Bug bounty hunter reveals DJI SSL, firmware keys have been public for years

Opinion: The researcher has discarded $30,000 to ensure there is full public disclosure of the drone maker's poor security and revealing how not every bug bounty hunt ends well.
Written by Charlie Osborne, Contributing Writer

An exasperated bug bounty hunter has revealed that drone maker DJI left everything from AWS credentials to private SSL keys on public forums.

As reported by the Register, security researcher Kevin Finisterre discovered the Chinese firm had left the private keys of the DJI HTTPS domain on GitHub, exposed for all to see for roughly four years.

To make matters worse, DJI had also made AWS credentials and firmware AES keys available for anyone to search for through the GitHub repository.

Given these tools, as summarized by the researcher as a "full infrastructure compromise," a cyberattacker could have free reign to cause utter havoc for DJI, stealing data, compromising systems, and much more.

The problems started in August, when the Chinese firm announced a bug bounty program that invited external researchers to find, submit, and be rewarded for responsibly disclosing vulnerabilities in the company's products.

While many vendors have chosen this route to protect company infrastructure, consumer devices, and services, DJI was also attempting to clamp down on a growing underground of homegrown hacking.

Users have been and continue to modify drones to bypass flight and geolocation restrictions, such as the No Fly Zone (NFZ), and you can now buy software and fully-modded drones that are already exploited.

By resolving bugs which were utilized by homebrew hackers, DJI also hoped to mend its battered reputation with the US military which has banned the use of the Chinese firm's products due to "cyber vulnerabilities."

At the time, ZDNet reported that DJI appeared to have rushed to set up the infrastructure required for a bug bounty program, and this prediction seems to have come to pass.

Finisterre says in an 18-page disclosure (.PDF) that the wording of the program left much to be desired, and after enquiring on the validity of server-based issues, it took DJI weeks to respond.

Meanwhile, hunters were discussing a range of data available on public boards, including public AWS buckets set with zero permissions which were easy to search for and poke around.

"It is unclear what exactly was in the public DJI buckets, short of the reported: "all attachments to the service emails they receive... images of damaged drones... receipt and other personal data..." and "occasional photos of people cut by propellers," the researcher added.

While still waiting for clarification, Finisterre gave the company a heads-up on the brewing storm, to which DJI Corporate Communication Director Adam Lisberg allegedly said: "Stay tuned. I would tell you a little more, if I had your word that it wouldn't end up all over the Internet."

This appears to set the tone for what happened next in a long saga.

DJI finally confirmed two weeks later that source code leaks and server issues were in scope, and the researcher submitted a 31-page report -- which also included that he had seen unencrypted flight logs, passports, drivers licenses, and ID cards.

"It should be noted that newer logs and PII seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes," the researcher noted.

While dreaming of the Tesla he was going to buy with the reward money of $30,000, 130 emails were exchanged, an offer of paid consultancy was put on the table by DJI and many lessons in basic security and bug bounty disclosure with Finisterre as instructor later, a vulnerability disclosure agreement was on the table to be signed.

"I won't go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection," Finisterre said in the report. "For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech."

"It almost seemed like a joke," the bug bounty hunter added. "It was pretty clear the entire 'bug bounty' program was rushed based on this alone."

Attempts were made by both the researcher and Brendan Schulman, VP of policy and legal affairs at DJI, to amend the agreement to satisfaction on both sides, but Finisterre laments that the executive was "not able to keep the barbarians at the gate," and the researcher then received a "thinly veiled Computer Fraud and Abuse Act threat from DJI."

Lawyers reviewed a "final offer" document from DJI and deemed the contract "extremely risky" and likely "crafted in bad faith."

"If you that are wondering if DJI even bothered to respond after I got offended over the CFAA threat, you should be happy to know it was flat out radio silence from there on out," the researcher said. "All Twitter DM's stopped, SMS messages went unanswered, etc. Cold blooded silence. Thanks for listening. If something sounds too good to be true, it probably is."

The moral of the story? The bug bounty industry offers high rewards, but both experienced veterans and less experienced companies may attempt to enforce disclosure contracts that bind researchers in unacceptable ways, or through wording which results in a conflict of interest.

If companies are asking for external help, time, and effort to improve their own practices, there has to be leeway and respect on both sides for such agreements to work.

It only takes one researcher to have a bad experience with a company to turn other bug bounty hunters away, fearing the risk of legal backlash or wasted time and effort -- better spent with companies that reward researchers without attempting to take away their rights.

See also: Bug bounties: 'Buy what you want'

Speaking to ZDNet, a DJI spokesperson said:

"DJI is investigating the reported unauthorized access of one of DJI's servers containing personal information submitted by our users.

As part of its commitment to customers' data security, DJI engaged an independent cybersecurity firm to investigate this report and the impact of any unauthorized access to that data.

Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a "bug bounty" from the DJI Security Response Center.

[..] DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed.

The hacker in question refused to agree to these terms, despite DJI's continued attempts to negotiate with him, and threatened DJI if his terms were not met."

Black Friday 2017: The best early US deals in tech

Previous and related coverage

    DJI launches bug bounty program to stop homegrown hacking

    The arms race has gained pace with DJI offering cash rewards for vulnerability reports.

    DJI launches drone identification and monitoring system AeroScope

    The product is aimed at striking a balance between security and privacy.

    DJI looks to boost drone data security after US Army ban

    DJI will introduce a local data mode that will enable drone pilots to disconnect from the internet during flights.

    DJI takes on homegrown drone hackers in arms race

    DIY hackers are making the firm's life a misery in the quest to overturn flight restrictions.

      Editorial standards