from the post-secret-keys-and-you-get-forked dept.
Drone hackers/researchers can modify the firmware for DJI drones, thanks to rogue DJI developers and a fork of a public Github repo:
Github rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal.
This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the flight control software: this software prevents DJI drones from flying in certain areas such as the approach paths for airports, or near government buildings deemed to be sensitive.
Though the released key is not for the latest firmware version, The Register has seen evidence (detailed below) that drone hackers are already incorporating it in modified firmware available for anyone to download and flash to their drones.
[...] In fact the people who posted the keys to DJI's kingdom, as well as source code for various projects, were DJI devs. The company said in a later statement that they were sacked.
The code was forked by drone researcher Kevin Finisterre, who submitted a successful rebuttal to the takedown request on the grounds that Github's terms and conditions explicitly permit forking of public repos.
[...] Drone hackers have already begun distributing modded firmware for DJI's popular Phantom drones, as we can see on – where else? – Github
Previously: Man Gets Threats-Not Bug Bounty-After Finding DJI Customer Data in Public View
Related: DJI introduced new software to stop its drones from flying in restricted airspace.
Skip the Complex Tracking Software, DJI Says, and Give Drones an "Invisible" License Plate
$500 DJI Spark Drone can Take Off and Land from Your Palm
DJI Will Ground Drones If They Don't Apply a Software Update
Related Stories
DJI Innovations, the leading manufacturer of drones, launched a beta version of its new "geofencing" system that should keep its drones from flying into restricted airspace. The new feature is called Geospatial Environment Online (GEO), and it will let users know about areas where drone flight is restricted, either due to regulations or because of safety issues.
GEO will stop DJI drones from taking off in restricted areas like airports, Washington D.C., and temporarily restricted areas such as places near forest fires or big stadium events. Sensitive areas around prisons and power plants will be off limits in the system as well.
DJI owners can temporarily opt out of GEO and unlock some of the flight restrictions, but there's a catch. They must have verified accounts with the company, with a credit card, debit card, or cellphone number on file. Users cannot turn off all the flight restrictions though; places like Washington D.C. will remain completely off limits.
Drones could someday have a sort of invisible license plate that allows local authorities to determine who the unmanned aerial system (UAS) belongs too. Pitched by Chinese drone manufacturer DJI, the concept for an electronic identification system for small drones is just one of many ideas as the Federal Aviation Administration looks into potential ways of identifying drone users.
DJI suggests drones should use the radio equipment already on board most systems to transmit a unique registration number. That number would identify the drone owner to law enforcement in the event of a complaint or flight through a restricted area. Areas with restricted drone flight, such as airports, could use radio equipment to read that number and report the ID number to the authorities. Since identifying the drone would require access to a database linking each number with a name, the invisible license plate approach would be less likely to be abused outside of law enforcement, DJI suggests.
"The best solution is usually the simplest," DJI wrote on Monday. "The focus of the primary method for remote identification should be on a way for anyone concerned about a drone flight in close proximity to report an identifier number to the authorities, who would then have the tools to investigate the complaint without infringing on operator privacy."
Source: Digital Trends
Related: FAA Drone Registry to be Publicly Searchable
FAA Doubles "Blanket Authorization" Altitude for Drones to 400 Feet
What's the non-soyvertisement angle for this drone? Uh... you can spy on people with it!
The drone starts at a surprisingly accessible $499. That was really going to be the big sticking point here — with most pundits considering anything under $1,000 a good play for the company's generally high-quality but high-priced products. It's still not cheap, exactly, giving the number of budget drones that have flooded the market in recent years, but with all of the functionality the company has jammed into the thing, the Spark could well be DJI's first truly mainstream drone.
[...] [Aside] from size (which let's be honest, is the most important thing here), the Spark's got some pretty impressive tricks up its sleeves. It can take off from the palm of your hands and land back in it with little hassle. The demo of the functionality went exactly as planned, which isn't always the case at these sorts of events, especially given the swamp of cell phone signals that is Grand Central Station.
Even more impressive is a gesture-based control, about which the assembled press made audibly excited mumbled comparisons to Star Wars. And yeah, there's a selfie function, too. Smiling with you arms folded will trigger the picture taking functionality.
It's only capable of recording 1080p! No 4K = useless!
In related news, DJI users will apparently need to login and register their drones to activate certain features.
[Ed note: From what I've read, it is generally suggested to keep all active drones away from any persons — including yourself. What makes this drone so different? --martyb]
Also at VentureBeat, USA Today, The Verge, and YouTube.
DJI Spark drones will not fly after September 1 until users have applied a mandatory software update:
DJI Spark drones will not fly after 1 September unless owners apply a mandatory software update, the device's maker has warned. DJI said the update to the small drone's core software fixes some flight control issues suffered by the gadget.
