DJI Alleges Bug Bounty ‘Hacker’ Damaged Server And Threatened Company
A longtime security researcher and drone enthusiast has become entangled in a conflict with Chinese drone manufacturer DJI over a security vulnerability report.
The situation has deteriorated, with DJI calling the security researcher, Kevin Finisterre, a “hacker” who “threatened” the company if his terms were not met.
In late September, Finisterre sent a detailed, 31-page vulnerability report to DJI, which appeared to qualify under the company’s relatively new bug bounty disclosure program.
Finisterre found that Amazon Web Services servers used by DJI exposed private encryption keys, unencrypted flight logs, plus scans of passports, ID cards and driver’s licenses. He has not released the full findings publicly, but described the general issues in a Nov. 16 blog post.
He says DJI told him he qualified for a $30,000 bug bounty and even floated the idea of hiring him as a consultant. But first, DJI wanted him to sign a legal agreement.
After obtaining legal advice, Finisterre says he has refused to sign an agreement that he believes doesn’t offer enough protection from prosecution.
Communication has now stopped with DJI, and the company has asserted its rights under the U.S.
The researcher’s conflict with DJI shows that despite an improving atmosphere between software vendors and independent security researchers, tensions can still flare up.
It was not uncommon a decade ago for companies to allude to legal action after receiving vulnerability reports. In response, and sometimes in retribution, some researchers would make their findings public before vendors had a chance to patch, which potentially put users at risk.
But those attitudes have largely changed. Many companies, such as Google and Facebook, offer lucrative rewards for vulnerability information.
Third-party services such as Bugcrowd, Synack, HackerOne and others help companies connect with independent security researchers, creating more formalized processes around bug hunting and reducing conflict.
In late August, DJI launched its own bug bounty program, which it calls the Threat Identification Reward Program. Rewards range from $100 to $30,000 depending on the severity of the flaw. DJI says it has paid thousands of dollars so far to nearly a dozen security researchers.
When DJI launched the program, it said it wanted to engage with the security community after previously not having offered clear lines of communication for anyone who wanted to report problems with its software or hardware.
Alleged Server Damage
Before submitting his report, Finisterre sought to clarify whether his findings fit the scope of DJI’s bug bounty program.
A couple of weeks after his initial inquiry, Finisterre says he was told his findings, which related to servers run by DJI, qualified. He submitted a 31-page report. The report included details on data leaks related to sensitive domains, such as .mil, .gov and .gov.au.
When he searched for those domains in the exposed DJI data, he found that “immediately flight logs for a number of potentially sensitive locations came out,” adding that “it should be noted that newer logs, and [personally identifiable information] seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes.”
An intense back-and-forth discussion with DJI ensued, Finisterre says.
“I worked diligently with DJI (alongside 2 others on my reverse engineering team), [including] over 130-plus emails of teaching them the basics of computer security and urging them to hire someone to help them quickly as they were clearly clueless,” Finisterre tells ISMG.
He says he was offered a chance to consult for the company as well as its top $30,000 bug bounty award. Finisterre received a letter that described the terms of the bug bounty agreement, which he felt “posed a direct conflict of interest to many things, including my freedom of speech.”
He adds: “I was afraid of getting sued as soon as I saw the term’s paperwork.”
The two sides tried to bridge the gap. But then Finisterre received a letter dated Oct. 27 from DJI’s legal department that appeared to raise the stakes. The letter, since posted online by Finisterre, warns him that he obtained proprietary and confidential information through his research “which caused damage to the integrity of the server.”
The last line of the letter says that while the situation remains ongoing, DJI reserves its legal rights, including rights granted under the Computer Fraud and Abuse Act.