Security researcher Kevin Finisterre recently found a flaw that exposed private customer data of the Chinese drone company DJI to the public. After reporting the bug to DJI’s bug bounty program, Finisterre received pushback and a legal threat. So instead of collecting his $30,000 bounty, Finisterre is now going public with his findings (and experience).
Ars Technica reports that DJI developers had left private keys for the company’s web domains and cloud storage accounts within source code hosted on GitHub.
Using the keys, Finisterre discovered that he was able to access private data uploaded by DJI customers — not just flight logs and aerial photos, but also government IDs, driver's licenses, and passports. What's more, some of the flight logs appeared to have been sent from government and military domains (as a side note, the US Army ended its use of DJI drones earlier this year due to “cyber vulnerabilities”).
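The root cause reported above, credentials committed to a public repository, is exactly what a secret scanner run in CI or as a pre-commit hook is meant to catch before a push. The following is an added example, not code from the article or from DJI: it scans a constructed sample settings module for PEM private-key headers and cloud credential assignments; the rule names are my own, and the AWS key values are the placeholder examples from AWS's documentation.

```python
import re

# Detection rules for credentials that commonly get committed to source control.
# The AWS access key ID shape (AKIA + 16 uppercase alphanumerics) and the PEM
# header are real formats; the rule names below are hypothetical, chosen here.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key_assignment": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}['\"]?"),
    "generic_secret_assignment": re.compile(
        r"(?i)(secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"),
}

def scan_source(text):
    """Return (line_number, rule_name) for every line matching a secret rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

def redact(line):
    """Mask matched secrets so a finding can be logged without re-leaking it."""
    for pattern in SECRET_PATTERNS.values():
        line = pattern.sub("[REDACTED]", line)
    return line

# Constructed sample: a settings module holding live cloud credentials and a TLS
# key, the kind of file that must be blocked before it reaches a public repo.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET = "customer-uploads"  # a bucket name, not a secret

TLS_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...constructed placeholder, not a real key...
-----END RSA PRIVATE KEY-----'''

def client():
    return boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                        aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

if __name__ == "__main__":
    lines = SAMPLE_SOURCE.splitlines()
    for lineno, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno} [{rule}]: {redact(lines[lineno - 1])}")
```

The same `scan_source` call can be pointed at `git diff --cached` output in a pre-commit hook, so a non-empty finding list fails the commit instead of publishing the key.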
After reporting the vulnerability to DJI, Finisterre was initially informed that his report qualified for the top bounty of $30,000. He then engaged in a lengthy conversation with a DJI employee who both confirmed the existence of the exposed data and showed a striking lack of cybersecurity know-how.
“This was the first in a long line of education on basic security concepts, and bug bounty practices,” Finisterre says. “Over 130 emails were exchanged back and forth at one point in one thread. At one point days later DJI even offered to hire me directly to consult with them on their security.”
As he continued his conversations with DJI, however, Finisterre soon found that DJI wasn’t readily agreeing that its servers were part of the scope of the new bounty program. Finisterre was also turned off by DJI’s refusal to provide him with protection against legal action.
What’s more, DJI itself sent a threat of charges under the Computer Fraud and Abuse Act (CFAA), accusing Finisterre of “unauthorized access and transmission of information.”
Still, Finisterre went ahead and negotiated a “final offer” from DJI for the contract in the bug bounty program. After consulting with lawyers, however, Finisterre concluded that the terms were horrible.
“[N]o less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it,” Finisterre writes. “I went through various iterations to get the letter corrected. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement sign-able.”
So instead of collecting his lucrative $30,000 bounty, staying silent, and risking future legal action, Finisterre decided to gather all of his findings into an 18-page PDF he just published, titled “Why I walked away from $30,000 of DJI bounty money.”
After the report was published, DJI called Finisterre a “hacker” in a statement to Ars Technica:
DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.
DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.
Finisterre says that DJI has since given him “cold blooded silence” after his last messages expressing disappointment and offense over DJI’s bug bounty program.