DJI threatens court with a cybersecurity expert, who discovered the access keys to the company's accounts on GitHub

About the quadrocopters of the DJI company on Geektimes wrote many times. Most of them are really good devices. They have a number of problems that may cause inconvenience to users, but everything can be solved. Not so long ago, it became known that software developers DJI left in the public domain private keys for the "wildcard" certificate of all web domains of the company, as well as to DJI accounts for Amazon Web Services. Using this information, cybersecurity researcher Kevin Finisterre was able to access the company's flight data for quadcopter DJI customers. This includes tracking, photos of driver's licenses, passports and other documents of these people. In some cases, even the flight tracking data of the copters from accounts, which are clearly owned by government agencies, became “lit”.



The company has a program to attract third-party experts to eliminate vulnerabilities in the DJI software. This is a bug bounty , announced in August. The researcher mentioned above just looked for vulnerabilities, hoping to get a reward. But so far all he has received is the threat from the DJI to launch an investigation into his actions under the CFAA (Computer Fraud and Abuse Act). After that, the specialist decided to act independently, without notifying the DJI of his plans. He published information about the findings, accompanied by an explanation of the material about the reason for abandoning the conditions of the DJI bounty program.



The Chinese launched their program to reward information security experts after the US military abandoned the company's devices. As far as can be understood, the leadership of the country's air force made such a decision, fearing that the Chinese government would receive all the information collected by DJI drones.



A little later, cases of hacking into the company's drone firmware began to spread. Modified versions of the firmware were placed on Github and in other places. There were also companies that did it for money, replacing proprietary software with their own, devoid of a number of flaws and vulnerabilities that prevented users.



Kevin Finnister decided to join the DJI's bug-bounty program. When he started, he almost accidentally discovered that the company's developers had left on Github an archive with private keys for HTTPS certificates * .dji.com, AES-firmware encryption keys, as well as passwords for accessing cloud environments in AWS and Amazon cloud service instances S3. Moreover, this information has been in the public domain for a long time - for several years. Finnister conducted an additional search and found on the same GutHub private keys from AWS for the SkyPixel photo sharing service. Accounts were valid at the time of verification. The service revealed a lot of materials that were sent by DJI drone users to the company's support service. These include photos of damaged quadcopters, bills and other personal information of users, and even pictures of people with damage caused by propellers of copter screws.



Finnister sent a request to the company's support service with a request to indicate whether everything he found falls under the provisions of the bounty program and waited for an answer. There was no reaction from the Chinese company for two weeks, after which a message was received of the following nature: “The bug bounty program has all the problems in the software, applications and network elements, including software leaks or security vulnerabilities. We are working on a detailed guide. ”



After receiving such a confirmation, Finistère began to compile a report describing all the vulnerabilities and problems found by him. Documenting a large number of details is not easy, but everything was done in the shortest possible time. After this, Finistère contacted a DJI employee, providing him with a detailed explanation of almost all the problems found. He responded promptly and began a business correspondence. The communication was quite long, the correspondence to its completion consisted of 130 e-mail messages. Nothing foreshadowed problems.



This was followed by a proposal for Finister to become a full-time cybersecurity consultant.



But after Finistère received another letter, which indicated that server vulnerabilities are not subject to the conditions of the bounty program. Nevertheless, he was told that he would receive a reward, its size was $ 30,000. And that's all - the flow of messages from the company almost dried up, Finisterte received nothing during the month.



In the end, the specialist received another proposal, or rather, it was an agreement on non-disclosure of the problems found by him. Finistère did not agree to the terms of the agreement, stating that it violates his right to free speech.



He tried to contact other DJI units to clarify the situation, but to no avail. But he was contacted by the legal division of the company from Shenzhen. Lawyers stated the need to remove all data describing the problems found. Otherwise, lawyers said, a lawsuit could be filed against Finisterra with charges of hacking into the company's servers and stealing information of commercial value. The same unit sent him a contract containing clauses with the requirements listed above.



Finistère decided to consult with professional lawyers in his country regarding contract clauses. According to him, four experts, whom he addressed separately, said that the document does not contain any guarantees for him personally, but he gives full support to the positions of the originators, that is, the DJI company.



Nothing has changed much in the latest version of the contract Finistre received. “The four lawyers to whom I addressed said that the contract was extremely risky, it was drafted to silence the person who signed it.” Consultations cost several thousand dollars. That is, the cybersecurity expert not only did not receive any money from DJI, but also lost his own funds (albeit on his own will).







Finistere expressed dissatisfaction with the Chinese company in connection with threats to initiate prosecution, and they preferred to stop all communication altogether, refusing to pay the $ 30,000 promised earlier.



After that, DJI published an official report, which referred to the company’s investigation into information security issues. DJI reported that it attracted a private cyber security company that conducted a thorough investigation into the incident. Mention is also made in the message of Finistère, whom DJI calls the “hacker”, who posted information about the correspondence with the company’s employees and the data on the vulnerabilities found by him in the public domain.



The Chinese company claims that it has already paid thousands of dollars to a dozen information security researchers. But Finistère, according to representatives of DJI, refused to cooperate, preferring to publish the information he discovered in the public domain.



The description of the bounty program states that the study of materials or services of third-party companies, including those that still have links with DJI applications, does not fall under its provisions. That is, in other words, materials found on GitHub are not counted. So far, however, it is not entirely clear whether these provisions existed before Finister started work or were added later, after he applied to the company.



DJI quadcopters with “factory” software collect a large amount of information about the movements of the device. The fact is that DJI installed a special software in its drones, which determines the location of the device, referring to the coordinates of the no fly zone ( No Fly Zone ). The developers believe that the function No Fly Zone (NFZ) allows you to save your customers from trouble. This data is sent to the company's servers , which is not pleasant not only to the US military, but also to ordinary users.



One solution is to use third-party firmware. In the summer of this year, Geektimes reported that one of the Russian companies, Coptersafe, launched its own firmware and jailbreaks. “It’s very good that DJI is concerned about security,” a Coptersafe representative said at the time . "But I believe that these restrictions should be set at the local level."