Submission #741323: DJI DJI Mavic Mini, Spark, Mini SE 01.00.0500 and Below Authentication Bypass by Capture-replay

Title: DJI DJI Mavic Mini, Spark, Mini SE 01.00.0500 and Below Authentication Bypass by Capture-replay
Description: DJI drones running Enhanced Wi-Fi transmission system uses WEP encryption which is easily crackable. This allows adversaries to transmit commands to the drone or remote controller as long as the WEP key is encrypted. It is discovered that during the pairing sequence for the drone and RC, a series of bytes are sent to set the drone into a pairing mode. By decrypting this sequence, the connection bytes are discovered and can be used to retransmit it to other drones. By reencrypting this sequence of bytes and amending the packet to the correct MAC address, it is possible to force a disconnect between any drone and its RC regardless of its flight state, thus performing an availability attack on any drone.

DJI drones using the Enhanced-WiFi transmission system employ WEP encryption, which is cryptographically weak and susceptible to key recovery. An attacker within wireless range who obtains the WEP key can inject crafted IEEE 802.11 frames into the communication channel between the drone and its remote controller (RC). During the drone–RC pairing process, a specific sequence of bytes is transmitted to place the drone into pairing mode. Once this sequence is decrypted, the same byte sequence can be re-encrypted and replayed with a modified destination MAC address. By retransmitting this crafted packet, an attacker can forcibly terminate the connection between any drone and its paired RC. This replay-based attack can be performed regardless of the drone’s flight state, resulting in a denial-of-service condition and loss of control and telemetry, impacting the availability of affected DJI drones.
Source: https://github.com/ByteMe1001/DJI-CatNect
User: byteme1001 (UID 89355)
Submitted: 2026-01-17 09:33 (5 months ago)
Moderated: 2026-02-01 17:36 (15 days later)
Status: Accepted
VulDB entry: 343674 [DJI Mavic Mini/Air/Spark/Mini SE up to 01.00.0500 Enhanced Wi-Fi Pairing weak authentication]
Points: 20
