Security Researcher Exposes Hole in DJI’s Security, Receives Threat


Security breaches can be a complete nightmare for a tech company, which is why many of them incentivize users who discover lapses in the corporation's data protection scheme to notify the company through a bounty program.

One firm that employs such a method is DJI, the massive Chinese commercial drone manufacturer that dominates the entry-level drone market across the world.

A security researcher named Kevin Finisterre informed DJI of a flaw in their system that exposed private, confidential customer information.

He contacted the company through its bounty program but, rather than collecting on a $USD 30,000 bounty, he was met with pushback and what he calls “threats,” according to PetaPixel.

This reaction prompted him to tell his story publicly, and it does give one pause about reporting security flaws to massive companies.

Image via Pixabay from Pexels.com.

Ars Technica reports that the flaw was that DJI developers had left private keys for the company’s web domains and cloud storage accounts in source code DJI hosted on GitHub.

With this information, Kevin Finisterre found he could see private data uploaded by DJI customers, such as flight logs and aerial photos. Most alarming of all, Finisterre was also able to find government IDs, driver’s licenses, and passports. Some of the information appeared to relate to military use of drones and to military personnel accounts.
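The root cause Ars Technica describes, credentials committed to a repository that was then pushed to GitHub, is exactly the class of defect a pre-push secret scan is meant to catch. What follows is an added example written for this article, not code from DJI or from any of the outlets cited: the three detection rules, the `scan_text` and `scan_tree` helpers and the constructed sample file are all my own. The AWS access key in the sample is the placeholder value AWS publishes in its own documentation, and the PEM body is filler.

```python
"""Scan source text for committed credentials: PEM private keys, AWS access
key IDs and quoted credential assignments.  Added example for this article,
not DJI's or the article's code; rules and sample input are constructed."""
import math
import re
import sys
from pathlib import Path
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    line_no: int              # 1-based line within the scanned text
    rule: str                 # name of the rule that fired
    entropy: Optional[float]  # Shannon entropy of the captured value, if any


# Order matters: the first rule that matches a line wins, so the most specific
# patterns come first.  The credential rule captures the quoted value so its
# randomness can be scored (assumption: real secrets are high-entropy strings,
# placeholders such as "changeme" are not).
RULES = [
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential_assignment", re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|access[_-]?key|token)\w*"
        r"\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random 40-character keys score about 4.5+."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per line that matches a rule (first matching rule wins)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.groups() else None
                findings.append(Finding(line_no, rule,
                                        shannon_entropy(value) if value else None))
                break
    return findings


def scan_tree(root: Path, max_bytes: int = 1_000_000) -> List[Tuple[Path, Finding]]:
    """Walk a checkout, skipping .git and anything binary or oversized."""
    results = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue
        results.extend((path, f) for f in scan_text(text))
    return results


# Constructed sample file.  The AKIA value is the example key from AWS's own
# documentation and the PEM body is filler; nothing here is a live credential.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEBUG = "true"
password = "hunter2"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAnotarealkeybody
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # With a path argument, scan that checkout; otherwise scan the sample.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    hits = scan_tree(target) if target else [("<sample>", f) for f in scan_text(SAMPLE_SOURCE)]
    for path, f in hits:
        score = f" entropy={f.entropy:.2f}" if f.entropy is not None else ""
        print(f"{path}:{f.line_no}: {f.rule}{score}")
    sys.exit(1 if hits else 0)
```

Run with a checkout path as a pre-push or pre-commit hook; a non-zero exit blocks the push. The entropy score is what separates a leaked 40-character cloud secret (about 4.5 bits per character in the sample) from a short placeholder like `hunter2` (under 3), so a team can tune the generic rule to alert only on the former while still logging the latter.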

Initially, DJI’s response was positive, and the company informed him that he qualified for the maximum bounty of $USD 30,000.

“This was the first in a long line of education on basic security concepts, and bug bounty practices…Over 130 emails were exchanged back and forth at one point in one thread. At one point days later DJI even offered to hire me directly to consult with them on their security,” Finisterre said.

He attempted to negotiate a contract for the bounty with DJI but was told by legal counsel that the terms of the agreement were “horrible.”

In a piece for Digital Munition that acts as a comprehensive explanation of the entire situation, Finisterre writes: “[N]o less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it…I went through various iterations to get the letter corrected. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement sign-able.”

Things have apparently only gotten worse between the two, with DJI telling Ars Technica that Finisterre was a hacker.

In a lengthy response, DJI outlines what it believes is evidence of Finisterre’s reluctance to cooperate with them or adhere to the bounty program’s guidelines.


About Author


Kehl is our staff photography news writer. He has over a decade of experience in online media and publishing, and you can get to know him better here.
