
Drone Maker DJI, Researcher Quarrel Over Bug Bounty Program

China-based Da-Jiang Innovations (DJI), one of the world’s largest drone makers, has accused a researcher of accessing sensitive information without authorization after the expert bashed the company’s bug bounty program.

DJI announced the launch of a bug bounty program in late August and offered between $100 and $30,000 for vulnerabilities that allow the creation of backdoors, and ones that expose sensitive customer information, source code or encryption keys.

Bug bounty hunters began analyzing the company’s systems for vulnerabilities, but did not know where to look because DJI had failed to clarify which of its assets were in scope.

Kevin Finisterre, a security researcher who specializes in drones, discovered that DJI had inadvertently made public SSL and firmware AES keys in source code published on GitHub. He also found keys for AWS buckets storing flight logs and customer identity documents, including passports, driver’s licenses, and state identification.

Finisterre said others had found unprotected AWS buckets storing, among other things, personal data and images of damaged drones submitted by customers.

“There were serious ramifications to the things that were found on the DJI AWS servers,” the researcher said. “One of the first things I did to judge the impact of the exposure was grep for ‘.mil’ and ‘.gov’, ‘gov.au’. Immediately flight logs for a number of potentially sensitive locations came out. It should be noted that newer logs, and PII seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes. Unfortunately the rest of the server side security renders this point moot.”

After reporting his findings to DJI via its bug bounty program, Finisterre was informed that he qualified for the maximum reward, $30,000. However, the company told him that in order to receive the bug bounty, he would have to sign an agreement.

“I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection,” Finisterre said. “For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.”

While the researcher was trying to negotiate the non-disclosure agreement (NDA) via a DJI representative in the United States, the drone manufacturer’s legal department in China sent him a notice that he may be facing charges under the controversial Computer Fraud and Abuse Act (CFAA).

After consulting with lawyers who told him that DJI’s agreement was “extremely risky” and “likely crafted in bad faith to silence anyone that signed it,” the researcher decided to walk away from the bug bounty. He also decided to make his findings public, including some of the communications with DJI representatives during this process.

In response, DJI published a statement saying that it’s investigating Finisterre’s unauthorized access to its servers, and accused the researcher of publishing confidential communications with DJI employees.

“DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities,” the company said in a statement. “DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

The infosec community is split on this issue – some have taken Finisterre’s side pointing to DJI’s failure to specify exactly what its bug bounty covered and what researchers were allowed to do. Others, however, have sided with DJI, noting that the bounty hunter shouldn’t have accessed the data and that the agreement was reasonable.

Following Finisterre’s disclosure, DJI provided more information on its bug bounty program, including scope and requirements for disclosing flaws.

“DJI understands the importance of public disclosure of unknown or novel security flaws to build a common base of knowledge within the security community and to build a safer internet,” the company said. “DJI is committed to disclosing such information to the fullest extent possible. However, DJI in its sole discretion will decide when and how, and to what extent of details, to disclose to the public the bugs/vulnerabilities reported by you.”

DJI says it has paid out “thousands of dollars” to nearly a dozen researchers since the launch of its bug bounty program.

Related: Design Flaws Expose Drones to Hacker Attacks

Related: Chinese Cyberspies Target European Drone Maker, Energy Firm

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.