Researcher Spars With Drone Maker DJI Over Security FlawsDJI Alleges Bug Bounty 'Hacker' Damaged Server and Threatened Company
A longtime security researcher and drone enthusiast has become entangled in a conflict with Chinese drone manufacturer DJI over a security vulnerability report.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The situation has deteriorated, with DJI calling the security researcher, Kevin Finisterre, a "hacker" who "threatened" the company if his terms were not met.
In late September, Finisterre sent a detailed, 31-page vulnerability report to DJI, which appeared to qualify under the company's relatively new bug bounty disclosure program.
Finisterre found that Amazon Web Services servers used by DJI exposed private encryption keys, unencrypted flight logs, plus scans of passports, ID cards and driver's licenses. He has not publicly released the full findings, but he described the general issues in a Nov. 16 blog post.
He claims that DJI told him he qualified for a $30,000 bug bounty and even floated the idea of hiring him as a consultant. But first, DJI wanted him to sign a legal agreement.
After obtaining legal advice, Finisterre says he has refused to sign an agreement that he believes doesn't offer enough protection from prosecution.
Finisterre says his communication with DJI has now stopped, and the company has asserted its rights under the U.S. Computer Fraud and Abuse Act - a move that begs the question of whether DJI might pursue criminal charges against the researcher.
"Weird stuff," Finisterre tells Information Security Media Group. "I've never seen anything like it, and I've been in the security industry for a long time."
In a Nov. 16 statement, DJI alleges that Finisterre went public with "confidential communications" between him and the company after trying to claim the bug bounty. The company says it requires security researchers to agree to "standard terms" designed to protect confidential information and allow enough time to patch.
"The hacker in question refused to agree to these terms despite DJI's attempts to negotiate with him and threatened DJI if his terms were not met," the company says.
Tensions Can Flare Up
The researcher's conflict with DJI shows that despite an improving atmosphere between software vendors and independent security researchers, tensions can still flare up.
It was common a decade ago for companies to allude to legal action after receiving vulnerability reports. As a result and in retribution, some researchers would make their findings public before vendors had a chance to patch, which potentially put users at risk.
But those attitudes have largely changed. Many companies, such as Google and Facebook, offer lucrative rewards for vulnerability information.
Third-party services such as Bugcrowd, Synack, HackerOne and others help companies connect with independent security researchers, creating more formalized processes around bug hunting and reducing conflict.
In late August, DJI launched its own bug bounty program, which it calls the Threat Identification Reward Program. Rewards range from $100 to $30,000 depending on the severity of the flaw. DJI says it has paid thousands of dollars so far to nearly a dozen security researchers.
When DJI launched the program, it said it wanted to engage with the security community after previously not having offered clear lines of communication for anyone who wanted to report problems with its software or hardware.
Alleged Server Damage
Before submitting his report, Finisterre sought to clarify whether his findings fit the scope of DJI's bug bounty program.
A couple of weeks after his initial inquiry, Finisterre says he was told his findings, which related to servers run by DJI, qualified. He submitted a 31-page report. The report included details on data leaks related to sensitive domains, such as .mil, .gov and .gov.au.
When he searched for those domains in the exposed DJI data, he found that "immediately flight logs for a number of potentially sensitive locations came out," adding that "it should be noted that newer logs, and [personally identifiable information] seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes."
An intense back-and-forth discussion with DJI ensued, Finisterre says.
"I worked diligently with DJI (alongside 2 others on my reverse engineering team), [including] over 130-plus emails of teaching them the basics of computer security and urging them to hire someone to help them quickly as they were clearly clueless," Finisterre tells ISMG.
He says he was offered a chance to consult for the company as well as its top $30,000 bug bounty award. Finisterre received a letter that described the terms of the bug bounty agreement, which he felt "posed a direct conflict of interest to many things, including my freedom of speech. I was afraid of getting sued as soon as I saw the term's paperwork."
The two sides tried to bridge the gap. But then Finisterre received a letter dated Oct. 27 from DJI's legal department that appeared to raise the stakes. The letter, since posted online by Finisterre, warns him that he obtained proprietary and confidential information through his research "which caused damage to the integrity of the server."
The last line of the letter says that while the situation remains ongoing, DJI reserves its legal rights, including rights granted under the Computer Fraud and Abuse Act.