In a public statement addressing the Bug Bounty case with Kevin Finisterre, DJI also informs us that they’ve fired the software developers who were involved in the cyber-security breach of the DJI customer data stored on the AWS servers.
DJI does not shy away from making public statements to set the record straight or at least to provide their side of the story. They have done so in the case of the attack on DJI’s Aeroscope. DJI also responded when a drone struck an airplane in Quebec. And now, after Kevin Finisterre publicly posted his reasons for walking away from the top bounty of $30k of DJI’s Bug Bounty Program, DJI has released a public statement in which they point out the actions they have been taking to remedy the issues, one of which was the firing of the software developers who were responsible for data security.
DJI fires software developers and issues public statement
The response covers four different items: SSL certificates, AWS server data, the Bug Bounty Program, and the ICE memo. The last one we will cover in a separate post.
The first three items all seem to be related to Kevin Finisterre’s story. Keep in mind that we only have limited information available and therefore cannot be sure of all the details, but it seems that the SSL certificates are what ultimately provided Finisterre with access to the servers. DJI states that they acted immediately after they were made aware of the issue and replaced the SSL certificates. Furthermore, DJI fired the software engineers who were involved in keeping DJI’s customers’ data safe on the AWS servers. DJI also reduced the number of people who have access to this sensitive information and provided additional training for those employees. Lastly, DJI hired a third-party cyber forensics firm to investigate this incident. So far it seems that only one person had been able to access the information. It seems logical that DJI is referring to Kevin Finisterre.
A threat or expressing concerns?
Then DJI moves on to the Bug Bounty Program. DJI states that they have awarded almost a dozen security researchers, or hackers as DJI sometimes calls them, since they launched the program back in August. In Kevin Finisterre’s case, DJI states that the company never made any threats or required that Finisterre remain silent about his discovery. What Finisterre calls a “thinly veiled Computer Fraud and Abuse Act threat from DJI”, DJI calls a “concern about activities outside the program and potentially in violation of applicable laws”. What is interesting is that Finisterre, in his PDF document, admits that he initially missed the ‘threat’. DJI confirms this and states that they had not heard back from the security researcher for two weeks after they had sent him the draft letter. After those weeks passed, Finisterre decided to break off the negotiations, effectively walking away from the $30k bug bounty and making his story public. What exactly happened in those two weeks, we will probably never find out, but obviously DJI thought it was necessary to tell their side of the story.
DJI concludes their statement about the Finisterre case by stating that the company does not intend to downplay any data security issues. The Finisterre case is an individual situation that is not representative of the almost one dozen cases that have been resolved successfully. DJI has no intention of halting the Bug Bounty Program (website and statement).
You can read the entire response below.
DJI’s “Statement About DJI’s Cyber Security and Privacy Practices”
Statement About DJI’s Cyber Security and Privacy Practices
Recent news and blog coverage of DJI has raised a number of key questions about DJI’s practices regarding cyber security and privacy. We recognize that there are several reasonable concerns brought up about DJI’s record in this space, so we’d like to set the record straight on the current state of DJI’s security efforts.
1. SSL Certificate
In early September, DJI was notified that its SSL Certificate for the DJI website had been compromised. Immediately upon receiving this report, DJI revoked this certificate and replaced it with a new certificate.
Based on its investigation, DJI has no reason to believe that customer data has been compromised as a result. As a part of responsible disclosure to our customers, we have been working with an independent cyber forensics company to confirm our findings. We will continue monitoring the activities related to the expired SSL certificate and alert relevant customers if there is any evidence that their data integrity might have been impacted.
2. AWS Server Data
DJI received a report from an independent security researcher that an AWS server repository was accessible by unauthorized parties. We took this issue very seriously, and fixed it within a day of receiving the report.
After doing an internal audit, we identified the DJI developers responsible for this error, and took immediate disciplinary actions against them. We terminated their employment because we considered their behavior inexcusable and not in line with company policy. We also reduced the number of people who had authorization to change the public and private settings of our servers to prevent this situation from happening in the future. In addition, DJI further enhanced security measures and employee training to prevent similar incidents from occurring again.
