German researchers say they’ve found security gaps in four models of DJI drones – albeit not the kind that US politicians have claimed to justify placing the company’s craft on federal blacklists.
Security researcher Kevin Finisterre recently found a security flaw that allowed him to access DJI customers’ personal data on the Chinese drone manufacturer’s servers. Finisterre used DJI’s recently launched Bug Bounty program to report his findings. This resulted in many emails being sent back and forth between the researcher and the drone company’s legal department about the scope of DJI’s Bug Bounty program and other legalities. In the end, Finisterre felt threatened and concluded he could not sign DJI’s document. He then decided not only to forgo the $30,000 top reward but also to go public with his story in an 18-page PDF titled: “Why I walked away from $30,000 of DJI bounty money.”
Late in August, DJI launched its “Bug Bounty” program after hackers had been able to bypass DJI’s geo-fencing. Around the same time, the US Army stopped using DJI’s products because of ‘cyber vulnerabilities’. Apparently, the program has been quite the success and DJI is now planning to make the first payouts, according to DroneLife. The combined payout is in excess of $30,000 to multiple researchers.