The drone maker said it had warned owners about the deadline so they could avoid having their craft grounded. But the mandatory update has caused some owners to question the control DJI retains over their devices.
In a statement, DJI said the update would improve how the Spark manages power. It also helps it work with smart spectacles that give owners an immersive view of what the drone films. It added: "If the firmware of either the aircraft or the battery is not updated by September 1, Spark will not be able to take off."
A bug bounty hunter shared evidence; DJI called him a hacker and threatened with CFAA.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
-- submitted from IRC
(Score: 2, Interesting) by Anonymous Coward on Friday January 26 2018, @12:42PM (8 children)
Good!, I say.
If the story from the article is true (we only know one side, so far ...), I do not condone AT ALL what those DJI devs did. It was probably illegal, and IMNSHO it was morally wrong. In a just world, the results of these acts *would* be undone; the reality of the Streisand effect notwithstanding.
But no result ever justifies the methods.
The DMCA was not violated here (at least not by the forker), so it does not apply. The DMCA is not a magic content removal tool (no matter how your MAFIAA pals are spinning their story at business lunches). In fact, there is *no* magic content removal tool. And for very good reason. Your code's out now, and there's nothing you can do about it.
So, *IF* those two developers did it on purpose (and not through a foolhardy setup of yours that was only waiting for a trivial mistake to be made): be my guest, fuck them sideways. But apart from that, we the world are not obliged to be nice to you now - we're only obliged to obey the law. Which was done here. You were wronged, but you have no recourse. So go home, and cry a little, and next time have better work processes to prevent this shit.
On the other hand, knowing how this stuff works, those two developers are most likely just the fall guys. The real culprit is a manager three levels above, who has been ignoring their pleas on preventing this for years, just so that his own bottom line looks a little better. Hey, win-win-win-win now! Money was saved, whiney deceiving assholes are gone, will be replaced by proper little shut-up-ing blame-takers now, heroic manager to the rescue. Please excuse me while using my barfbag.
(Score: 0) by Anonymous Coward on Friday January 26 2018, @01:20PM (7 children)
No. It should all be free software and 100% controlled by the user. Short of that, making it easier for people to hack their own drones is a good thing, not a morally wrong thing.
(Score: 1, Interesting) by Anonymous Coward on Friday January 26 2018, @02:12PM (6 children)
In philosphical principle, that software should have been free, yes, I'm with you on that.
But those two developers had a contract with their employer. I'll bet you that this contract contained wording about confidentiality. Which they agreed to by signing the contract. And then they broke that promise.
In my opinion, promising something and then doing the opposite is morally wrong (plusminus a few corner cases where you were not in full possession of the facts during the promise).
If such behaviour were _intentional_, i.e. the breaking of the promise was already planned while giving it, then it's not only morally wrong but also antisocial.
Accepting that "the ends justify the means" has always been a prime road into tyranny and murder, for societies as well as individuals.
(Score: 0) by Anonymous Coward on Friday January 26 2018, @03:12PM (1 child)
Tell that to Snowden etc.
(Score: 1, Insightful) by Anonymous Coward on Friday January 26 2018, @04:41PM
Actually he was acting in *exactly* one of those corner cases which I exempted.
Are you trying telling me that you consider "the US secretly and forcibly spying on the whole world, with the implied goal of more easily bending everybody's actions to US will" to be in the same league as "DJI won't give the firmware sourcode which they created at their own expense"?
If you always wanted sourcecode for the firmware, why did you buy DJI crap in the first place?
(Score: 0) by Anonymous Coward on Friday January 26 2018, @05:00PM (1 child)
the war for control of skynet is a war for the future of humanity. even using violence is ok.
(Score: 0) by Anonymous Coward on Friday January 26 2018, @06:12PM
Ugh, that is some horrible bit of social programming there. Hoping to turn some unbalanced techies into your toys soldier anarchists?
(Score: 0) by Anonymous Coward on Friday January 26 2018, @09:47PM (1 child)
Violating contracts can be perfectly justifiable, and I say it would be in a case like this. Same for NDAs in general. I don't think they should even be enforceable.
Making a "promise" to employers who hold power over you and then breaking it is not necessarily wrong. Most of these contracts are unjust.
The ends do sometimes justify the means, particularly when the means are not actually bad, like in this case. No, this will not lead to tyranny and murder.
(Score: 0) by Anonymous Coward on Saturday January 27 2018, @07:40AM
Your idea that "I am right and they are wrong. Therefore my actions cannot be wrong, even if they hurt them" is exactly what I am talking about.
So let me get personal for the first time:
With this basic idea, you are putting yourself in the footsteps of the likes of Mao, Stalin, McCarthy, the "only-a-dead-readskin-..." crowd and lots of smaller assholes that were fought and later reviled throughout human history.
