Security researcher Kevin Finisterre recently discovered a flaw that exposed private customer data of the Chinese drone company DJI to the public. After reporting the bug to DJI's bug bounty program, Finisterre received pushback and a legal threat. So instead of collecting his $30,000 bounty, Finisterre is now going public with his findings (and his experience).
Ars Technica reports that DJI developers had left private keys for the company's web domains and cloud storage accounts inside source code hosted on GitHub.
Using the keys, Finisterre found that he was able to access private data uploaded by DJI customers: not just flight logs and aerial images, but also government IDs, driver's licenses, and passports. What's more, some of the flight logs appeared to have been sent from government and military domains. (As a side note, the US Army ended its use of DJI drones earlier this year due to "cyber vulnerabilities.")
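As an added illustration of the class of flaw described above (this is example code, not anything from the article, DJI, or Finisterre), the following Python scanner flags the kinds of material that end up committed to public repositories: cloud access keys in a known format, PEM private-key headers, and long high-entropy strings that look like secrets. The sample source it scans is constructed for this example; the AWS credentials in it are the public placeholder values from AWS's own documentation, not real keys.

```python
"""Minimal secrets scanner for source text (added example, not DJI's or
Finisterre's tooling). It flags the material the article describes being
committed to GitHub: cloud access keys and private keys."""
import math
import re
from typing import List, Tuple

# Known-format detectors. The AWS access key ID shape is the documented
# public format; other providers' key shapes would be added the same way.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Candidates for the entropy check: long runs of base64-alphabet characters.
# Underscores and hyphens are deliberately excluded so ordinary identifiers
# such as aws_access_key_id=AWS_ACCESS_KEY_ID are not treated as tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
ENTROPY_THRESHOLD = 4.0  # bits per character; base64-encoded secrets sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> List[str]:
    """Return the names of the detectors that fire on one line of text."""
    hits = []
    for name, pattern in KNOWN_PATTERNS.items():
        if pattern.search(line):
            hits.append(name)
    for token in TOKEN_RE.findall(line):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            hits.append("high_entropy_token")
            break
    return hits


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Scan a file's content; returns (line_no, detector, stripped line) findings."""
    findings = []
    for i, line in enumerate(text.splitlines(), start=1):
        for name in scan_line(line):
            findings.append((i, name, line.strip()))
    return findings


# Constructed sample "source file" (hypothetical; it is never executed).
# The AWS values are the public example credentials from AWS's documentation.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET = "flight-logs-prod"
PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SIGNING_KEY = '''-----BEGIN RSA PRIVATE KEY-----
(key body omitted for the example)
-----END RSA PRIVATE KEY-----'''

def upload(path):
    s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
    s3.upload_file(path, BUCKET, path)
"""

if __name__ == "__main__":
    # Expected: line 3 aws_access_key_id, line 4 high_entropy_token,
    # line 7 pem_private_key. PLACEHOLDER is long but has zero entropy.
    for line_no, detector, line in scan_text(SAMPLE_SOURCE):
        print(f"line {line_no}: {detector}: {line}")
```

Two practical notes. First, run the scanner over `git log -p --all` output rather than only the checked-out tree: deleting a key from the current commit leaves it in history, and that is where leaked keys are usually found. Second, a finding is only the start; since anyone who cloned the repository already has the key, the remediation is to revoke and rotate it at the provider, not merely to remove it from the source.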
After reporting the vulnerability to DJI, Finisterre was initially informed that his report qualified for the top bounty of $30,000. He then engaged in a lengthy conversation with a DJI employee who both confirmed the existence of the exposed data and showed a striking lack of cybersecurity expertise.
“This was the first in a long line of education on basic security concepts, and bug bounty practices,” Finisterre says. “Over 130 emails were exchanged back and forth at one point in one thread. At one point days later DJI even offered to hire me directly to consult with them on their security.”
As he continued his conversations with DJI, however, Finisterre soon found that DJI wasn't readily agreeing that its servers were part of the scope of the new bounty program. Finisterre was also put off by DJI's refusal to provide him with protection against legal action.
What's more, DJI itself sent a threat of charges under the Computer Fraud and Abuse Act (CFAA), accusing Finisterre of "unauthorized access and transmission of information."
Still, Finisterre went ahead and negotiated a "final offer" from DJI for the contract under the bug bounty program. After consulting with lawyers, however, Finisterre concluded that the terms were terrible.
“[N]o less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it,” Finisterre writes. “I went through various iterations to get the letter corrected. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement sign-able.”
So instead of collecting his lucrative $30,000 bounty, staying silent, and risking future legal action, Finisterre decided to assemble all of his findings into an 18-page PDF he has just published, titled "Why I walked away from $30,000 of DJI bounty money."
After the report was published, DJI called Finisterre a "hacker" in a statement to Ars Technica:
DJI is investigating the reported unauthorized access of one of DJI's servers containing personal information submitted by our users. As part of its commitment to customers' data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a "bug bounty" from the DJI Security Response Center.
DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI's continued attempts to negotiate with him, and threatened DJI if his terms weren't met.
Finisterre says that DJI has since given him "cold blooded silence" after his last messages expressing disappointment and offense over DJI's bug bounty program.