DJI Spark
cpe:2.3:h:dji:spark:*:*:*:*:*:*:*
- <= 01.00.1000
A denial-of-service vulnerability has been identified in several DJI drone models, including the Mavic Mini, Spark, Mavic Air, Mini, and Mini SE versions 0.1.00.0500 and below. The issue arises in the DJI Enhanced-WiFi transmission subsystem, which uses WEP encryption, allowing remote attackers to inject crafted IEEE 802.11 frames into the communication channel between the drone and its remote controller. This injection can replay a static pairing byte sequence that, when decrypted and re-encrypted, forces a disconnection, disrupting control and telemetry.
Exploitation of this vulnerability causes a loss of control and telemetry between the drone and its remote controller. The disconnection can occur while the drone is on the ground or in the air, and it remains disabled for as long as the injected frames are broadcast.
The vulnerability can be reproduced by recovering the WEP key used in the drone's Enhanced-WiFi communication. Once the key is obtained, an attacker within wireless range can inject crafted frames to replay the static pairing byte sequence, forcibly disconnecting the drone from its remote controller.