Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
DJI Mavic Products Hard-Coded Cryptographic Key Vulnerability
Vulnerability
A cryptographic vulnerability has been identified in DJI Mavic Spark, Mavic Air, and Mavic Mini drones running version 01.00.0500. The vulnerability arises from the use of static WEP encryption in the Enhanced Wi-Fi communication protocol, which leaves traffic susceptible to interception and decryption. Because the encryption keys are hard-coded, local network attackers can access control and telemetry data. The vulnerability is particularly concerning because it could lead to complete hijacking of the drone once the command protocol is reconstructed.
Impact
The vulnerability allows for interception, decryption, and replay of control and telemetry traffic, potentially leading to complete hijacking of the drone.
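A defender-side check for the condition described above, as an added example that is not part of the original advisory: it labels captured 802.11 data frames as WEP or TKIP/CCMP from the ExtIV bit, so an operator can confirm whether a link in their own fleet still uses WEP. It assumes Enhanced Wi-Fi traffic appears as standard 802.11 data frames with the radiotap header already stripped; the helper names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

def classify_frame(frame: bytes) -> str:
    """Label a raw 802.11 frame (radiotap header already stripped)."""
    if len(frame) < 24:
        return "short"
    fc = struct.unpack_from("<H", frame, 0)[0]   # Frame Control, little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:
        return "non-data"
    if not fc & 0x4000:                          # Protected Frame bit clear
        return "cleartext"
    hdr = 24
    if fc & 0x0100 and fc & 0x0200:              # ToDS and FromDS: Address 4 present
        hdr += 6
    if subtype & 0x8:                            # QoS data: QoS Control field
        hdr += 2
        if fc & 0x8000:                          # +HTC/Order: HT Control field
            hdr += 4
    if len(frame) < hdr + 4:
        return "short"
    # Byte 3 of the IV header: bit 5 is ExtIV. WEP leaves it 0; TKIP/CCMP set it.
    return "tkip-or-ccmp" if frame[hdr + 3] & 0x20 else "wep"

def wep_transmitters(frames):
    """Return the sorted transmitter addresses (Address 2) seen sending WEP frames."""
    macs = {f[10:16].hex(":") for f in frames if classify_frame(f) == "wep"}
    return sorted(macs)

def _frame(fc, addr2, body, qos=False):
    """Build a constructed sample frame; addresses and payload are made up."""
    hdr = struct.pack("<HH", fc, 0) + bytes(6) + addr2 + bytes(6) + bytes(2)
    return hdr + (bytes(2) if qos else b"") + body

DRONE = bytes.fromhex("020000000001")   # constructed, locally administered MAC
LAPTOP = bytes.fromhex("020000000002")  # constructed
SAMPLES = [
    _frame(0x4108, DRONE, b"\x01\x02\x03\x00" + b"\xaa" * 16),   # WEP: ExtIV=0
    _frame(0x4188, LAPTOP, b"\x01\x00\x00\x20" + bytes(4) + b"\xbb" * 16, qos=True),  # CCMP
    _frame(0x0108, LAPTOP, b"\xcc" * 16),                        # unprotected data
    struct.pack("<HH", 0x0080, 0) + bytes(20),                   # beacon (management)
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f[10:16].hex(":"), classify_frame(f))
    print("WEP transmitters:", wep_transmitters(SAMPLES))
```

Any transmitter this reports after a firmware update is still sending WEP-protected frames and remains exposed to the impact described above.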
Reproduction
The vulnerability can be reproduced by capturing Enhanced Wi-Fi traffic using a compatible Wi-Fi adapter or a TP-Link router with an older Atheros chipset. After intercepting the data, the WEP encryption can be cracked using Aircrack-ng, revealing the static encryption keys. These keys can then be used to decrypt the intercepted telemetry and control commands.
