Drone-Maker DJI Offers Bug Bounty Program, Then Threatens Bug-Finder With The CFAA
from the that's-a-shitty-bounty dept
Far too many companies and industries out there seem to think that the best way to handle a security researcher finding security holes in their tech and websites is to immediately begin issuing threats. This is almost always monumentally dumb for any number of reasons, ranging from the fact that the work these researchers do actually benefits the very companies issuing the threats, to the resulting coverage of the threats making the vulnerabilities more widely known than they would have been otherwise.
But drone-maker DJI gets special marks for attacking security researchers, having decided to turn on one that was working within the bug-bounty program it had set up.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
Finisterre helpfully documented his interactions with several DJI employees, all of which paint a pretty clear picture of a company that encouraged his work in finding exposed data and insecure public-facing websites. So appreciative was DJI, in fact, that Finisterre won the top prize for its bug-bounty program: $30,000. That prize came for Finisterre's discovery that DJI's SSL certificates and firmware encryption keys had been exposed via GitHub for years. After receiving written confirmation from DJI that its servers were within the scope of the bounty program, Finisterre submitted his disclosure report.
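The exposure at the centre of this story was a private key and cloud credentials committed to a public GitHub repository. As an added example (not code from the article, from DJI, or from the researcher), here is a small pre-commit secrets scanner in Python that flags exactly the credential types named above, PEM private keys and AWS access keys, in the lines a diff would add, so a hook on `git diff --cached` can stop them before they are pushed. The sample diff and its values are constructed; the AWS values are Amazon's published documentation placeholders, not live credentials.

```python
"""
Added example: a minimal pre-commit secrets scanner for the credential types
leaked in the DJI case (PEM private keys and AWS access keys). It inspects
only the lines a unified diff adds, so it can gate `git diff --cached` before
anything reaches a public repository. Not code from the article, DJI or the
researcher; the sample diff below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Finding:
    kind: str      # which signature matched
    line: int      # 1-based line number within the scanned text
    preview: str   # truncated excerpt; the secret value is never echoed in full


# Signatures for the credential types named in the story.
PATTERNS = {
    # Header of any PEM-encoded private key (TLS wildcard cert keys included).
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-char base64-like value assigned to a secret-key variable name;
    # requiring the name keeps ordinary base64 blobs from being flagged.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
}


def _scan_line(lineno: int, content: str) -> list[Finding]:
    """Run every signature over one line; keep only a short, safe preview."""
    return [
        Finding(kind, lineno, m.group(0)[:8] + "...")
        for kind, pattern in PATTERNS.items()
        for m in pattern.finditer(content)
    ]


def scan_text(text: str) -> list[Finding]:
    """Scan a whole file or blob (e.g. a file already in the repository)."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(_scan_line(lineno, line))
    return findings


def added_lines(diff: str) -> Iterator[tuple[int, str]]:
    """Yield (diff line number, content) for lines a unified diff adds.

    '+++' file headers are skipped; removed and context lines are ignored
    because they are not what this commit would publish.
    """
    for lineno, line in enumerate(diff.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            yield lineno, line[1:]


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the lines a diff introduces."""
    findings: list[Finding] = []
    for lineno, content in added_lines(diff):
        findings.extend(_scan_line(lineno, content))
    return findings


def should_block_commit(diff: str) -> bool:
    """Pre-commit policy: refuse the commit if any signature fires."""
    return bool(scan_diff(diff))


# Constructed sample diff. The AWS values are Amazon's published
# documentation placeholders, not live credentials; the PEM body is truncated.
SAMPLE_DIFF = """\
diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,2 +1,4 @@
 BUCKET = "flight-logs"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 REGION = "us-west-2"
diff --git a/deploy/wildcard.key b/deploy/wildcard.key
--- /dev/null
+++ b/deploy/wildcard.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC(truncated)
+-----END PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Typical hook usage: feed it `git diff --cached` and exit non-zero on hits.
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.kind:22} diff line {f.line:3}  {f.preview}")
    raise SystemExit(1 if should_block_commit(SAMPLE_DIFF) else 0)
```

Two design points worth noting. The scanner looks only at added lines, because a removed line is not what the commit publishes (the secret is, of course, still in history, which is why a leaked key must be rotated rather than merely deleted). And findings carry a truncated preview rather than the matched value, so the hook's own output does not become a second place the secret is written down.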
That's when things got weird.
When Finisterre submitted his full report on the exposure to the bug bounty program, he received an e-mail from DJI's Brendan Schulman that said the company's servers were suddenly not in scope for the bounty program. Still, Finisterre received notification from DJI's bug bounty program e-mail account on September 28 that his report earned the top reward for the program—$30,000 in cash. Then, Finisterre heard nothing for nearly a month.
Ultimately, Finisterre received an e-mail containing an agreement contract that he said "did not offer researchers any sort of protection. For me personally, the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech." It seemed clear to Finisterre that "the entire ‘Bug Bounty’ program was rushed based on this alone," he wrote.
He goes on to note that he had several lawyers look over the contract, all of whom balked at the language it contained. Hiring any of them to work the contract to the point that it was something he would sign would cost several thousand dollars, reducing the bounty reward to the point that it wasn't really worth collecting. On top of all that, the language in the contract offered nothing in the way of protection from the CFAA, which is frankly insane for a bug bounty program. The whole point is to research vulnerabilities. Jail time is not supposed to be a risk in that sort of work.
When Finisterre decided to refuse the bounty and go public instead, DJI suddenly began calling him a "hacker" and acted as though it barely had any idea who he was, despite having interacted with him over hundreds of emails.
DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.
DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.
DJI has also shuttered the bug bounty program, with emails to it resulting in bouncebacks informing the reader that while they can still submit bug reports, the bounties are no longer available.
And so here we are. DJI offered a bug bounty program, and one researcher responded to it with a report about some serious vulnerabilities, including the exposure of DJI customer information. Instead of being grateful for that information and fixing the problems, DJI decided to go the strong-arm route, with the result that the public now knows just how bad DJI is at security. Way to go?
Filed Under: bug bounty, cfaa, drones, hacks, kevin finisterre, threats
Companies: dji
Reader Comments
Giving DJI the benefit of doubt
They opened up the bounty program thinking their security was solid enough that it only needed tweaking, and then here comes a guy who proves it needs to be rewritten entirely.
Truth is hard, and they should pay him and learn their lesson.
But instead, it's so easy to litigate.
Re: Giving DJI the benefit of doubt
DJI: Just another name on the "Never give these guys money" list.
Isn't this bait and switch?
Though the proposer of the bounty is a Chinese company and Finisterre appears to be American, the challenge can only be made in a US court. While it may be difficult to get financial satisfaction from a Chinese company in the US, given the circumstances (many emails between proponents prior to the charges), there seems to be some illegal activity on the part of the Chinese company.
Is it shame or an unwillingness to part with the $30,000 bounty that is precluding them from paying up? Or both?
Denial is such a pernicious position.
Re: Isn't this bait and switch?
Now, why would anyone do anything with anyone in China, small business especially, that required any amount of trust? The moral fiber of China has been wicked away since the Revolution. The goal for many is how much you can get away with! Lies and deceit are just a given. Ultimately, you can only trust those that have more to lose than you do.
Re: Re: Isn't this bait and switch?
China’s population truly feels that getting someone into a scam is a good thing and will have no respect for the victim. I can’t say it’s all of China, but dear lord I have not seen so many scams in one place.
Re: Isn't this bait and switch?
His options earlier were to sue for the $30,000. Even if they changed the rules in the middle of the game, that was the limit of his claim. Today he can claim no reward. A smart lawyer may be able to squeeze some damages out of any lawsuit, but I'm not seeing it.
And you know what? That sucks. But that is what happened when we allowed the government to put in all those protections for businesses over consumers and the public.
In a way, the researcher had beat DJI to the punch, and I thought it was hilarious when I read the original article before I submitted it. LOLS
2. Wait for security reports to arrive
3. Fix the security holes
4. Threaten the researchers and withhold pay
5. ???
6. PROFIT!!!
Re:
Seriously, this might be one of those privacy violations the EU only seems to care about when it's Facebook or some other US company.
Rule #1 in security research
... Never, not ever, leave bread crumbs back to yourself.
For every 1 time a security researcher finds and reports a bug and it's handled well, I would guess they get legal threats 9 more times. It's just not worth the hassle.
If you want to make money finding vulnerabilities, find them, then sell them on the dark web. If the companies that have vulnerabilities don't like it, then they can stop being asshats to people trying to tell them "Uh, dude, you've got a problem you might want to look at..." and the good companies that treat the researchers like gold can put pressure on the bad ones.
Re: Rule #1 in security research
There are two side effects to this case.
First, nobody is ever going to freely help DJI again. They just burned all their currency with the entire security community. Which means that if any of us find something nasty and amusing, we might release it to the world for free -- just to piss them off. Or maybe sell it to one of their competitors.
Second, now that we have some idea how bad DJI is at this, we also know that there are probably plenty of other problems to find. I'm not interested in looking, but I'm sure lots of other people are.
Re: Rule #1 in security research
What makes it particularly insidious here was that the circumstances involved an implied permission for the first, and a requirement of the second. The company told people they wanted them to find flaws, and claiming the bounty required the researcher to provide contact detail.
With companies suing and/or threatening to sue people for exposing vulnerabilities in their products/services your advice to never report to them directly is definitely the safest bet, but they took one of the few 'safe' avenues to do so and torched it, such that people would be insane to ever try to privately tell them specifically about a problem, and you can bet people will be a lot more hesitant to accept bug-bounties from any company that doesn't have an extensive history of not doing this, screwing over newer companies as well.
Re: Rule #1 in security research
Smart companies have an office that receives notices of bugs. Rewards and bugs are handled quietly but fairly. Companies that screw over those who report bugs, end up not getting tips.
Re: Rule #1 in security research
Discovering that the security keys to pretty much everything the company does are on that public server does not magically make the discoverer a hacker any more than you become a burglar because you looked (just looked, didn't take anything) from a pile on the side of the road beneath a sign saying "free stuff."