China-based Da-Jiang Innovations (DJI), one of the world’s largest drone makers, has accused a researcher of accessing sensitive information without authorization after the expert bashed the company’s bug bounty program.
DJI announced the launch of a bug bounty program in late August and offered between $100 and $30,000 for vulnerabilities that allow the creation of backdoors, and ones that expose sensitive customer information, source code or encryption keys.
Bug bounty hunters started analyzing the company’s systems for vulnerabilities, but did not know where they were allowed to look, as DJI had failed to state which of its assets were in scope.
Kevin Finisterre, a security researcher who specializes in drones, discovered that DJI had inadvertently exposed SSL keys and firmware AES keys in source code published on GitHub. He also found AWS credentials for buckets storing flight logs and customer identity documents, including passports, driver’s licenses, and state identification cards.
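The class of leak described above (cloud credentials, private keys and symmetric firmware keys committed to a public repository) is something a repository owner can catch with a secret scan before code is pushed, and a researcher can use the same scan to triage a public tree. The following is an added example written for this page, not DJI’s code nor Finisterre’s tooling. It scans a small constructed set of file contents (the AWS values are the placeholder credentials from AWS’s own documentation, not live keys), applies pattern rules for AWS access key IDs and secrets, PEM private-key headers and 128/256-bit hex keys, and uses a Shannon-entropy check so that all-zero placeholder hex is not reported. Reports are redacted so the scanner’s own output does not re-leak what it found.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample repository contents (not DJI's code). The AWS values are
# the placeholder credentials from AWS's own documentation, not live keys.
SAMPLE_FILES: Dict[str, str] = {
    "config/aws.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "firmware/keys.h": '#define FW_AES_KEY "00112233445566778899aabbccddeeff"\n',
    "certs/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Build with make. Release 1.2.3, commit 2f1c.\n",
}

# Detection rules: (kind, compiled regex). Group 1 is the secret material itself.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']([A-Za-z0-9/+=]{40})[\"']")),
    ("pem_private_key", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    # 128- or 256-bit keys written as hex; entropy-checked below so that a
    # wall of zeros or an obvious placeholder is not reported as a key.
    ("hex_key", re.compile(r"\b([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\b")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # first and last 4 characters only, so the report does not re-leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character; 32 hex characters with all 16 symbols present score 4.0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(secret: str) -> str:
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line of one file and return the findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in RULES:
            for m in pattern.finditer(line):
                secret = m.group(1)
                if kind == "hex_key" and shannon_entropy(secret) < 3.0:
                    continue  # e.g. "0000...0000" is a placeholder, not a key
                findings.append(Finding(path, lineno, kind, redact(secret)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, as you would build from `git ls-files`."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
```

Two caveats a practitioner should keep in mind: a scan of the working tree is not enough, because a key that was committed and later deleted is still in the repository history and in every clone, so the remediation for a leaked credential is rotation, not removal; and pattern rules only catch formats you anticipated, so an entropy-based rule such as the hex check here is worth keeping even though it needs a threshold tuned to avoid flagging commit hashes and checksums.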
Finisterre said others had found unprotected AWS buckets storing, among other things, personal data and images of damaged drones submitted by customers.
“There were serious ramifications to the things that were found on the DJI AWS servers,” the researcher said. “One of the first things I did to judge the impact of the exposure was grep for ‘.mil’ and ‘.gov’, ‘gov.au’. Immediately flight logs for a number of potentially sensitive locations came out. It should be noted that newer logs, and PII seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes. Unfortunately the rest of the server side security renders this point moot.”
After reporting his findings to DJI via its bug bounty program, Finisterre was informed that he qualified for the maximum reward, $30,000. However, the company told him that in order to receive the bug bounty, he would have to sign an agreement.
“I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection,” Finisterre said. “For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.”
While the researcher was trying to negotiate the non-disclosure agreement (NDA) via a DJI representative in the United States, the drone manufacturer’s legal department in China sent him a notice that he may be facing charges under the controversial Computer Fraud and Abuse Act (CFAA).
After consulting with lawyers who told him that DJI’s agreement was “extremely risky” and “likely crafted in bad faith to silence anyone that signed it,” the researcher decided to walk away from the bug bounty. He also decided to make his findings public, including some of the communications with DJI representatives during this process.
In response, DJI published a statement saying that it’s investigating Finisterre’s unauthorized access to its servers, and accused the researcher of publishing confidential communications with DJI employees.
“DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities,” the company said in a statement. “DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”
The infosec community is split on this issue. Some have taken Finisterre’s side, pointing to DJI’s failure to specify what its bug bounty covered and what researchers were allowed to do. Others have sided with DJI, arguing that the bounty hunter should not have accessed the data and that the agreement was reasonable.
Following Finisterre’s disclosure, DJI provided more information on its bug bounty program, including scope and requirements for disclosing flaws.
“DJI understands the importance of public disclosure of unknown or novel security flaws to build a common base of knowledge within the security community and to build a safer internet,” the company said. “DJI is committed to disclosing such information to the fullest extent possible. However, DJI in its sole discretion will decide when and how, and to what extent of details, to disclose to the public the bugs/vulnerabilities reported by you.”
DJI says it has paid out “thousands of dollars” to nearly a dozen researchers since the launch of its bug bounty program.