Security researcher Kevin Finisterre recently found a security flaw that allowed him to access personal data from DJI’s customers on servers from the Chinese drone manufacturer. Finisterre used DJI’s recently launched Bug Bounty program to report his findings. This resulted in many emails being sent back and forth between the researcher and the drone company’s legal department about the scope of DJI’s Bug Bounty program and other legalities. In the end, Finisterre felt threatened and concluded he could not sign DJI’s document. He then decided to not only forgo the 30,000 top reward but also to go public with his story in an 18-page PDF titled: “Why I walked away from $30,000 of DJI bounty money.”
DJI customer data exposed in security breach
ARS Technica reported that this all started back in September when DJI was first informed that code publicly posted on Github contained the private keys to both the ‘wildcard’ certificate for all the company’s Web domains and the keys to cloud storage accounts on Amazon Web Services (AWS). Finisterre was able to use this data to get access to DJI’s servers, where he was able to access customers flight records and images uploaded by DJI customers, including photos of driver licenses, passports and government ID’s. Some of the data included even flight logs from accounts associated with military and other government domains. This may well be the reason why the U.S. Army decided to stop using DJI products due to cyber vulnerabilities earlier this year.
After receiving and evaluating Finisterre’s report, DJI informed the researcher that his findings qualified for the top Bug Bounty of $30,000.
A little over an hour later I received the following email stating that DJI has “concluded that the issues [I] submitted reached TOP reward (30,000 USD)” and that I “will be rewarded with cash”.
Finisterre was then introduced to one of DJI’s engineers and a lengthy email conversation ensued in which he tried to explain to the DJI employee how it could be that the customer’s data was exposed. During these conversations, Finisterre also realized the lack of security understanding on his counterpart’s side.
“This was the first in a long line of education on basic security concepts, and bug bounty practices,” Finisterre says. “Over 130 emails were exchanged back and forth at one point in one thread. At one point days later DJI even offered to hire me directly to consult with them on their security.”
The conversation turns offensive
As the conversations continued, DJI apparently changed its mind and servers that initially were within the scope of the Bug Bounty program now no longer were. Furthermore, the legal documents Finisterre had to sign in order to receive his bounty were so broadly defined and restrictive that the researcher, after consulting with his lawyers, decided he could not sign them. Even worse, Finisterre felt mistreated by some of the language used in the email correspondence between himself and DJI’s legal department. This reached its culmination in a thinly disguised threat from DJI of charges under the Computer Fraud and Abuse Act (CFAA), accusing Finisterre of “unauthorized access and transmission of information.”
According to his report, Finisterre continued the negotiations with DJI and received a final offer for terms under which he could receive the top bounty of $30,000. Finisterre consulted with his lawyers and concluded that the terms were simply unacceptable.
“In the days following no less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it. I went through various iterations to get the letter corrected. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement sign-able.”
In the end, Finisterre felt offended, threatened and it all seemed like a waste of time. Instead of collecting the $30,000 bounty and risking future legal actions from DJI against him, Finisterre decided to go public and compile his experience in an 18-page PDF titled: “Why I walked away from $30,000 of DJI bounty money.”
After Finisterre published his report, DJI issued a statement online in which Finisterre was no longer referred to as a security researcher but was called a hacker instead.
DJI responded with a public statement on its website:
DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users.
As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.
DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.
DJI takes data security extremely seriously, and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI’s products. DJI has paid thousands of dollars to almost a dozen researchers who have submitted reports to the Security Response Center and agreed to the terms for payment. As the Security Response Center receives new reports, DJI regularly agrees to pay new bounties to researchers for their discoveries.
More details about the Security Response Center and information on how to submit bugs are available on the center’s website at security.dji.com.
Finisterre expressed his disappointment with DJI’s Bug Bounty program in messages to the drone manufacturer but claims that he has received nothing other than “cold-blooded silence” in return.