Cybersecurity

Holy Stone Remote ID Vulnerability Disclosure

Matt Foster

Senior Consultant - Cyber Security Services

November 6, 2024
Adobe Stock 1022406428 webopt

Communication History
July 7, 2024 – Initial disclosure to Holy Stone
September 12, 2024 – Acknowledgement from Holy Stone
October 3, 2024 – Holy Stone released patch

CVSS: 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

 
Product: Holy Stone Remote ID Module HSRID01 (https://store.holystone.com/products/holy-stone-drone-remote-id-module)
Affected versions: Firmware distributed with the Drone Go2 mobile app prior to version 1.1.8

The remote ID module is vulnerable to remote power off while configured for broadcast mode. Exploitation does not require authentication or user interaction. An attacker can exploit the vulnerability by connecting to the module over Bluetooth and performing multiple read operations on the ASTM Remote ID (0xFFFA) generic attribute profile (GATT).