Drone Maker DJI, Researcher Quarrel Over Bug Bounty Program

China-based Da-Jiang Innovations (DJI), one of the world’s largest drone makers, has accused a researcher of accessing sensitive information without authorization after the expert bashed the company’s bug bounty program.

DJI announced the launch of a bug bounty program in late August and offered between $100 and $30,000 for vulnerabilities that allow the creation of backdoors, and ones that expose sensitive customer information, source code or encryption keys.

Bug bounty hunters started analyzing the company’s systems for vulnerabilities, but didn’t know where to look, as DJI had failed to clarify exactly which of its assets were in scope.

Kevin Finisterre, a security researcher who specializes in drones, discovered that DJI had inadvertently made public SSL and firmware AES keys in source code published on GitHub. He also found keys for AWS buckets storing flight logs and customer identity documents, including passports, driver’s licenses, and state identification.

Finisterre said others had found unprotected AWS buckets storing, among other things, personal data and images of damaged drones submitted by customers.

“There were serious ramifications to the things that were found on the DJI AWS servers,” the researcher said. “One of the first things I did to judge the impact of the exposure was grep for ‘.mil’ and ‘.gov’, ‘gov.au’. Immediately flight logs for a number of potentially sensitive locations came out. It should be noted that newer logs, and PII seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes. Unfortunately the rest of the server side security renders this point moot.”

After reporting his findings to DJI via its bug bounty program, Finisterre was informed that he qualified for the maximum reward, $30,000. However, the company told him that in order to receive the bug bounty, he would have to sign an agreement.

“I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection,” Finisterre said. “For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.”

While the researcher was trying to negotiate the non-disclosure agreement (NDA) via a DJI representative in the United States, the drone manufacturer’s legal department in China sent him a notice that he may be facing charges under the controversial Computer Fraud and Abuse Act (CFAA).

After consulting with lawyers who told him that DJI’s agreement was “extremely risky” and “likely crafted in bad faith to silence anyone that signed it,” the researcher decided to walk away from the bug bounty. He also decided to make his findings public, including some of the communications with DJI representatives during this process.

In response, DJI published a statement saying that it’s investigating Finisterre’s unauthorized access to its servers, and accused the researcher of publishing confidential communications with DJI employees.

“DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities,” the company said in a statement. “DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

The infosec community is split on this issue – some have taken Finisterre’s side, pointing to DJI’s failure to specify exactly what its bug bounty covered and what researchers were allowed to do. Others, however, have sided with DJI, noting that the bounty hunter shouldn’t have accessed the data and that the agreement was reasonable.

Following Finisterre’s disclosure, DJI provided more information on its bug bounty program, including scope and requirements for disclosing flaws.

“DJI understands the importance of public disclosure of unknown or novel security flaws to build a common base of knowledge within the security community and to build a safer internet,” the company said. “DJI is committed to disclosing such information to the fullest extent possible. However, DJI in its sole discretion will decide when and how, and to what extent of details, to disclose to the public the bugs/vulnerabilities reported by you.”

DJI says it has paid out “thousands of dollars” to nearly a dozen researchers since the launch of its bug bounty program.

Related: Design Flaws Expose Drones to Hacker Attacks

Related: Chinese Cyberspies Target European Drone Maker, Energy Firm

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
