CVE-2024-52876: n/a
Holy Stone Remote ID Module HSRID01, firmware distributed with the Drone Go2 mobile application before 1.1.8, allows unauthenticated "remote power off" actions (in broadcast mode) via multiple read operations on the ASTM Remote ID (0xFFFA) GATT.
AI Analysis
Technical Summary
CVE-2024-52876 identifies a security vulnerability in the Holy Stone Remote ID Module HSRID01 firmware distributed with the Drone Go2 mobile application prior to version 1.1.8. The vulnerability arises from the module's handling of the ASTM Remote ID (0xFFFA) Bluetooth GATT characteristic in broadcast mode. Specifically, an attacker can perform multiple unauthenticated read operations on this GATT characteristic, which triggers a remote power-off command on the drone. This behavior indicates a logic flaw or improper validation in the firmware's Bluetooth communication stack, allowing an out-of-bounds read condition (CWE-125) that leads to unintended device shutdown. The vulnerability requires no privileges or user interaction, and the attack vector is network-based via Bluetooth. The CVSS v3.1 base score is 7.5, reflecting high severity due to the network attack vector, lack of required privileges, no user interaction, and high confidentiality impact (likely due to potential data leakage or control information exposure), though integrity and availability impacts are not directly affected. No patches or exploits are currently publicly available, but the risk remains significant given the potential for disruption of drone operations.
Potential Impact
The primary impact of this vulnerability is the unauthorized remote shutdown of affected drones, which can lead to loss of control, mission failure, or physical damage if the drone crashes. For commercial operators, this could disrupt delivery services, aerial inspections, or agricultural monitoring. Recreational users may experience loss of expensive equipment. In critical infrastructure or public safety contexts, such as emergency response or surveillance, the ability to remotely power off drones could be exploited to disable monitoring capabilities or interfere with operations. The confidentiality impact is rated high, possibly due to exposure of Remote ID information during the attack, which could aid further reconnaissance or attacks. Although availability and integrity are not directly compromised by data manipulation, the forced shutdown effectively denies service. The ease of exploitation without authentication or user interaction increases the threat level, potentially enabling attackers in proximity to the drone to cause disruption with minimal effort.
Mitigation Recommendations
To mitigate this vulnerability, affected users should immediately update the Drone Go2 mobile application to version 1.1.8 or later once available, as this likely contains the necessary firmware fixes. Until patches are deployed, operators should restrict physical and wireless access to drones, especially disabling Bluetooth broadcast mode when not in use. Implementing Bluetooth signal range limitations and using secure pairing methods can reduce exposure. Network-level controls such as Bluetooth device whitelisting and monitoring for abnormal GATT read requests can help detect and prevent exploitation attempts. Manufacturers should consider firmware hardening to validate all GATT operations and implement authentication or authorization checks before executing critical commands like power off. Additionally, operators should conduct risk assessments for drone deployments in sensitive environments and develop contingency plans for potential drone shutdowns.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-11-17T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bbab7ef31ef0b55a6ef
Added to database: 2/25/2026, 9:38:02 PM
Last enriched: 2/28/2026, 3:07:12 AM
Last updated: 4/12/2026, 1:57:48 PM