Since you are a believer in your being an ubermensch (deciding about good and bad according to your own, blatantly self-serving opinion), I'll stop trying to have a rational discussion now. I just hope, for all people around you, that you never, ever get into a position of power, no matter how small.
(Score: 5, Insightful) by rigrig on Friday January 26 2018, @12:48PM (1 child)
Places not to store secrets:
DJI:
No one remembers the singer.
(Score: 3, Funny) by The Mighty Buzzard on Friday January 26 2018, @01:06PM
Yeah, this would be why we put default or empty values in the db updates on github instead of the ones we're actually going to use. And also why we only put things in the safe that we want Nobby to find.
My rights don't end where your fear begins.
(Score: 3, Interesting) by DannyB on Friday January 26 2018, @02:51PM (5 children)
DMCA is not a magical way to disappear things that you don't like.
It is for copyright infringement only.
A DMCA notice requires a signature attesting that the notice is correct under penalty of perjury.
The perjury things needs to be enforced. There needs to be a statutory minimum equivalent to the statutory damages for copyright infringement. (What is it now? $150,000.00 ?) This is reasonable, because nobody should be filing a DMCA notice unless they have a legitimate copyright complaint, just as nobody should be infringing copyright. If one is a legitimate grievance deserving a huge statutory penalty to protect people, then the other is also.
So is the DMCA filer claiming that the posting of the source code is copyright infringement? Are they claiming that they are the copyright owner or registered agent to represent the copyright owner? Even if the source code is copyrighted and can be taken own, the public knowledge of the crypto keys are mere fact. Then we are back to arguing that certain numbers can be copyrighted.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2, Insightful) by Anonymous Coward on Friday January 26 2018, @04:06PM (4 children)
No, that is not the case. The law [cornell.edu] says:
Note how "under penalty of perjury" remark only attaches to the last bit there? Yeah. This bit has no teeth unless you are sending unauthorized DMCA notices claiming infringement of someone else's work.
(Score: 2) by DannyB on Friday January 26 2018, @04:57PM (3 children)
OK.
So do 2 things:
1. Actually seriously punish DMCA notices sent by someone NOT authorized to act on the copyright owner's behalf.
2. Also seriously punish DMCA notices that do not state an actual copyright being infringed, but merely ask to have something taken down for ?reasons?
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Friday January 26 2018, @08:38PM
Step 1, require all DMCA notices be signed by an attorney registered to practice before the bar in the state in which they sign the notice
Step 2, require disbarment for any attorney who signs a DMCA notice that contains false information (where false information is further defined as most of the current requirements: must state a copyright infringement, must be authorized by the copyright holder, etc., plus include that the copying must not also be considered fair use of the material).
Suddenly, the attorneys will be very careful that they have all their ducks in a row properly before ever signing a DMCA notice.
But, the congressional blowhards, being lawyers themselves mostly, will never do something like this that would hurt fellow lawyers.
(Score: 0) by Anonymous Coward on Friday January 26 2018, @09:01PM
Well sure, but how often does this actually happen? Why would anyone bother sending takedown notices involving a work for which they are not authorized to do so, when it is so simple to just allege infringements of your own works?
But the law doesn't provide any useful mechanism to discourage this behaviour, so this would require a change to the law.
Nevertheless, there may be other statutes that can apply in some circumstances... e.g., perhaps someone could successfully argue that repeated takedown notices made in bad faith constitute some form of harassment of the designated agent (IANAL).
(Score: 0) by Anonymous Coward on Friday January 26 2018, @10:42PM
Get rid of DMCA takedown notices and keep safe harbor. We don't need this censor-first-ask-questions-later 'compromise'. Yes, that means people would actually have to go to court and have a judge request that the content be removed. Yes, that would mean that enforcing copyrights would likely become more difficult, but we're not supposed to sacrifice justice in the name of making it easier to enforce copyright to begin with.
(Score: 1, Informative) by Anonymous Coward on Friday January 26 2018, @11:51PM (1 child)
This is an interesting situation. It's not clear to me how it will turn out.
Github's TOS appear to say that uploading for public viewing made the fork ok.
So the fork may likely stay around, but it's not clear what folks are permitted to do with it.
The TOS appears to provide a way to limit the uses of the fork if there are other license agreements in play.
It says ok to view the code and use it on the GitHub platform.
But doing something else with it might be governed by DJI's license agreement if there is one published with the s/w.
Seems like fair use should also apply. Also, I'm not sure creating a private key is a creative act protected by Copyright?
Here's the actual TOS text.
Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other GitHub Users.
(Score: 0) by Anonymous Coward on Monday January 29 2018, @08:35PM
Encryption keys are most certainly certainly not eligible for copyright protection. These keys are now public knowledge, do what you will with them.