DJI threatens court with a cybersecurity expert, who discovered the access keys to the company's accounts on GitHub
About the quadrocopters of the DJI company on Geektimes wrote many times. Most of them are really good devices. They have a number of problems that may cause inconvenience to users, but everything can be solved. Not so long ago it became knownthat DJI software developers left open access private keys for the “wildcard” certificate of all web domains of the company, as well as to DJI accounts for Amazon Web Services. Using this information, cybersecurity researcher Kevin Finisterre was able to get access to the flight data of the company's quadcopter DJI clients. This includes tracking, photos of driver's licenses, passports and other documents of these people. In some cases, even the flight tracking data of the copters from accounts, which are clearly owned by government agencies, became “lit”.
The company has a program to attract third-party experts to eliminate vulnerabilities in the DJI software. It's about bug bountyannounced in August. The researcher mentioned above just looked for vulnerabilities, hoping to get a reward. But so far all he has received is the threat from the DJI to launch an investigation into his actions under the CFAA (Computer Fraud and Abuse Act). After that, the specialist decided to act independently, without notifying the DJI of his plans. He published information about the findings, accompanied by an explanation of the material about the reason for abandoning the conditions of the DJI bounty program.
The Chinese have launched their program to reward information security experts after the US military refused to work with the company's devices. As far as one can understand, the leadership of the country's air force made such a decision, fearing that the Chinese government would receive all the information collected by DJI drones.
A little later, cases of hacking into the company's drone firmware began to spread. Modified versions of the firmware were placed on Github and in other places. There were also companies that did it for money, replacing proprietary software with their own, devoid of a number of flaws and vulnerabilities that prevented users.
Kevin Finnister decided to join the DJI's bug-bounty program. When he started, he almost accidentally discovered that the company's developers had left on Github an archive with private keys for HTTPS certificates * .dji.com, AES-firmware encryption keys, as well as passwords for accessing cloud environments in AWS and Amazon cloud service instances S3. Moreover, this information has been in the public domain for a long time - for several years. Finnister conducted an additional search and found on the same GutHub private keys from AWS for the SkyPixel photo sharing service. Accounts were valid at the time of verification. The service revealed a lot of materials that were sent by DJI drone users to the company's support service. These include photographs of damaged quadcopters, bills and other personal information of users,
Finnister sent a request to the company's support service with a request to indicate whether everything he found falls under the provisions of the bounty program and waited for an answer. There were no reactions from the Chinese company for two weeks, after which a message was received of the following nature: “The bug bounty program has all the problems in the software, applications and network elements, including software leaks or security vulnerabilities. We are working on a detailed guide. ”
After receiving such a confirmation, Finistère began to compile a report describing all the vulnerabilities and problems found by him. Documenting a large number of details is not easy, but everything was done in the shortest possible time. After this, Finistère contacted a DJI employee, providing him with a detailed explanation of almost all the problems found. He responded promptly and began a business correspondence. The communication was quite long, the correspondence to its completion consisted of 130 e-mails. Nothing foreshadowed problems.
Then came the offer of Finistère to become a full-time cybersecurity consultant.
But after Finistère received another letter, which indicated that server vulnerabilities are not subject to the conditions of the bounty program. Nevertheless, he was told that he would receive a reward, her size was $ 30,000. And that's all - the flow of messages from the company almost dried up, Finisterte received nothing during the month.
In the end, the specialist received another proposal, or rather, it was an agreement on non-disclosure of the problems found by him. Finistère disagreed with the terms of the agreement, stating that it violates his right to free speech.
He tried to contact other DJI units to clarify the situation, but to no avail. But he was contacted by the legal division of the company from Shenzhen. Lawyers stated the need to remove all data describing the problems found. Otherwise, lawyers said, a lawsuit could be filed against Finisterra with charges of hacking into the company's servers and stealing information of commercial value. The same unit sent him a contract containing clauses with the requirements listed above.
Finistère decided to consult with professional lawyers in his country regarding contract clauses. According to him, four specialists, whom he addressed separately, said that the document does not contain any guarantees for him personally, but he gives full support to the positions of the originators, that is, the DJI company.
Nothing has changed much in the latest version of the contract Finistre received. “Four lawyers to whom I addressed said that the contract was extremely risky, it was drafted to silence the person who signed it.” Consultations cost several thousand dollars. That is, the cybersecurity expert not only did not receive any money from DJI, but also lost his own funds (albeit on his own will).
Finistere expressed dissatisfaction with the Chinese company in connection with the threats to launch a prosecution, and they preferred to stop all communication altogether, refusing to pay the $ 30,000 promised earlier.
After that, DJI published an official report, which referred to the company’s ongoing investigation into information security issues. DJI reported that it hired a private cyber security company that conducted a thorough investigation into the incident. Mention is also made in the message of Finistère, whom DJI calls the “hacker”, who posted information about the correspondence with company employees and the data on the vulnerabilities he found in the public domain.
The Chinese company claims that it has already paid thousands of dollars to a dozen information security researchers. But Finistère, according to representatives of DJI, refused to cooperate, preferring to publish the information he discovered in the public domain.
The description of the bounty program states that the study of materials or services of third-party companies, including those that still have a connection with DJI applications, does not fall under its provisions. That is, in other words, materials found on GitHub are not counted. So far, however, it is not entirely clear whether these provisions existed before Finister started work or were added later, after he applied to the company.
DJI quadcopters with “factory” software collect a large amount of information about device movements. The fact is that DJI installed a special software in its drones, which determines the location of the device, referring to the coordinates of the no fly zones . The developers believe that the function No Fly Zone (NFZ) allows you to save your customers from trouble. This data is sent to the company's servers , which is not pleasant not only to the US military, but also to ordinary users.
One solution is to use third-party firmware. This summer on Geektimes it was reportedthat one of the Russian companies, Coptersafe, began to release its own firmware and jailbreaks. “It’s very good that DJI is concerned about security,” a Coptersafe representative said at the time . "But I believe that these restrictions should be set at the local level."