DJI Threatens Researcher Who Reported Exposed Cert Key, Credentials, and Customer Data (arstechnica.com)
An anonymous reader quotes Ars Technica:
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback -- including a threat of charges under the Computer Fraud and Abuse Act. DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
The company says they're now investigating "unauthorized access of one of DJI's servers containing personal information," adding that "the hacker in question" refused to agree to their terms and shared "confidential communications with DJI employees."
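The root cause in the summary above is secrets (a wildcard TLS private key and AWS credentials) committed to a public repository. The following is an added example, not code from Ars Technica, DJI or the researcher: a small scanner that flags the two secret types the article names in text such as a staged diff, so a pre-commit hook or CI step can reject the commit before it leaves the developer's machine. The sample configuration it scans is constructed here and uses the publicly documented AWS example key values, not any real credential; the pattern names, the `Finding` type and the regular expressions are this example's own choices.

```python
import re
import sys
from dataclasses import dataclass

# Detection patterns for the secret types in the DJI report (assumed, not from
# the page): long-term AWS access key IDs start with "AKIA" (temporary ones
# with "ASIA") followed by 16 uppercase alphanumerics; AWS secret keys are 40
# base64-ish characters and usually sit next to a label containing "secret";
# every PEM-encoded private key begins with a "-----BEGIN ... PRIVATE KEY-----"
# header, whatever the key type.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_\- ]*secret[_\- ]*(?:access[_\- ]*)?key\W{0,5}"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "private_key_pem": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    ),
}


@dataclass
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line in the scanned text
    redacted: str   # enough of the token to locate it, never the whole secret


def redact(token: str) -> str:
    """Keep a short prefix so the finding is actionable without re-leaking it."""
    return token[:4] + "...(%d chars)" % len(token)


def scan(text: str) -> list:
    """Return one Finding per line/pattern match, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                # Use the captured secret when the pattern has a group,
                # otherwise the whole match (key ID, PEM header).
                token = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(kind, line_no, redact(token)))
    return findings


# Constructed sample: a config file of the kind that ends up committed by
# mistake. The AWS values are Amazon's documented placeholder credentials.
SAMPLE = """# constructed sample, modelled on a config file committed by mistake
region = us-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[tls]
cert = -----BEGIN CERTIFICATE-----
key = -----BEGIN RSA PRIVATE KEY-----
"""


def main() -> int:
    # With an argument, scan a file (e.g. the output of `git diff --cached`
    # saved to disk); otherwise scan the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    findings = scan(text)
    for f in findings:
        print("line %d: %s -> %s" % (f.line_no, f.kind, f.redacted))
    # Non-zero exit lets a pre-commit hook or CI job block the commit.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as `python scan_secrets.py staged.diff` from a pre-commit hook that writes `git diff --cached` to `staged.diff`; a non-zero exit blocks the commit. A scanner like this only catches known formats, so it complements, rather than replaces, keeping keys out of source trees in the first place (environment variables, a secrets manager) and rotating any credential that has ever been pushed, since a public commit is compromised the moment it is visible, even if it is later deleted.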
I'm pretty sure someone from another country will pay, don't worry.
Dear companies, in general: Somehow you'll pay for us finding your blunders. Either you pay us, or you pay the damage the one does we sell it to.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
After doing some investigation, I understand why the US Military decided not to allow DJI use any more.
DJI makes some really nice drones (I have a Phantom III Pro). No argument there.
However, their app is a security nightmare. Installing it leaves persistent services running on your phone forever, and those persistent services maintain open network connections to servers in China. With its extensive list of required permissions, you basically give it complete and total control of your phone.
And the worms ate into his brain.
They'd be boycotted starting now, for threatening someone trying to help them improve their product. If we know the whole story, that is. Sometimes when you just hear one side...
Why guess when you can know? Measure!
Why was DJI unwilling to offer the guy a deal that said "if you agree to destroy all our data (credentials, keys, customer data etc), not use it for any purpose and not talk publicly about it, we will agree not to take you to court over it". Then DJI could have replaced the credentials that got put into the GitHub code (certificate private keys, AWS credentials, whatever else) with things that aren't public, closed any other holes that resulted from what the guy found and moved on with the public at large not finding out what happened.
Stock value goes to zero :/
Requiem for the American Dream
The company has showed themselves to be the a-holes they are, release the keys and to hell with them.
Oh why did you have to utilize those keys, oh why? Just report the issue and be done with it. Nothing to charge, nothing to fear. Your white hat has a distinctively gray tint on it now, and it's not the smog in LA or the Beijing.
A significant fraction of available quadcopters use PX4 or its relatives, DroneCode and Ardupilot. You can buy one ready to fly, or you can do as many PX4 users do and select your own motors, frame, radio, and controller to make exactly the quad you want.
I was just considering a DJI Spark. Not anymore. Another business to add to my blacklist.
I bet you minor talks about this will happen, and in less than a month everyone will have forgotten about it.
Just like OnePlus, just like Lenovo, just like Blackberry.
You don't just get to dictate any terms to anyone you want to and then say it's all their fault if they don't just accept whatever you throw at them. Sounds like the behavior of your stereotypical spoiled brat child.
Attacking responsible disclosure is bad enough, but when you invite people to pen test with a bug bounty, you're already essentially surrendering your right to apply hacking laws to them. If you then are following up outright refusing to indemnify them and then starting up the legal threats, you're in severe need of a reality check. And a visit from the Streisand Effect too.
I work for the Department of Redundancy Department.
"the hacker in question" refused to agree to their terms
Are they fucking serious ??
Look, someone found a serious fuck up by DJI and tried to do the right thing and notify them about it. But, oh-no.. it has to be on DJI's terms.
How stupid are DJI here, they're being done a big favor here, they're not in a position to call the shots and piss on the guy trying to help them with their own fuck up.
What does that teach us? If anyone finds a serious problem with DJI again, they'll remember these ungrateful cunts and say "fuck it, I hope a black hat finds it too", and then grin like a Cheshire Cat when they do.
And you know what, DJI deserve it.
It is high time that the US government start a blacklist of foreign companies with terrible security practices and block them from importing into the US. Sure, we can't sue DJI, but we sure as hell can block any new shipments from DJI China until they get their shit together, and then require them to pay US cyber security bounties to a third party responsible for auditing and probing their software for 5 years after they get permission to start importing again. This is basic consumer protection. We don't let the Chinese import toys with lead paint, why would we let them import software with HUGE vulnerabilities...
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
Brendan, a pioneer in US drone law, decided to act like the CYA lawyer and throw a bunch of over-aggressive legalese BS at this guy. As much as he understands FAA regulations and the practical intersection of drone use and airspace regulation, he doesn't understand a damn thing about technology and security auditing.
As a DJI drone owner, I'll be doing what I can to A) protect myself from their data collection efforts, as they apparently end up as data disclosure liabilities, and B) replace my hardware with that of another vendor who understands the basics of data security.
As a point of hacking pride I hope that anyone who finds a DJI bug just publishes it without any heads up to DJI.
Ching chong; bing bong!
Finisterre exposed GPL violations of DJI to me and facilitated my getting DJI into compliance, including with my own copyrights. I did not charge DJI or anyone else or ask for DJI proprietary software. But maybe they're annoyed. So, could this be revenge?
Kevin Finisterre had previously reported and documented GPL violations to me, which I enforced and got DJI to comply by distributing source for several programs and libraries. I did not charge DJI any money or ask for any proprietary software. One wonders if they have gotten annoyed with Kevin, though.
Bruce Perens.
Your sock puppets are so brilliant and subtle. No one has any idea that it's you.
... goods wouldn't be produced for profit, but for satisfying the needs of consumers, in cooperation, not competition. In such a world, we wouldn't even have a story. In the world as it is, no matter how just or how effective in their justice the reactions ever will be, such stories will continue to be the normality they are and have always been since the invention of money.
That's all there is to say about DJI.
On one hand they can't just roll over. Yeah they could have had more tact in their response but those letters have no teeth and you can piss on them with no care. Most people are afraid of legal letters and back off due to the scare of litigation. Do you realize the small handful of people actually prosecuted under this abuse act? ATT had mighty fangs and in the end Mr Super Troll Nazi got an appeal. But we have to remember here that Kevin could have taken the money and called it a day. Only after agreeing to their shitty, conflicting terms, would they agree to pay even though he clearly asked what was fair game and how the bounty program worked. It's not like he just said fuck it, here you go, hello world. But you have fans on both sides who don't care otherwise.
My guess is that DJI was working with the Chinese government to infiltrate military installations. Great work, patriot, your country should pony up the money and hire you as a consultant.
This situation demonstrates two issues, using foreign equipment for military use, and relying upon closed source software (albeit on top of a Linux kernel).
It's possible to be right but still annoying.