues – resolved

  • 6 remaining low-severity issues – scheduled for resolution shortly


This outcome underscores the robustness of our current implementation, while also highlighting areas where we have since made targeted improvements.



Strengthening Password Security

Several findings revolved around password management. As a result, we are introducing stricter password requirements for all Drone Harmony users, not just Dock users. In addition:


  • On-premise Dock customers can define and enforce their own password policies.

  • Password rules will be strengthened globally to enhance user account security further.
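The two bullets above describe a global rule set plus a per-tenant policy for on-premise customers. The natural design is that a tenant policy may only tighten the global rules, never loosen them. The following is an added illustration of that pattern, not Drone Harmony's own code; the minimum length, class count and banned words are assumptions, since the page does not publish the actual rules.

```python
from dataclasses import dataclass
import re
from typing import FrozenSet, List

MAX_LENGTH = 128  # cap keeps password-hashing cost bounded (assumed value)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_classes: int = 3  # of: lowercase, uppercase, digit, symbol
    banned: FrozenSet[str] = frozenset()  # substrings never allowed (case-insensitive)


# Hypothetical global floor; the real Drone Harmony rules are not published on this page.
GLOBAL_FLOOR = PasswordPolicy(min_length=12, require_classes=3,
                              banned=frozenset({"password", "drone", "dock"}))


def merge_policy(tenant: PasswordPolicy, floor: PasswordPolicy = GLOBAL_FLOOR) -> PasswordPolicy:
    """An on-premise tenant policy may tighten the global floor but never loosen it."""
    return PasswordPolicy(
        min_length=max(tenant.min_length, floor.min_length),
        require_classes=max(tenant.require_classes, floor.require_classes),
        banned=floor.banned | tenant.banned,
    )


CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return a list of violation codes; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    if len(password) > MAX_LENGTH:
        problems.append("too_long")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < policy.require_classes:
        problems.append("too_few_classes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains_username")
    if any(word in lowered for word in policy.banned):
        problems.append("banned_word")
    return problems
```

A tenant that configures `min_length=6` still gets the global 12 after `merge_policy`, while a tenant that adds its own banned words (its company name, for instance) sees them enforced on top of the global list.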


Highlights from the Security Review

We coordinated closely with MGM on their findings and prioritized fixes based on severity and potential real-world impact. Here are a few notable areas of improvement:


1. Reflected Cross-Site Scripting (XSS)

A reflected XSS vulnerability could have allowed an attacker to inject JavaScript via a crafted URL. This could have enabled session hijacking or redirection of users to spoofed pages.


  • Fix: To prevent script execution, we now block the upload and download of HTML files and enforce stricter response content-header rules.


2. Session Token Exposure

Session tokens were previously passed in URLs as well as in cookies. A token in a URL can leak through browser history, proxy and server logs, and the Referer header, which increases the risk of session hijacking.


  • Fix: Session tokens are now carried only in cookies with hardened attributes and are no longer exposed via URLs.
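The following is an added example, not Drone Harmony's code, of what "no longer exposed via URLs" looks like in practice: the session cookie is issued with the attributes that keep it away from scripts and plain HTTP, the server reads the session only from the cookie, and any request that carries a token-like parameter in the query string or fragment is refused. The cookie and parameter names are assumptions.

```python
from http.cookies import SimpleCookie
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed names for this example; not Drone Harmony's actual cookie or parameter names.
SESSION_COOKIE = "session_id"
TOKEN_PARAMS = {"token", "session", "sessionid", "session_id", "sid", "auth", "access_token"}
REQUIRED_ATTRS = ["HttpOnly", "Secure", "SameSite"]


def session_cookie_header(token: str, max_age: int = 3600) -> str:
    """Set-Cookie value for a freshly issued session.

    HttpOnly: not readable by injected script (limits the impact of an XSS).
    Secure:   never sent over plain HTTP.
    SameSite=Lax: not attached to cross-site POSTs; use Strict if no cross-site
    navigation into the app is needed.
    """
    return (f"{SESSION_COOKIE}={token}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


def token_in_url(url: str) -> bool:
    """True if the query string or fragment carries a parameter that looks like a session token."""
    parts = urlsplit(url)
    names = []
    for component in (parts.query, parts.fragment):
        names.extend(parse_qs(component, keep_blank_values=True))
    return any(n.lower() in TOKEN_PARAMS for n in names)


def extract_session(headers: Dict[str, str], url: str) -> Optional[str]:
    """Accept the session only from the cookie; refuse requests that put a token in the URL."""
    if token_in_url(url):
        raise ValueError("session token in URL; request rejected")
    jar = SimpleCookie(headers.get("Cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def missing_cookie_attributes(set_cookie: str) -> List[str]:
    """Hardening attributes absent from a Set-Cookie header; handy as a regression check."""
    present = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [a for a in REQUIRED_ATTRS if a.lower() not in present]
```

Rejecting token-bearing URLs outright, rather than silently ignoring the parameter, is deliberate: it surfaces any client code that still builds such links, which is exactly the behaviour a retest should no longer find.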


3. Privilege Escalation

A vulnerability existed where a logged-in user might escalate their privileges and gain unauthorized access to other users’ data.


  • Fix: We’ve added robust server-side checks to ensure users can only access data they are authorized to see.


4. Arbitrary File Uploads

In some cases, file uploads did not verify file types, potentially allowing harmful files to be uploaded.


  • Fix: Both the web app and the backend server now strictly validate uploaded file types. The server-side check is the one that counts; a browser-side check alone can be bypassed by any client that skips the web app.
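Items 1 and 4 are two halves of the same control: what the server accepts on upload, and how it serves files back. The following is an added example, not Drone Harmony's code, of a server-side check that combines an extension allow-list with a magic-byte check and an HTML screen, plus the response headers that stop a stored file from being rendered as a page. The allow-list and the sample bytes are constructed for this example.

```python
import os
from typing import Dict, Tuple

# Allow-list of accepted upload types: extension -> (MIME type to serve, magic prefixes, is_text).
# Constructed for this example; the real Drone Harmony allow-list is not published on this page.
ALLOWED = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",), False),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",), False),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",), False),
    ".csv": ("text/csv", (), True),
}
# Anything a browser might render as a document, whatever the claimed type.
HTML_MARKERS = (b"<!doctype", b"<html", b"<script", b"<svg", b"<iframe")


def looks_like_html(head: bytes) -> bool:
    h = head[:512].lstrip().lower()
    return any(m in h for m in HTML_MARKERS)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side checks: extension allow-list, HTML screen, magic bytes, text sanity.

    Returns (accepted, reason). The client-supplied Content-Type is never consulted.
    """
    name = os.path.basename(filename.replace("\\", "/"))  # drop any path components
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    mime, magics, is_text = ALLOWED[ext]
    if looks_like_html(data):
        return False, "content looks like HTML"
    if magics and not any(data.startswith(m) for m in magics):
        return False, "content does not match declared type"
    if is_text:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text file is not valid UTF-8"
    return True, "ok"


def download_headers(stored_name: str) -> Dict[str, str]:
    """Headers for serving a stored file: type taken from the allow-list (never from the upload),
    no MIME sniffing, forced download, and a CSP that neutralises anything that still renders."""
    ext = os.path.splitext(stored_name)[1].lower()
    mime = ALLOWED[ext][0] if ext in ALLOWED else "application/octet-stream"
    safe_name = os.path.basename(stored_name).replace('"', "")
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The order of checks matters: a file named `photo.png` whose body starts with `<script>` is rejected by the HTML screen before the magic-byte test, and a file whose extension is not listed never has its bytes inspected at all. Serving with `Content-Disposition: attachment` and `nosniff` means that even a file that slipped past validation is downloaded rather than executed in the application's origin.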


5. MQTT Password Exposure

Previously, the web interface displayed the MQTT password in plain text.


  • Fix: Viewing the MQTT password now requires an additional login and is only accessible to administrators.
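Items 3 and 5 both come down to authorization decided on the server: every object access is checked against the caller, and the MQTT credential sits behind an extra gate. The following is an added example, not Drone Harmony's code, of an ownership check that treats "not found" and "not yours" identically, a view model that simply has no field for the secret, and a step-up check requiring an administrator who has re-authenticated recently. Roles, the re-authentication window and the in-memory data are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Raised for both 'not found' and 'not yours', so existence of other users' data is not leaked."""


class ReauthRequired(Exception):
    """Raised when a sensitive action needs the user to re-enter their password first."""


@dataclass
class User:
    id: str
    role: str                          # hypothetical roles: "admin" or "operator"
    reauth_at: Optional[float] = None  # unix time of the last password re-entry


@dataclass
class Mission:
    id: str
    owner_id: str
    mqtt_password: str                 # the Dock's broker credential; must never reach a normal view


# Constructed in-memory store; values are placeholders, not real credentials.
MISSIONS: Dict[str, Mission] = {
    "m1": Mission("m1", "u1", "placeholder-mqtt-secret-1"),
    "m2": Mission("m2", "u2", "placeholder-mqtt-secret-2"),
}
AUDIT: List[str] = []
REAUTH_WINDOW = 300.0  # seconds a re-authentication stays valid (assumed value)


def get_mission(user: User, mission_id: str) -> Mission:
    """Object-level authorization: ownership is checked on the server for every access,
    so a client that guesses another user's ID gets the same answer as for a missing one."""
    mission = MISSIONS.get(mission_id)
    if mission is None or (mission.owner_id != user.id and user.role != "admin"):
        raise Forbidden(f"mission {mission_id} not available to user {user.id}")
    return mission


def mission_view(user: User, mission_id: str) -> Dict[str, str]:
    """Serialisation for the normal UI: an explicit field list, so the secret cannot leak by accident."""
    m = get_mission(user, mission_id)
    return {"id": m.id, "owner_id": m.owner_id}


def reveal_mqtt_password(user: User, mission_id: str, now: float) -> str:
    """Step-up: admin role plus a recent re-authentication, and an audit record of the reveal."""
    mission = get_mission(user, mission_id)
    if user.role != "admin":
        raise Forbidden("only administrators may view the MQTT password")
    if user.reauth_at is None or now - user.reauth_at > REAUTH_WINDOW:
        raise ReauthRequired("re-enter your password to continue")
    AUDIT.append(f"{now:.0f} user={user.id} revealed mqtt password for mission={mission.id}")
    return mission.mqtt_password
```

Two design points worth keeping: the view model never contains the secret, so no template or API filter has to remember to strip it, and the reveal path writes an audit entry, which is what lets an operator later answer "who looked at this credential and when".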


Ongoing Commitment

Security is not a one-time effort—it’s a continuous process. We’re grateful to MGM and Vattenfall for facilitating this important assessment and remain committed to making ongoing improvements to keep our systems secure.


We encourage you to contact us if you have any questions or feedback about our security measures.
