A Chinese developer ‘unintentionally’ posted DJI’s AES firmware keys and a TLS private key in plain text on GitHub. The developer, who had previously expressed suicidal thoughts, has since been jailed.
DJI Mavic Pro
Chinese developer ‘unintentionally’ posted DJI’s keys on GitHub
The Register reports that the AES key would have allowed DJI’s encrypted flight-control firmware to be decrypted, opening up the possibility of bypassing geofencing and other performance restrictions on DJI drones. Decryption by itself exposes the firmware to inspection and modification; whether a modified image could then be loaded onto a drone depends on signature checks that the report does not go into.
The private key for a wildcard TLS (SSL) certificate covering *.dji.com was also disclosed in plain text. Anyone holding it could impersonate any dji.com host, and so intercept and decrypt communications between DJI drones and the company’s servers in China. Passive decryption of previously recorded traffic only works for sessions that used RSA key exchange rather than a forward-secret cipher suite, but active man-in-the-middle interception works regardless, and the exposure lasts until the certificate is revoked and reissued from a fresh key.
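The practical lesson of this story is that both kinds of material, PEM private keys and raw hex AES keys, are easy to catch before they ever reach a public repository. The scanner below is an added example written for this article; it is not DJI’s tooling or anything Finisterre published. The repository snapshot (SAMPLE_REPO), its file names and the key values in it are constructed for illustration, and the entropy threshold is an assumption chosen to separate random key material from zero-filled or repeated placeholders.

```python
"""Pre-commit style secret scan for the two kinds of material leaked here:
PEM private keys (TLS) and raw hex AES keys.

Added example, not DJI's or the researcher's tooling. SAMPLE_REPO below is
constructed: the file names, key values and contents are invented."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Any PEM private-key header: RSA, EC, OPENSSH, ENCRYPTED, or the generic PKCS#8 form.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Exactly 32, 48 or 64 hex digits (AES-128/192/256) bounded by non-hex characters.
# The bounds stop a 40-digit git commit hash from matching on its first 32 digits.
HEX_KEY_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{48}|[0-9A-Fa-f]{64})(?![0-9A-Fa-f])"
)

# Bits per character (assumed threshold). Random hex lands around 3.6-4.0;
# all-zero placeholders score 0.0 and repeated patterns like "deadbeef" stay low.
ENTROPY_THRESHOLD = 3.0


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # redacted so the scanner's own output never leaks the key


def shannon_entropy(s: str) -> float:
    """Entropy of the character distribution of s, in bits per character."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return findings for one file's contents; a PEM header short-circuits the line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_RE.search(line):
            findings.append(Finding(path, lineno, "pem-private-key", line.strip()[:32]))
            continue
        for m in HEX_KEY_RE.finditer(line):
            token = m.group(0)
            # The entropy check separates real key material from placeholders.
            # Hex digests of the same length (e.g. MD5) are a known false positive.
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "hex-key-material", token[:6] + "..."))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map in deterministic (sorted) path order."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed repository snapshot, not real DJI material.
SAMPLE_REPO = {
    "README.md": "Built from commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\n",
    "certs/wildcard.example.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "config/settings.py": (
        'FIRMWARE_AES_KEY = "9f86d081884c7d659a2feaa0c55ad015"  # must never be committed\n'
        'PLACEHOLDER_KEY = "00000000000000000000000000000000"\n'
    ),
}

if __name__ == "__main__":
    hits = scan_tree(SAMPLE_REPO)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} ({f.snippet})")
    # A non-zero exit status makes a git pre-commit hook refuse the commit.
    raise SystemExit(1 if hits else 0)
```

Run against the constructed snapshot it flags the PEM key file and the real-looking AES key, while the commit hash and the all-zero placeholder pass. To use it as a hook, feed it the staged files (for example the output of `git diff --cached --name-only`) instead of SAMPLE_REPO; the redacted snippets mean the hook’s own log lines are safe to keep.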
The developer was convicted in early April by the Shenzhen District Court. Local media report that:
“The employee was sentenced to six months in prison for infringement of trade secrets. The penalty is 200,000 yuan” (just under $30,000).
The damages caused to DJI are reportedly around 1.164m yuan, or about $175,000.
Researcher Kevin Finisterre forwarded the following quote from the jailed developer, Li Zhanbin, to The Register. It reads:
“I am the stupid guy who unintentionally shared the DJI SSL keys and firmware AES keys on GitHub. I in total shared 4 repositories named ‘spray-system’, ‘Management-platform’, ‘real_time_serve_v1’ and ‘real_time_serve’.”
If the name Finisterre sounds familiar to you, it is likely because of this story from some time ago.
Finisterre was also the one who spotted the keys on GitHub. Li Zhanbin, the now-jailed developer, had asked him for help in dealing with the Chinese police.
In another email, Li Zhanbin explains that he had been let go from DJI on January 26th, 2018. He added that:
“I was born in a very poor village; I stud[ied] hard all the time, I finally got into …university. It is a very happy thing to me and my parents. BUT now all the things are done. I am done. I will go to jail, and I have to take this stain … in my life. My girlfriend begin to break up with me, woooo, my family are broken. Fuck!!! What are terrible things! Maybe the only thing I can do now is to die; it is so hard. I need to be free.”
Local media, who appear to be quoting Chinese state prosecutors, report that the jailed developer tweeted:
“There is no intention to disclose the secrets of Dajiang” and “I regret that I have no legal awareness, and I am willing to bear the corresponding legal responsibilities.”
A DJI spokesperson declined to provide further information, telling The Register:
“DJI does not comment on legal matters involving current or former employees. Our company policy is that we do not discuss specific employment issues in the media.”
Buy your next drone through directly from manufacturers, such as DJI, Parrot, Yuneec or retailers like Amazon, B&H, BestBuy or eBay. By using our links, we will make a small commission, but it will not cost you anything extra. Thank you for helping DroneDJ grow!