Man gets threats—not bug bounty—after finding DJI customer data in public view

Channel: Tech House
Subscribers: 957
Published on: 2017-11-17
Video link: https://www.youtube.com/watch?v=Ead5VY8UC7E
Duration: 5:46
Views: 21

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that its developers had left private keys exposed in code posted publicly to GitHub: the private key for the "wildcard" SSL certificate covering all of the company's Web domains, and the access keys for its cloud storage accounts on Amazon Web Services. Using those credentials, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the exposure after he began probing DJI's systems under the company's bug bounty program, which was announced in August. But as he worked to document the bug with the company, he got increasing pushback, including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI's "final offer" for the data refused to include any protection against legal action. So Finisterre dropped out of the program and published his findings yesterday, along with a narrative entitled "Why I walked away from $30,000 of DJI bounty money."

DJI launched its bug bounty this fall, shortly after the US Army banned the use of DJI drones for any military purpose over "operational security" concerns. Reports of people hacking the firmware of DJI drones were also spreading; some of those hacks had been posted to GitHub by Finisterre himself. But according to Finisterre, the program was clearly rushed out: the company did not define the scope of the bounty program publicly, and still has not. So when Finisterre discovered that DJI's SSL certificates and firmware AES encryption keys could be found through GitHub searches (in some cases they had been exposed for as long as four years), he contacted the company to ask whether its servers were within the scope of the bug bounty program. He was told they were, a statement that DJI officials would later walk back.
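The two classes of secret at the center of this story, a wildcard certificate's private key and cloud storage credentials sitting in code on GitHub, are exactly what a repository or pre-commit secret scanner exists to catch before a push. The Python scanner below is an added example written for this page; it is not DJI's tooling and is not taken from Finisterre's write-up. The configuration file it scans is constructed here, and the credential values in it are the placeholder access key pair that AWS publishes in its own documentation, not live secrets. The pattern set, the entropy threshold and the function names are this example's own choices.

```python
import math
import re
from typing import Dict, List, Tuple

# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Candidate AWS secret keys: exactly 40 base64-alphabet characters assigned to a
# name containing "secret". The name heuristic alone over-matches, so hits are
# filtered by Shannon entropy below (an example threshold, not an AWS rule).
AWS_SECRET_RE = re.compile(
    r"(?i)secret[A-Z0-9_]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# PEM armour for the private-key encodings most often committed by mistake.
PEM_PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

Finding = Tuple[int, str, str]  # (line number, finding type, matched value)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random 40-char secrets score roughly 4.5 to 5.2;
    placeholders such as repeated zeros score near 0."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 4.0) -> List[Finding]:
    """Scan a file's contents line by line and return every probable secret."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_RE.finditer(line):
            secret = m.group(1)
            # Low-entropy strings are almost always dummies, not live keys.
            if shannon_entropy(secret) >= min_entropy:
                findings.append((lineno, "aws_secret_access_key", secret))
        if PEM_PRIVATE_KEY_RE.search(line):
            findings.append((lineno, "pem_private_key", line.strip()))
    return findings


# Constructed sample: a settings file of the kind that ends up in a public repo.
# The key pair is the placeholder AWS uses in its documentation, not a live
# credential; the all-zero "backup_secret" is there to show the entropy filter.
SAMPLE_CONFIG = """\
# constructed sample config
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
tls_key = -----BEGIN RSA PRIVATE KEY-----
backup_secret = "0000000000000000000000000000000000000000"
debug = True
"""


def main() -> None:
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {value}")


if __name__ == "__main__":
    main()
```

Run against the sample, the scanner reports the access key ID on line 2, the secret on line 3 and the PEM header on line 4, and ignores the all-zero placeholder on line 5. Two caveats matter in practice: a scan of the working tree says nothing about what is still in `git log -p` history, which is what public GitHub search indexes, and once a key has been public for any length of time the only real remedy is rotation, not deletion from the repository.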
