posted by martyb on Tuesday November 21 2017, @09:53AM
from the not-the-bugs-getting-squashed dept.

A bug bounty hunter shared evidence; DJI called him a hacker and threatened him with the CFAA.

https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

-- submitted from IRC
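As an added example for the story above (not DJI's code and not from the Ars article), a small Python scanner for the two classes of secret the story describes: PEM private keys and AWS credentials. The regexes, the entropy threshold, the helper names and the sample config are assumptions of this example; the AKIA/wJal values are the AWS documentation placeholders, not live keys. The git-history helper is there because deleting the file in a later commit does not remove it from `git log -p`, and a public fork keeps it regardless.

```python
"""Scan text for leaked private keys and AWS credentials.

Added illustration for this story; not DJI's tooling and not from the
Ars Technica article.  The sample input at the bottom is constructed.
"""
import math
import re
import subprocess
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str
    line_no: int
    excerpt: str


# PEM armor of the private-key types a TLS wildcard cert or SSH key uses.
PEM_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# AWS access key IDs: 4-char prefix (AKIA long-term IAM, ASIA STS temporary)
# followed by 16 base32 characters (A-Z, 2-7).
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
# Secret access keys are 40 base64-ish characters.  On their own they look
# like any hash, so require an assignment-style context here and, below,
# high entropy, which drops placeholders such as forty X's.
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character.  A random 40-char base64 string lands near 4.5-5,
    English prose around 4, a repeated placeholder at 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(text: str, min_secret_entropy: float = 4.3) -> list[Finding]:
    """Return findings with 1-based line numbers into `text`.  Secrets are
    never echoed in full; the excerpt keeps only a 4-char prefix."""
    findings = []
    for i, line in enumerate(text.splitlines(), start=1):
        if PEM_RE.search(line):
            findings.append(Finding("pem_private_key", i, line.strip()[:40]))
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", i, m.group(1)))
        m = AWS_SECRET_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= min_secret_entropy:
            findings.append(Finding("aws_secret_access_key", i, m.group(1)[:4] + "..."))
    return findings


def scan_git_history(repo: str) -> list[Finding]:
    """Scan every commit on every branch, not just the checked-out tree: a key
    removed in a later commit is still one `git log -p` away.  Line numbers
    here index the log stream, not the files."""
    log = subprocess.run(
        ["git", "-C", repo, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(log)


# Constructed sample; the AKIA/wJal values are the AWS documentation
# placeholders, not live credentials.  Line 4 is a placeholder that the
# entropy gate should suppress.
SAMPLE = """\
# constructed sample config
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws_secret_access_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...(constructed, truncated)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f.kind:22} line {f.line_no}: {f.excerpt}")
```

Run it as a pre-commit hook or in CI over the staged diff, or point `scan_git_history` at a clone before the repo goes public. The entropy gate suppresses obvious placeholders, but any random 40-character token will score high, so treat hits as stop-and-check rather than automatic fail; and a real key that has reached a public remote needs rotating, not just deleting, since forks and clones already have it.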



Related Stories

GitHub Rejects Drone-Maker DJI's DMCA Takedown After Encryption Keys Get Forked

Drone hackers/researchers can modify the firmware for DJI drones, thanks to rogue DJI developers and a fork of a public Github repo:

Github rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal.

This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the flight control software: this software prevents DJI drones from flying in certain areas such as the approach paths for airports, or near government buildings deemed to be sensitive.

Though the released key is not for the latest firmware version, The Register has seen evidence (detailed below) that drone hackers are already incorporating it in modified firmware available for anyone to download and flash to their drones.

[...] In fact the people who posted the keys to DJI's kingdom, as well as source code for various projects, were DJI devs. The company said in a later statement that they were sacked.

The code was forked by drone researcher Kevin Finisterre, who submitted a successful rebuttal to the takedown request on the grounds that Github's terms and conditions explicitly permit forking of public repos.

[...] Drone hackers have already begun distributing modded firmware for DJI's popular Phantom drones, as we can see on – where else? – Github

Previously: Man Gets Threats-Not Bug Bounty-After Finding DJI Customer Data in Public View

Related: DJI introduced new software to stop its drones from flying in restricted airspace.
Skip the Complex Tracking Software, DJI Says, and Give Drones an "Invisible" License Plate
$500 DJI Spark Drone can Take Off and Land from Your Palm
DJI Will Ground Drones If They Don't Apply a Software Update



Op-Ed: Charges Against Journalist Tim Burke Are a Hack Job

https://arstechnica.com/tech-policy/2024/03/charges-against-journalist-tim-burke-are-a-hack-job/

Caitlin Vogus is the deputy director of advocacy at Freedom of the Press Foundation and a First Amendment lawyer. Jennifer Stisa Granick is the surveillance and cybersecurity counsel with the ACLU's Speech, Privacy, and Technology Project. The opinions in this piece do not necessarily reflect the views of Ars Technica.

Imagine a journalist finds a folder on a park bench, opens it, and sees a telephone number inside. She dials the number. A famous rapper answers and spews a racist rant. If no one gave her permission to open the folder and the rapper's telephone number was unlisted, should the reporter go to jail for publishing what she heard?

If that sounds ridiculous, it's because it is. And yet, add in a computer and the Internet, and that's basically what a newly unsealed federal indictment accuses Florida journalist Tim Burke of doing when he found and disseminated outtakes of Tucker Carlson's Fox News interview with Ye, the artist formerly known as Kanye West, going on the first of many antisemitic diatribes.
[...]
According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into their browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.

The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters. Using the demo username and password, Burke logged into the website, and, Burke's lawyer claims, the list of URLs for video streams automatically downloaded to his computer.

And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.

  • (Score: 3, Funny) by c0lo on Tuesday November 21 2017, @12:48PM (3 children)

    by c0lo (156) Subscriber Badge on Tuesday November 21 2017, @12:48PM (#599616) Journal

    ...because profit is king.

    If you are a Chinese business, perhaps the above needs to be corrected to "profit is the emperor"

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0) by Anonymous Coward on Tuesday November 21 2017, @01:50PM (1 child)

      by Anonymous Coward on Tuesday November 21 2017, @01:50PM (#599637)

      You're out of date by about a century. It's "profit is the General Secretary" these days.

      • (Score: 2) by c0lo on Tuesday November 21 2017, @02:20PM

        by c0lo (156) Subscriber Badge on Tuesday November 21 2017, @02:20PM (#599644) Journal

        There's no "Profit is Mr. President" saying in America, is it now.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by AnonTechie on Tuesday November 21 2017, @08:10PM

      by AnonTechie (2275) on Tuesday November 21 2017, @08:10PM (#599841) Journal

      The road to hell is paved with good intentions ... true in this case and in so many others.

      --
      Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
  • (Score: 3, Insightful) by MichaelDavidCrawford on Tuesday November 21 2017, @03:19PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Tuesday November 21 2017, @03:19PM (#599678) Homepage Journal

    For finding a security hole called Threats-Not

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 5, Touché) by Anonymous Coward on Tuesday November 21 2017, @03:20PM (3 children)

    by Anonymous Coward on Tuesday November 21 2017, @03:20PM (#599680)

    This is what they call "Responsible Disclosure." You disclose a vulnerability and the company tries to hold you responsible.

    • (Score: -1, Offtopic) by Anonymous Coward on Tuesday November 21 2017, @03:29PM (2 children)

      by Anonymous Coward on Tuesday November 21 2017, @03:29PM (#599688)

      Exactly. The only scenario I would possibly, ever even consider disclosing a vuln like this to a vendor is if I had cisfemale privilege, which I will never have, so meh.

      Cisfemale privilege is the only durable way to not immediately be seen as a “hacker” up to no good, complete with the presumption that the only reason one has such skills is because one is a failure at executing her assigned gender caste (without which, heteronormative feminist hegemony would like us to imagine life being meaningless) and are completely without financial or sexual value to womyn-born-womyn.

      (Yes, I forgot to log in. Meh. If one cannot separate my AC posts from AC posts such as a whopper last night [that nearly got a 10 page response from me before I realized that I was trying to even when even-ing, in $current_year, is a futile pursuit], then I am not doing a good enough job of presenting my viewpoint and arguments. I will strive to do better.)

      • (Score: 2) by DannyB on Tuesday November 21 2017, @03:36PM (1 child)

        by DannyB (5839) Subscriber Badge on Tuesday November 21 2017, @03:36PM (#599694) Journal

        > is if I had cisfemale privilege

        Learn chmod.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
        • (Score: 2) by AssCork on Tuesday November 21 2017, @06:48PM

          by AssCork (6255) on Tuesday November 21 2017, @06:48PM (#599783) Journal

          Learn chmod.

          root# chmod 0666 /dev/gender
          root# ls -l /dev/gender
          -rw-rw-rw- 1 root root 0 Nov 21 18:46 /dev/gender
          root#

          Hm, so anybody can just come in and write to the device? Sounds legit.

          --
          Just popped-out of a tight spot. Came out mostly clean, too.
  • (Score: 4, Interesting) by DannyB on Tuesday November 21 2017, @03:35PM

    by DannyB (5839) Subscriber Badge on Tuesday November 21 2017, @03:35PM (#599691) Journal

    There are some companies that offer genuine bug bounties. Organizations that are genuinely interested in security and grateful to be informed of bugs they can fix.

    Then there are the irresponsible companies that will try to punish anyone trying to help them.

    It is in the interests of the first group to find some kind of systematic ways to punish the second group. Maybe by submitting amicus curiae during litigation. Maybe by getting laws passed that protect responsible disclosure done in a specified responsible way. Maybe by working toward reform of CFAA and the like.

    It just feels like somehow that second group needs to incur some kind of financial cost so great that, putting their head on a pike, it stands as a warning to the next ten generations.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 0) by Anonymous Coward on Tuesday November 21 2017, @11:11PM

    by Anonymous Coward on Tuesday November 21 2017, @11:11PM (#599945)

    DJI: so confident that they can just piss off security researchers!

    Looking for competing vendors now ...
