Slashdot Mirror
DJI Threatens Researcher Who Reported Exposed Cert Key, Credentials, and Customer Data (arstechnica.com)
An anonymous reader quotes Ars Technica:
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback -- including a threat of charges under the Computer Fraud and Abuse Act. DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
The company says they're now investigating "unauthorized access of one of DJI's servers containing personal information," adding that "the hacker in question" refused to agree to their terms and shared "confidential communications with DJI employees."
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback -- including a threat of charges under the Computer Fraud and Abuse Act. DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
The company says they're now investigating "unauthorized access of one of DJI's servers containing personal information," adding that "the hacker in question" refused to agree to their terms and shared "confidential communications with DJI employees."
I'm pretty sure someone from another country will pay, don't worry.
Dear companies, in general: Somehow you'll pay for us finding your blunders. Either you pay us, or you pay the damage the one does we sell it to.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Ego. And stupidity. And some members of the company not on the same page with other members about how to handle their bug bounty program.
Of course, it could also be that Finisterre's methods exceed the parameters established in the program. He could be the type that thinks the ends justify the means, and that the rules don't apply to him. "Since I found something important you should be grateful and offer me indemnity, even though I broke the law and violated the TOS of your bug bounty program."
I don't know enough facts to judge at this point.
I control my DJI drone with my burner phone, not my primary device. There is nothing on it for them to steal.