Similar to the SSL Certificate issue we have engaged a third party cyber forensics firm to investigate this incident. Based on our analysis so far, only one party was able to download data from the server, including personal information of our developers. The investigation is ongoing, and we will notify customers if evidence suggests that the data has been misused.
3. Bug Bounty Program
DJI created the DJI Security Response Center (DSRC) to provide a channel for independent researchers to report issues that may impact the security of DJI’s products as a part of our focus on addressing data integrity.
Since announcing the DJI Bug Bounty program in August 2017, DJI has rewarded almost a dozen security researchers who have discovered potential vulnerabilities and received payment for their contributions after they complied with the program’s terms.
Claims that we have threatened one of the participants in the program, or required that he remain silent about his discovery, are false. The record of email exchanges and communication with the person in question shows that DJI continued negotiating the terms of the bounty in good faith with the participant until he chose to walk away from the program. While the participant did receive an unsigned draft letter via email expressing DJI’s concern about activities outside the program and potentially in violation of applicable laws, he did not complain to DJI when he received it, and continued negotiating terms of his bounty for two subsequent weeks. The last version of the terms DJI sent to this person provided for a limited, 90 day confidentiality period in which DJI could address the security vulnerability and provide any required legal notices, after which point he would be free to disclose to the public the facts about his discovery. This person agreed in principle to this provision, as well as the other main provisions of the last draft sent to him. While DJI waited two weeks for this person’s final comments and proposed revisions to this latest version of the terms, the person unilaterally decided to terminate negotiations. Subsequently, he posted the draft letter, the redacted developer information, confidential communications with DJI employees, and published an incomplete and misleading narrative of his negotiation process with DJI.
With the DSRC program, we showed that we have no intention to downplay concerns about data protection. The experience with the one person is an outlier and not representative of a program which has already paid almost a dozen researchers who have worked with us in good faith and who have adhered to the terms of the program. DJI remains committed to the DSRC program and continues to work together with researchers to help improve the security of our products.
4. ICE Memo
We are aware of a bulletin about DJI issued in August by an agent in the Los Angeles office of U.S. Immigration and Customs Enforcement (ICE). The bulletin is based on clearly false and misleading claims from an unidentified source.
Several of the key claims made by this unnamed source show a fundamental lack of understanding of DJI, its technology and the drone market. Some of the claims made are easily refuted with a few minutes of research. Had this research been done, the unnamed informant would know that:
- Neither DJI drones nor the GO App perform facial recognition when the system is off. In fact, even when powered on, no DJI product has the ability to “recognize” a face as a particular person for identification purposes. Advanced new products have “Active Track” algorithms that can track the movement of the shape of a face or the shape of a person to facilitate control of the drone or movement of the camera (when the product is powered on, and Active Track mode is engaged by the user).
- DJI’s pricing strategy has not caused Parrot or Yuneec to stop production. While many companies in our industry have reduced staff, there are still several companies producing new models of drones every year.
- DJI does not sell products at a loss or cheaper in the United States than in China. Pricing information has been and remains publicly available on DJI’s website. For example, through November, the Spark was $499 in the US and RMB 3,299 ($500) in China.
Based on these easily disproved claims, the statement makes several other false or misleading claims about our technology, how we manage data and our relationship with the Chinese government.
DJI does strive to comply with local laws and regulations in each country where its drones operate and to facilitate compliance by our customers. To the extent that there are location-specific rules and policies within China, we ensure that our systems comply with these rules, including the need to register or include no-fly zones on board. In compliance with the Chinese regulation, DJI utilizes the user’s IP address, GPS location, and MCC ID to determine if a drone is being operated in China. If so, DJI provides the customer with the features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government.
Additional Official DJI Statements on these issues:
DJI Statement On ICE Bulletin: https://www.dji.com/newsroom/news/dji-statement-on-ice-bulletin
DJI Statement On Reported Data Security Issue: https://www.dji.com/newsroom/news/dji-statement-on-reported-data-security-issue
For additional information, please contact: firstname.lastname@example.org