posted by martyb on Friday January 26 2018, @11:45AM
from the post-secret-keys-and-you-get-forked dept.

Drone hackers/researchers can modify the firmware for DJI drones, thanks to rogue DJI developers and a fork of a public GitHub repo:

GitHub rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal.

This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the flight control software: this software prevents DJI drones from flying in certain areas such as the approach paths for airports, or near government buildings deemed to be sensitive.

Though the released key is not for the latest firmware version, The Register has seen evidence (detailed below) that drone hackers are already incorporating it in modified firmware available for anyone to download and flash to their drones.

[...] In fact the people who posted the keys to DJI's kingdom, as well as source code for various projects, were DJI devs. The company said in a later statement that they were sacked.

The code was forked by drone researcher Kevin Finisterre, who submitted a successful rebuttal to the takedown request on the grounds that GitHub's terms and conditions explicitly permit forking of public repos.

[...] Drone hackers have already begun distributing modded firmware for DJI's popular Phantom drones, as we can see on – where else? – GitHub

Previously: Man Gets Threats-Not Bug Bounty-After Finding DJI Customer Data in Public View

Related: DJI introduced new software to stop its drones from flying in restricted airspace.
Skip the Complex Tracking Software, DJI Says, and Give Drones an "Invisible" License Plate
$500 DJI Spark Drone can Take Off and Land from Your Palm
DJI Will Ground Drones If They Don't Apply a Software Update


  • (Score: 5, Insightful) by rigrig on Friday January 26 2018, @12:48PM (1 child)

    Places not to store secrets:

    1. In a repository
    2. In the cloud
    3. In the old green safe in the Pseudopolis Yard Watch House

    DJI:

    Where shall I store these secret encryption keys?

    Oh, just put them in our cloud-hosted repository

    --
    No one remembers the singer.
  • (Score: 3, Funny) by The Mighty Buzzard on Friday January 26 2018, @01:06PM

    Yeah, this would be why we put default or empty values in the db updates on GitHub instead of the ones we're actually going to use. And also why we only put things in the safe that we want Nobby to find.

    --
    My rights don't end where your fear begins.