Holy Stone Remote ID Vulnerability Disclosure
Communication History
July 7, 2024 – Initial disclosure to Holy Stone
September 12, 2024 – Acknowledgement from Holy Stone
October 3, 2024 – Holy Stone released patch
CVSS: 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
CVE-2024-52876
Product: Holy Stone Remote ID Module HSRID01 (https://store.holystone.com/products/holy-stone-drone-remote-id-module)
Affected versions: Firmware distributed with the Drone Go2 mobile app prior to version 1.1.8
The Remote ID module can be powered off remotely while it is configured for broadcast mode. Exploitation requires neither authentication nor user interaction. An attacker can trigger the condition by connecting to the module over Bluetooth and performing multiple read operations against the ASTM Remote ID service (UUID 0xFFFA) exposed through the Generic Attribute Profile (GATT).
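For triage, it helps to confirm that the published CVSS v4.0 vector actually says what the prose says: reachable only from the adjacent network (Bluetooth), no privileges or user interaction required, and impact confined to availability of the module itself. The following is an added example, not code from the advisory or from Holy Stone; it validates a v4.0 base vector against the specification's metric tables and translates it into the questions an analyst asks. It deliberately does not compute the 7.1 score, which in v4.0 comes from the specification's MacroVector lookup.

```python
"""Parse and sanity-check a CVSS v4.0 base vector string.

Added example for this advisory (not Holy Stone's or the advisory author's code).
ADVISORY_VECTOR is the vector published in the advisory; BASE_METRICS lists the
CVSS v4.0 base metrics and their permitted values in specification order.
"""
import re

# CVSS v4.0 base metrics, in the order the specification requires, with their
# permitted abbreviated values and human-readable names.
BASE_METRICS = {
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "AT": {"N": "None", "P": "Present"},
    "PR": {"N": "None", "L": "Low", "H": "High"},
    "UI": {"N": "None", "P": "Passive", "A": "Active"},
    "VC": {"H": "High", "L": "Low", "N": "None"},
    "VI": {"H": "High", "L": "Low", "N": "None"},
    "VA": {"H": "High", "L": "Low", "N": "None"},
    "SC": {"H": "High", "L": "Low", "N": "None"},
    "SI": {"H": "High", "L": "Low", "N": "None"},
    "SA": {"H": "High", "L": "Low", "N": "None"},
}

# Vector string as published in the advisory for CVE-2024-52876.
ADVISORY_VECTOR = "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"


def parse_cvss4_vector(vector: str) -> dict:
    """Return {metric: value} for a well-formed v4.0 base vector; raise ValueError otherwise."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics = {}
    for item in parts[1:]:
        match = re.fullmatch(r"([A-Z]{2}):([A-Z])", item)
        if not match:
            raise ValueError(f"malformed metric component {item!r}")
        name, value = match.groups()
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        allowed = BASE_METRICS.get(name)
        if allowed is None:
            raise ValueError(f"unknown base metric {name}")
        if value not in allowed:
            raise ValueError(f"value {value!r} not permitted for {name}")
        metrics[name] = value
    missing = [name for name in BASE_METRICS if name not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    # All eleven base metrics are mandatory and the specification fixes their order.
    if list(metrics) != list(BASE_METRICS):
        raise ValueError("base metrics are not in specification order")
    return metrics


def triage_summary(metrics: dict) -> dict:
    """Translate a parsed vector into the questions a triager asks about it."""
    return {
        "reachable_from": BASE_METRICS["AV"][metrics["AV"]],
        "needs_privileges": metrics["PR"] != "N",
        "needs_user_interaction": metrics["UI"] != "N",
        "availability_impact": BASE_METRICS["VA"][metrics["VA"]],
        "confidentiality_or_integrity_impact": metrics["VC"] != "N" or metrics["VI"] != "N",
        "affects_subsequent_systems": any(metrics[m] != "N" for m in ("SC", "SI", "SA")),
    }


if __name__ == "__main__":
    parsed = parse_cvss4_vector(ADVISORY_VECTOR)
    for key, value in triage_summary(parsed).items():
        print(f"{key:40} {value}")
```

Run against the advisory's vector, the summary reports adjacent reachability, no privileges or interaction, high availability impact and no confidentiality, integrity or subsequent-system impact, which matches the description of an unauthenticated Bluetooth-range power-off.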