Enlarge / A security researcher says he was trying to play fair with DJI’s bug bounty program.

DJI calls him a hacker who exposed customer data.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the “wildcard” certificate for all the company’s Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports.
Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI’s systems under DJI’s bug bounty program, which was announced in August.

But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA).

DJI refused to offer any protection against legal action in the company’s “final offer” for the data.
So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, “Why I walked away from $30,000 of DJI bounty money.”
“Hacker?”
DJI launched its bug bounty this fall shortly after the US Army issued a ban on using DJI drones for any military purpose due to “operational security” concerns.

There were also spreading reports of people hacking the firmware of DJI drones—some have even posted hacks to GitHub by Finisterre.

But according to Finisterre, the program was clearly rushed out.

The company did not, and has yet to, define the scope of the bounty program publicly.
So when Finisterre discovered that DJI’s SSL certificates and firmware AES encryption keys had been exposed through searches on GitHub—in some cases for as long as four years—he contacted the company to see if its servers were within the scope of the bug bounty program. He was told they were—a statement that would later be walked back from by DJI officials.
Read 12 remaining paragraphs

Leave a Reply