
DJI resorts to threatening security researcher after the researcher uncovered glaring security issues involving customer data

AlTech

A security researcher wanted to try and find bugs for DJI after DJI launched a bug bounty program this year.

Said security researcher found security errors after trying to probe DJI's system.

He then followed this up and found glaring security issues involving customer data.

The researcher attempted to inform DJI of the issues and DJI gave the researcher a choice: $30,000 and the report he was working on would never be published OR $0 and he could be sued under the Computer Fraud and Abuse Act.

He chose the latter and walked away from $30,000 USD after being threatened for finding glaring security issues.

The researcher has published their report online.

 

Quote

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

So yeah, DJI PR really screwed up. There's not a ton of ways a company could possibly recover from something like this.

Oh and DJI had the balls to call him a Hacker in their corporate communications.

Source: https://arstechnica.co.uk/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/


Talk about screwing up... they could have done this so nicely, giving him the money, fixing the flaws and not having it exposed until they could have fixed it, but nope...


China man, it's literally a different world over there.


They managed to leave their private keys in open source code??

It is worryingly impressive for a tech company to manage to publish their keys, which are meant to be stored on a separate device.

DJI probably wanted the researcher to keep quiet not only because of the bad PR but also to give them time to blacklist the certificates and issue new ones, because as soon as the researcher published their findings everyone would be able to find the keys even if DJI pushed a commit over them.

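As an added example (not code from this thread, from DJI, or from the researcher), here is the point made in the post above and in the Ars quote at the top of the thread: a key committed to a repository stays in the history after a later commit overwrites or deletes it, so a check of only the current tree finds nothing while the leak is still there, and the real fix is to revoke and reissue the credentials. The repository history, file paths and credential values below are constructed for the demonstration; the AWS values are the placeholder credentials from AWS's own documentation.

```python
import re
from typing import Dict, List, Tuple

# Detectors for the two kinds of secret in the DJI case: PEM private keys
# (the wildcard TLS key) and AWS credentials (the cloud storage accounts).
# AKIA + 16 uppercase alphanumerics is AWS's documented access-key-ID shape;
# the 40-character secret is only matched next to its usual config label.
PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"),
}

Tree = Dict[str, str]       # path -> file content in one commit
Hit = Tuple[str, str, str]  # (commit, path, pattern name)

# Constructed, hypothetical repository history (not DJI's real code):
# commit c1 adds credentials, commit c2 "removes" them from the working tree.
# The AWS values are the placeholder credentials from AWS's documentation.
HISTORY: List[Tuple[str, Tree]] = [
    ("c1", {
        "config/aws.cfg": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                          "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "certs/wildcard.key": "-----BEGIN RSA PRIVATE KEY-----\n"
                              "MIIEexampleplaceholderbodynotarealkey\n"
                              "-----END RSA PRIVATE KEY-----\n",
    }),
    ("c2", {"config/aws.cfg": "aws_access_key_id = ${AWS_ACCESS_KEY_ID}\n"}),
]

def scan_text(text: str) -> List[str]:
    """Names of the secret patterns that occur in one file body."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def scan_tree(commit: str, tree: Tree) -> List[Hit]:
    """Scan a single snapshot (one commit's files)."""
    return [(commit, path, name) for path, body in tree.items()
            for name in scan_text(body)]

def scan_head(history: List[Tuple[str, Tree]]) -> List[Hit]:
    """What a check of only the latest commit sees: nothing after a 'fix' commit."""
    return scan_tree(*history[-1])

def scan_history(history: List[Tuple[str, Tree]]) -> List[Hit]:
    """Scan every commit: the blob added in c1 is still in the repository after
    c2 overwrites it, so the leak is only closed by rotating the credentials."""
    return [hit for commit, tree in history for hit in scan_tree(commit, tree)]
```

Running scan_head on the sample history reports nothing, while scan_history still reports all three secrets from the first commit.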

Don't you just love it when companies are so unable to accept the fact that their systems are vulnerable that they decide to sue the ones telling them about it?

This sort of behavior will only encourage security researchers to sell information on vulnerabilities to the highest bidder instead.


On 11/19/2017 at 5:35 AM, ScratchCat said:

They managed to leave their private keys in open source code??

It is worryingly impressive for a tech company to manage to publish their keys, which are meant to be stored on a separate device.

DJI probably wanted the researcher to keep quiet not only because of the bad PR but also to give them time to blacklist the certificates and issue new ones, because as soon as the researcher published their findings everyone would be able to find the keys even if DJI pushed a commit over them.

Except the typical way to handle this is for the paper to just not be published for a certain length of time, so the company has time to fix the issue, usually a month or two.

You don't tell a researcher to publish it "never!"


On 11/20/2017 at 10:48 AM, Sniperfox47 said:

Except the typical way to handle this is for the paper to just not be published for a certain length of time, so the company has time to fix the issue, usually a month or two.

 

You don't tell a researcher to publish it "never!"

Indeed - usually there's either a pre-arranged time for a bug bounty program (e.g. 3 months).

Or you simply negotiate a timing when presenting the details:

"Hey DJI, I found this major vulnerability!"

-Hacker guy

"Thanks my Dude, we need 45 days to fix it, then you can publish the full report. In the mean time, here's your $30,000 reward - we cool?"

-DJI

"We cool, man"

-Hacker guy

---

That is how it SHOULD have happened.
