Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Tuesday November 21 2017, @09:53AM   Printer-friendly
from the not-the-bugs-getting-squashed dept.

A bug bounty hunter shared evidence; DJI called him a hacker and threatened with CFAA.

https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

-- submitted from IRC


Original Submission

Related Stories

GitHub Rejects Drone-Maker DJI's DMCA Takedown After Encryption Keys Get Forked 19 comments

Drone hackers/researchers can modify the firmware for DJI drones, thanks to rogue DJI developers and a fork of a public Github repo:

Github rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal.

This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the flight control software: this software prevents DJI drones from flying in certain areas such as the approach paths for airports, or near government buildings deemed to be sensitive.

Though the released key is not for the latest firmware version, The Register has seen evidence (detailed below) that drone hackers are already incorporating it in modified firmware available for anyone to download and flash to their drones.

[...] In fact the people who posted the keys to DJI's kingdom, as well as source code for various projects, were DJI devs. The company said in a later statement that they were sacked.

The code was forked by drone researcher Kevin Finisterre, who submitted a successful rebuttal to the takedown request on the grounds that Github's terms and conditions explicitly permit forking of public repos.

[...] Drone hackers have already begun distributing modded firmware for DJI's popular Phantom drones, as we can see on – where else? – Github

Previously: Man Gets Threats-Not Bug Bounty-After Finding DJI Customer Data in Public View

Related: DJI introduced new software to stop its drones from flying in restricted airspace.
Skip the Complex Tracking Software, DJI Says, and Give Drones an "Invisible" License Plate
$500 DJI Spark Drone can Take Off and Land from Your Palm
DJI Will Ground Drones If They Don't Apply a Software Update


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 3, Funny) by c0lo on Tuesday November 21 2017, @12:48PM (3 children)

    by c0lo (156) on Tuesday November 21 2017, @12:48PM (#599616)

    ...because profit is king.

    If you are a chinese business, perhaps the above needs to be corrected to "profit is the emperor"

    • (Score: 0) by Anonymous Coward on Tuesday November 21 2017, @01:50PM (1 child)

      by Anonymous Coward on Tuesday November 21 2017, @01:50PM (#599637)

      You're out of date by about a century. It's "profit is the General Secretary" these days.

      • (Score: 2) by c0lo on Tuesday November 21 2017, @02:20PM

        by c0lo (156) on Tuesday November 21 2017, @02:20PM (#599644)

        There's no "Profit is Mr. President" saying in America, is it now.

    • (Score: 2) by AnonTechie on Tuesday November 21 2017, @08:10PM

      by AnonTechie (2275) on Tuesday November 21 2017, @08:10PM (#599841) Journal

      The road to hell is paved with good intentions ... true in this case and in so many others.

      --
      Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
  • (Score: 3, Insightful) by MichaelDavidCrawford on Tuesday November 21 2017, @03:19PM

    by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Tuesday November 21 2017, @03:19PM (#599678) Homepage Journal

    For finding a security hole called Threats-Not

    --
    My United States Social Security Number Is 518-92-8663
  • (Score: 5, Touché) by Anonymous Coward on Tuesday November 21 2017, @03:20PM (3 children)

    by Anonymous Coward on Tuesday November 21 2017, @03:20PM (#599680)

    This is what they call "Responsible Disclosure." You disclose a vulnerability and the company tries to hold you responsible.

    • (Score: -1, Offtopic) by Anonymous Coward on Tuesday November 21 2017, @03:29PM (2 children)

      by Anonymous Coward on Tuesday November 21 2017, @03:29PM (#599688)

      Exactly. The only scenario I would possibly, ever even consider disclosing a vuln like this to a vendor is if I had cisfemale privilege, which I will never have, so meh.

      Cisfemale privilege is the only durable way to not immediately be seen as a “hacker” up to no good, complete with the presumption that the only reason one has such skills is because one is a failure at executing her assigned gender caste (without which, heteronormative feminist hegemony would like us to imagine life being meaningless) and are completely without financial or sexual value to womyn-born-womyn.

      (Yes, I forgot to log in. Meh. If one cannot separate my AC posts from AC posts such as a whopper last night [that nearly got a 10 page response from me before I realized that I was trying to even when even-ing, in $current_year, is a futile pursuit], then I am not doing a good enough job of presenting my viewpoint and arguments. I will strive to do better.)

      • (Score: 2) by DannyB on Tuesday November 21 2017, @03:36PM (1 child)

        by DannyB (5839) Subscriber Badge on Tuesday November 21 2017, @03:36PM (#599694)

        > is if I had cisfemale privilege

        Learn chmod.

        • (Score: 2) by AssCork on Tuesday November 21 2017, @06:48PM

          by AssCork (6255) Subscriber Badge on Tuesday November 21 2017, @06:48PM (#599783) Journal

          Learn chmod.

          root# chmod 0666 /dev/gender
          root# ls -l /dev/gender
          -rw-rw-rw- 1 root root 0 Nov 21 18:46 /dev/gender
          root#

          Hm, so anybody can just come in and write to the device? Sounds legit.

          --
          Just popped-out of a tight spot. Came out mostly clean, too.
  • (Score: 4, Interesting) by DannyB on Tuesday November 21 2017, @03:35PM

    by DannyB (5839) Subscriber Badge on Tuesday November 21 2017, @03:35PM (#599691)

    There are some companies that offer genuine bug bounties. Organizations that are genuinely interested in security and grateful to be informed of bugs they can fix.

    Then there are the irresponsible companies that will try to punish anyone trying to help them.

    It is in the interests of the first group to find some kind of systematic ways to punish the second group. Maybe by submitting amicus curiae during litigation. Maybe by getting laws passed that protect responsible disclosure done in a specified responsible way. Maybe by working toward reform of CFAA and the like.

    It just feels like somehow that second group need to incur some kind of financial cost so great that putting their head on a pike, it stands as a warning to the next ten generations.

  • (Score: 0) by Anonymous Coward on Tuesday November 21 2017, @11:11PM

    by Anonymous Coward on Tuesday November 21 2017, @11:11PM (#599945)

    DJI: so confident that they can just piss off security researchers!

    Looking for competing vendors now ...

(1)