A security researcher by the name of Kevin Finisterre posted details of his findings of the serious security gaps and carelessness on the part of DJI, which is the popular Chinese company responsible for manufacturing quality drones.
Finisterre started his work to check the DJI software and code as part of the recently launched bug bounty program after confirming the scope of research. The program was announced back in August to allow security researchers and developers to find issues with the software for security of the customers and the user data.
For the uninitiated, the practice of Bug Bounty programs is not new as other companies in the software space have introduced their own programs allowing developers and security researchers to probe through their software, code and services and report back about any possible issues. This allows the software companies and the service providers to continuously patch and ensure that their system is not open to any kind of hacking attacks. Everyone from Google to Facebook to Microsoft has them.
Those who point out the bugs are eligible for a cash reward depending on the severity of the bug. Some companies provide free hardware or goodies. This bounty acts as an incentive for the researchers to work more comprehensively.
Coming back to the DJI issue, as soon as Finisterre started working on documenting the security flaws as part of the bug bounty programme, he started receiving some pushback. The interesting thing was that he was able to access flight log data and images that other DJI customers had uploaded. These images included passports, drivers licenses, and other government IDs. He pointed out that he got some of the data from DJI accounts that were associated with the military and the government.
He could access this because the developers at DJI had accidentally left the private keys, both for ’wildcard’ certificate for all the DJI web domains and the keys to access the cloud storage accounts on Amazon Web Services. The amusing part here is the fact that developers posted all these details on the DJI GitHub and this did not involve any complex ‘hacking’.
According to a detailed report by ArsTechnica, the most important part of the entire thing happened when DJI hit Finisterre with threats of serious charges like Computer Fraud and Abuse Act. The company refused to cover or provide any protection to him regarding the same. All these missteps from DJI prompted him to drop out of the programme and publish his findings on his own.
While trying to communicate with DJI about all these issues, he also found that DJI drones were sending personally identifiable data. He sent a ‘heads-up’ to the company to ensure that they had sufficient time to patch that issue. The communications stretched over 130 e-mails as the bug bounty website issued him with a notification that he had won the top reward on the website.
After the notification, he did not hear back from the company. A month later, DJI sent an email with a notice saying that it did not offer any protection to researchers.
According to a statement from 16 November, the statement addresses Finisterre as a ‘hacker’. The company also issued a separate statement when talking to ArsTechnica saying that DJI has paid out almost thousands of dollars to dozen researchers.