Transportation Security

DJI Threatens Researcher Who Reported Exposed Cert Key, Credentials, and Customer Data (arstechnica.com)

An anonymous reader quotes Ars Technica: DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback -- including a threat of charges under the Computer Fraud and Abuse Act. DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

The company says they're now investigating "unauthorized access of one of DJI's servers containing personal information," adding that "the hacker in question" refused to agree to their terms and shared "confidential communications with DJI employees."
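The leak described above is the classic case of credentials committed to a public repository: a PEM-encoded private key and AWS access keys sitting in source code. The following is an added example written for this page, not DJI's code or anything Finisterre published, showing the kind of pre-commit check that would have flagged both before the push. The sample file content is constructed; the access key ID and secret are placeholder values in the AWS documentation format, not real credentials.

```python
"""Minimal committed-secret scanner: flags AWS access key IDs, AWS secret keys
and PEM private-key blocks in text about to be committed.

Added example for this page; the sample input below is constructed.
"""
import re
import sys
from dataclasses import dataclass

# AWS access key IDs are a fixed 4-char prefix plus 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-char base64-ish token assigned near an "aws ... secret|access" name.
AWS_SECRET_RE = re.compile(
    r"(?i)aws.{0,20}?(?:secret|access).{0,20}?['\"]([0-9A-Za-z/+=]{40})['\"]"
)
PEM_BEGIN_RE = re.compile(r"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----")
PEM_END_RE = re.compile(r"-----END ([A-Z ]*?)PRIVATE KEY-----")


@dataclass(frozen=True)
class Finding:
    kind: str   # what was matched
    line: int   # 1-based line where the match (or PEM header) sits
    hint: str   # redacted value or PEM key type, never the secret itself


def redact(value: str) -> str:
    """Keep only the ends so a report can be shared without re-leaking."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every secret-looking item in `text`, in file order."""
    findings: list[Finding] = []
    in_pem: tuple[int, str] | None = None  # (start line, key type) while inside a block
    for lineno, line in enumerate(text.splitlines(), start=1):
        if in_pem is not None:
            # Inside a PEM block: only look for the matching END marker.
            if PEM_END_RE.search(line):
                findings.append(Finding("pem_private_key", in_pem[0], in_pem[1]))
                in_pem = None
            continue
        begin = PEM_BEGIN_RE.search(line)
        if begin:
            in_pem = (lineno, begin.group(1).strip() or "GENERIC")
            continue
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", lineno, redact(m.group(1))))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append(Finding("aws_secret_access_key", lineno, redact(m.group(1))))
    if in_pem is not None:
        # A BEGIN without END is still a key fragment worth blocking.
        findings.append(Finding("pem_private_key_unterminated", in_pem[0], in_pem[1]))
    return findings


def has_secrets(text: str) -> bool:
    """Convenience wrapper for a pre-commit hook: non-zero exit on any finding."""
    return bool(scan_text(text))


# Constructed sample of a config file like the one the article describes.
# Placeholder credentials in AWS-documentation format; not real.
SAMPLE_COMMIT = """\
# settings.py (constructed sample, not real code or real credentials)
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
S3_BUCKET = "flight-logs-upload"   # ordinary config, not a secret
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAconstructedplaceholderkeymaterial
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Scan files given on the command line, or the built-in sample.
    paths = sys.argv[1:]
    blobs = [open(p, encoding="utf-8", errors="replace").read() for p in paths] or [SAMPLE_COMMIT]
    rc = 0
    for blob in blobs:
        for f in scan_text(blob):
            print(f"{f.kind} at line {f.line}: {f.hint}")
            rc = 1
    sys.exit(rc)
```

Two caveats a practitioner would add. Pattern matching catches well-formed prefixes like `AKIA` and PEM headers, not arbitrary high-entropy strings, so it is a floor, not a ceiling. And once a key has been pushed, deleting it in a later commit does nothing: the material stays in history and in every clone and mirror, so the only fix is rotation (new AWS keys, reissued certificate with the old one revoked), which the commenters below also point out.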
  • by Opportunist ( 166417 ) on Saturday November 18, 2017 @07:51PM (#55578707)

    I'm pretty sure someone from another country will pay, don't worry.

    Dear companies, in general: Somehow you'll pay for us finding your blunders. Either you pay us, or you pay the damage the one does we sell it to.

  • by FrankSchwab ( 675585 ) on Saturday November 18, 2017 @07:55PM (#55578719) Journal

    After doing some investigation, I understand why the US Military decided not to allow DJI use any more.

    DJI makes some really nice drones (I have a Phantom III Pro). No argument there.

    However, their app is a security nightmare. Installing it leaves persistent services running on your phone forever, and those persistent services maintain open network connections to servers in China. With its extensive list of required permissions, you basically give it complete and total control of your phone.

    • by Anonymous Coward

      The question is, why do people install crappy software?

    • Yes they do, but it requires an Internet connection. At least with the US military, I'd expect them to hand the folks using the drones a nice little Android tablet. With the Wifi plugged off.

      There are lots of DJI users, myself included, who just don't let the Chatty Cathy apps just blather along. Both the iOS and Android apps can be quieted, it just takes a modicum of work. Perhaps beyond Joe Clueless, but I really hope the US 'Cyber Command' could rise to the occasion.

      And from what I've seen on the DJI

    • Watch the Defcon video about drone hacking. The software has to keep an ever updated database of no fly zones. However once the database is on your phone you can edit it as you please.

    • by msauve ( 701917 )
      "Installing it leaves persistent services running on your phone forever, and those persistent services maintain open network connections to servers in China. With its extensive list of required permissions, you basically give it complete and total control of your phone."

      This may be naive - I don't have a DJI drone. Can't you just install it on an older phone you're no longer using as a phone, making it a dedicated remote for the drone. Is anything more than WiFi needed?
  • by DCFusor ( 1763438 ) on Saturday November 18, 2017 @07:59PM (#55578731) Homepage
    They'd be boycotted starting now, for threatening someone trying to help them improve their product. If we know the whole story, that is. Sometimes when you just hear one side...
    • They might be, especially if people start to realize that there is a company from France called Parrot making similar drones to DJI but a little cheaper.

    • ... goods wouldn't be produced for profit, but for satisfying the needs of consumers, in cooperation, not competition. In such a world, we wouldn't even have a story. In the world as it is, no matter how just or how effective in their justice the reactions ever will be, such stories will continue to be the normality they are and have always been since the invention of money.

      • In a just world, people who advocate for government-run centralized manufacturing of goods with no reward for being competitively better than the next guy, would get to time travel to the peak of Soviet culture, and enjoy some of their fabulous consumer products.
        • Good thing, then, I suppose, that I didn't propose "government-run centralized manufacturing of goods" in any part whatsoever of what I wrote!

          • No, you just proposed something that only comes to pass if you resort to that. Because if you are going to tell people they can't compete with each other to produce better things, and seek out people willing to pay for that better quality, then you're going to have to get the government involved in stopping them. Regardless, you're going to end up with a profit-driven black market anyway. Which you know. A "sensible" approach is to let the market actually work. Despite their lip service to your preferred me
  • by jonwil ( 467024 ) on Saturday November 18, 2017 @08:04PM (#55578743)

    Why was DJI unwilling to offer the guy a deal that said "if you agree to destroy all our data (credentials, keys, customer data etc), not use it for any purpose and not talk publicly about it, we will agree not to take you to court over it". Then DJI could have replaced the credentials that got put into the GitHub code (certificate private keys, AWS credentials, whatever else) with things that aren't public, closed any other holes that resulted from what the guy found and moved on with the public at large not finding out what happened.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Ego. And stupidity. And some members of the company not on the same page with other members about how to handle their bug bounty program.

      Of course, it could also be that Finisterre's methods exceed the parameters established in the program. He could be the type that thinks the ends justify the means, and that the rules don't apply to him. "Since I found something important you should be grateful and offer me indemnity, even though I broke the law and violated the TOS of your bug bounty program."

      I don't

      • by Anonymous Coward

        This is stupid. If there is a problem it's got to be fixed regardless. You're not going to have some Chinese agent or a Russian agent or a US agent or North Korea complying with whatever rules the company has. The company should just be thankful that this guy is reporting it period and get its act together and fix the bugs. Personally I think any computer connected to the internet is fair game. You are literally agreeing to accept *ANY* data sent your way from anywhere in the world. It's dumb f'cs who think t

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Ego. And stupidity. And some members of the company not on the same page with other members

        Yes. This is a big problem with many companies.

        even though I broke the law and violated the TOS of your bug bounty program."

        Their bug bounty program specifically said they were looking for: "potential threats related to DJI's servers, apps or hardware."

        He found EXACTLY what they said they were looking for, and told them about it.

        And, as he pointed out to them, in his response to their threat to prosecute him under the Computer Fraud and Abuse Act, "you can't find a security problem without first accessing the system".

        Just another crooked company run by scumbags.

        • by Cederic ( 9623 )

          And, as he pointed out to them, in his response to their threat to prosecute him under the Computer Fraud and Abuse Act, "you can't find a security problem without first accessing the system".

          Does he have permission to use Github? Yes. Does he have permission to use information from Github to connect to DJI servers and explore them? No.

          He may have found a vulnerability doing that, but he broke the law to do so. There are ways to do these things legally, and fuck him if he decided to break the law instead.

    • The correct corporate response should have been: Give us everything you got and we'll pay the bounty. They also need to replace the certificates and update their code to the new certificates at the same time. Assuming their hardware supports downloading new firmware, because if it doesn't they'd not have that option and would have to hope their government will shield them from lawsuits.
    • Because there is no way for him to prove he destroyed everything, and no way for them to prove someone else didn't independently find the flaws, and no way for anyone to prove someone isn't actively exploiting the bug right now.
    • by stephanruby ( 542433 ) on Saturday November 18, 2017 @08:56PM (#55578929)

      Why was DJI unwilling to offer the guy a deal that said "if you agree to destroy all our data (credentials, keys, customer data etc), not use it for any purpose and not talk publicly about it, we will agree not to take you to court over it".

      A better agreement would have been:

      "if you agree to destroy all our data (credentials, keys, customer data etc), not use it for any purpose and not talk publicly about it for a period of one year ending on Nov 1st, 2018, we will agree to credit you publicly and pay you the bounty."

      Threatening someone you already gave permission to, and someone who has been acting in good faith all this time, is really a bad idea. It turns what is supposed to be a collaborative relationship into a confrontational one.

      Furthermore, a bug bounty program can't expect to silence a white hacker from a foreign country forever. Hackers are very ego-driven. Also, they make money and recruit new clients from recounting their exploit stories to others.

    • by Aighearach ( 97333 ) on Sunday November 19, 2017 @02:32AM (#55579687)

      That's what they tried to do! It is lame and slimy.

      If you have a bug bounty, people who are finding security bugs are security researchers, if they can't talk about it how do they build their career?!

      And when you give somebody permission to check your security for bugs, offering not to take them to court is actually a threat to take them to court, just phrased backwards, because you don't have any right to accuse them of crimes when you agreed for them to check your security.

      He left $30k on the table over those lame, slimy, offered terms. Bug bounty is bug bounty! If anything he should sue them for calling him a hacker and claiming he's some kind of black hat!

      The offer goes like this: Thanks for finding our bug, here is your money, thanks again, will you sign a document that says this is everything you found so far? There are no threats or demands. Nor is there even power to be making demands. Bug bounty is a service that helps the company!

  • Stock value goes to zero :/

  • I was just considering a DJI Spark. Not anymore. Another business to add to my blacklist.

    I bet you minor talks about this will happen, and in less than a month everyone will have forgotten about it.

    Just like OnePlus, just like Lenovo, just like Blackberry.

  • by v1 ( 525388 )

    "the hacker in question" refused to agree to their terms

    You don't just get to dictate any terms to anyone you want to and then say it's all their fault if they don't just accept whatever you throw at them. Sounds like the behavior of your stereotypical spoiled brat child.

    Attacking responsible disclosure is bad enough, but when you invite people to pen test with a bug bounty, you're already essentially surrendering your right to apply hacking laws to them. If you then are following up outright refusing t

  • by Anonymous Coward

    "the hacker in question" refused to agree to their terms

    Are they fucking serious ??
    Look, someone found a serious fuck up by DJI and tried to do the right thing and notify them about it. But, oh-no.. it has to be on DJI's terms.
    How stupid are DJI here, they're being done a big favor here, they're not in a position to call the shots and piss on the guy trying to help them with their own fuck up.

    What does that teach us? If anyone finds a serious problem with DJI again, they'll remember these ungrateful cunts and say "fuck it, I hope a black hat finds it too" , and

  • It is high time that the US government start a blacklist of foreign companies with terrible security practices and block them from importing into the US. Sure, we can't sue DJI, but we sure as hell can block any new shipments from DJI China until they get their shit together, and then require them to pay US cyber security bounties to a third party responsible for auditing and probing their software for 5 years after they get permission to start importing again. This is basic consumer protection. We don't

    • I agree with just about everything you said, except for one word: foreign. If the US government would get off its corrupt, lazy ass and apply serious sanctions to ANY company doing business in the US that used shoddy security, the world would be a better place.

      For example, I wonder how many people right on this site have been screwed by Equifax. Does anybody believe that massive leak would have happened if the consequences of that kind of negligence were multi-year prison terms for the entire board of di

      • The problem with businesses in general (I can't speak about Equifax because I am not fully up to speed on all the facts there) is that there must be some legal release of liability for best practices. For example, in Engineering, if you can demonstrate that you followed state of the art best practices, you are pretty much assured of avoiding criminal or civil liability, even if your product kills someone.

        In the real world, shit happens, and some things are just un-knowable until they happen. I am all for

  • As a point of hacking pride I hope that anyone who finds a DJI bug just publishes it without any heads up to DJI.
    • by Khyber ( 864651 )

      Someone's already posted the specific freqs for the entirety of the DJI line - in before everyone just makes a signal jammer and keeps DJIs from ever leaving the ground.

  • Finisterre exposed GPL violations of DJI to me and facilitated my getting DJI into compliance, including with my own copyrights. I did not charge DJI or anyone else or ask for DJI proprietary software. But maybe they're annoyed. So, could this be revenge?

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Sunday November 19, 2017 @01:14AM (#55579589) Homepage Journal

    Kevin Finisterre had previously reported and documented GPL violations to me, which I enforced and got DJI to comply by distributing source for several programs and libraries. I did not charge DJI any money or ask for any proprietary software. One wonders if they have gotten annoyed with Kevin, though.
