What the DJI Vulnerability Tells Us About Live Video Security
At the beginning of November 2018, it was revealed that Chinese drone company DJI had exposed users to a serious vulnerability. The vulnerability, according to a Forbes report about the issue, could allow hackers to spy on the live video feeds of DJI drone users and gain full access to their accounts. A savvy hacker would also have been able to access photos, videos and flight logs, including records of where the drone had been, provided that users had synchronized them to DJI’s servers, as Check Point, the Israeli cybersecurity firm which alerted DJI to the issue in March 2018, has reported. Even the FlightHub feature, which provides live camera and map views during drone flights, could have been compromised as a result of this flaw.
It should be noted that DJI has since patched this vulnerability, and the Chinese company says that no hackers actually exploited this massive security flaw. Check Point also explained that in order for hackers to use the exploit, a user would have to be signed into the DJI forums and would need to click a malicious link (this link would provide the hacker with tokens which could be used to log in as the user). Therefore, there was a low probability of such a hack occurring. Nevertheless, the discovery of the issue has led to an increased focus on the live video industry, with many wondering what more live video providers can do to keep their users safe.
How Can Live Video Providers Address Security Issues?
Following industry standards is necessary for providers of live video regardless of genre and application, considering that many live video platforms have been developed and are managed by entirely different teams. For example, the BBC iPlayer live TV and streaming service is incredibly popular and The Guardian notes that hundreds of millions of shows are watched every single month. But it is unclear if that platform, which was developed internally by the BBC, follows industry standards or just internal guidelines.
Things are trickier still for the Amazon-owned streaming platform, Twitch. Although it does secure user data, encouraging users to secure their accounts with two-factor authentication and tools like Authy, users are still vulnerable due to the many third-party sites and software that Twitch streamers link to. According to a Statista report about Twitch, there were more than 550,000 Twitch streamers as of December 2017, and that means that users could potentially be exposed to a massive number of unchecked security vulnerabilities or flaws. There would be far less risk of this, however, if Twitch itself – and not just the sites it linked to – was encouraged to follow industry security standards.
One more way that live video providers can proactively address security issues, patching vulnerabilities before they can become a problem, is to achieve a globally recognized security certification. For example, a company can become ISO certified like Evolution Gaming, which is the provider of live casino games on Betway Casino, including live blackjack and live baccarat, which feature live streams of real-life dealers. The ISO 27001:2013 certification for information security management confirms that the live casino games made by Evolution have been created with cybersecurity safeguards in place, and that both the licensee of these live casino games and their players have their information secured and managed at industry-recognized standards. Another industry standard is the PCI DSS, or the Payment Card Industry Data Security Standard, which is a certification for security with regard to card payments, including payment processing and the way in which card data is stored or handled.
Why Live Video Security is So Important
Employing best security practices is necessary to foster trust among viewers. Why would they use and view live video on a site that doesn’t take their security seriously? This, in turn, could damage the entire live video streaming industry. There are also tangible ramifications, as companies that have faced data breaches have been forced to pay massive fines. Uber was fined $1.1 million for a 2016 data breach, for example. Given that the Firefox browser displays security warnings on breached websites too, live video platforms and sites could see their revenue and viewership go down the pan if they don’t take security seriously.
DJI may have started the conversation, but it’s far from over. Many agree that more needs to be done.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.