Drone-Maker DJI Offers Bug Bounty Program, Then Threatens Bug-Finder With The CFAA
from the that's-a-shitty-bounty dept
Far too many companies and industries out there seem to think that the best way to handle a security researcher finding security holes in their tech and websites is to immediately begin issuing threats. This is almost always monumentally dumb for any number of reasons, ranging from the work these researchers do actually being a benefit to these companies issuing the threats, to the resulting coverage of the threats making the vulnerabilities more widely known than they would have been otherwise.
But drone-maker DJI gets special marks for attacking security researchers, having decided to turn on one that was working within the bug-bounty program it had set up.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the “wildcard” certificate for all the company’s Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI’s systems under DJI’s bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company’s “final offer” for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, “Why I walked away from $30,000 of DJI bounty money.”
Finisterre helpfully documented his interactions with several DJI employees, all of which paint a pretty clear picture of a company that encouraged his work in finding exposed data and insecure public-facing websites. So appreciative was DJI, in fact, that Finisterre won the top prize for its bug-bounty program: $30,000. That prize came for Finisterre’s discovery that DJI’s SSL certificates and firmware encryption keys had been exposed via GitHub for years. After receiving written confirmation from DJI that its servers were within the scope of the bounty program, Finisterre submitted his disclosure report.
That’s when things got weird.
When Finisterre submitted his full report on the exposure to the bug bounty program, he received an e-mail from DJI’s Brendan Schulman that said the company’s servers were suddenly not in scope for the bounty program. Still, Finisterre received notification from DJI’s bug bounty program e-mail account on September 28 that his report earned the top reward for the program—$30,000 in cash. Then, Finisterre heard nothing for nearly a month.
Ultimately, Finisterre received an e-mail containing an agreement contract that he said “did not offer researchers any sort of protection. For me personally, the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech.” It seemed clear to Finisterre that “the entire ‘Bug Bounty’ program was rushed based on this alone,” he wrote.
He goes on to note that he had several lawyers look over the contract, all of whom balked at the language it contained. Hiring any of them to work the contract to the point that it was something he would sign would cost several thousand dollars, reducing the bounty reward to the point that it wasn’t really worth collecting. On top of all that, the language in the contract offered nothing in the way of protection from the CFAA, which is frankly insane for a bug bounty program. The whole point is to research vulnerabilities. Jail time is not supposed to be a risk in that sort of work.
When Finisterre decided to refuse the bounty and go public instead, DJI suddenly began calling him a “hacker” and acted as though it barely had any idea who he was, despite having interacted with him over hundreds of emails.
DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.
DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.
DJI has also shuttered the bug bounty program, with emails to it resulting in bouncebacks informing the reader that while they can still submit bug reports, the bounties are no longer available.
And so here we are. DJI offered a bug bounty program that one researcher responded to with a report about some serious vulnerabilities, including the disclosure of DJI customer information. Instead of being grateful for that information and correcting it, DJI instead decided to go the strongarm route, resulting in the public now knowing just how bad at security DJI is. Way to go?
Filed Under: bug bounty, cfaa, drones, hacks, kevin finisterre, threats
Companies: dji
Comments on “Drone-Maker DJI Offers Bug Bounty Program, Then Threatens Bug-Finder With The CFAA”
Giving DJI the benefit of doubt
They opened up the bounty program thinking their security was solid enough that it only needed tweaking, and then here comes a guy who proves it needs to be rewritten entirely.
Truth is hard, and they should pay him and learn their lesson.
But instead, it’s so easy to litigate.
Re: Giving DJI the benefit of doubt
No benefit deserved. They left very private information in a publicly available space. They can’t even claim “Well now we know!” because several other high-profile cases with exactly the same problem have filtered through the news recently to serve as a lesson and example to everyone.
DJI: Just another name on the “Never give these guys money” list.
From...
The careful what you wish for department.
Isn't this bait and switch?
Offer made, bug bounty, bug found, terms change. Any US court should find that the bait and switch overcomes the CFAA charges. The loss is to Finisterre, who not only looses the bounty, but must then spend money to defend the spurious CFAA charges. Seems like bounty plus should be the correct determination.
Though the proposer of the bounty is a Chinese company and Finisterre appears to be American, the challenge can only be made in a US court. While it may be difficult to get financial satisfaction from a Chinese company in the US, given the circumstances (many emails between proponents prior to the charges), there seems to be some illegal activity on the part of the Chinese company.
Is it shame or an unwillingness to part with the $30,000 bounty that is precluding them from paying up? Or both?
Denial is such a pernicious position.
Re: Isn't this bait and switch?
First, I’m going to apologize in advance. I will be making generalizations that simply do not apply universally, even to China.
Now, why would anyone do anything with anyone in China, small business especially, that required any amount of trust? The moral fiber of China has been wicked away since the Revolution. The goal for many is how much you can get away with! Lies and deceit are just a given. Ultimately, you can only trust those that have more to lose than you do.
Re: Re: Isn't this bait and switch?
The sad truth is your right. Shoplifting charges for walking over a line on the rug to get to the register at the airport. Both the cop and the shop in on the game. Why do they do it? Because they are trained to get money now despite the future.
China’s population truly feels that getting someone into a scam is a good thing and will have no respect for the victim. I can’t say it’s all of China, but dear lord I have not seen so many scams in one place.
Re: Isn't this bait and switch?
You would think, however, Finistere left the program of his own volition. By publishing the paper, he can not now claim the money.
His options earlier were to sue for the $30,000. Even if they changed the rules in the middle of the game, that was the limit of his claim. Today he can claim no reward. A smart lawyer may be able to squeeze some damages out of any law suit, but I’m not seeing it.
And you know what? That sucks. But that is what happened when we allowed the government to put in all those protections for businesses over consumers and the public.
The one thing I noticed when I submitted this article was that DJI offered a bug bounty but that they didn’t disclose the particulars for the bugs in the drones. That the researcher had submitted the bug before DJI set up the bounty program for the drones.
In a way, the researcher had beat DJI to the punch, and I thought it was hilarious when I read the original article before I submitted it. LOLS
1. Lure researchers with promises of payouts
2. Wait for security reports to arrive
3. Fix the security holes
4. Threaten the researchers and withold pay
5. ???
6. PROFIT!!!
Re: Re:
“Dare to be different; it helps to cut the amount of effort needed when we’re trying to root out troublemakers.”
Re: Re:
Have the fact that you’re collection a whole bunch of sensitive information, like GPS logs, without telling anyone. Priceless.
Seriously, this might be one of those privacy violations the EU only seems to care about when it’s Facebook or some other US company.
Rule #1 in security research
… Never, not ever, access anything to test if it’s secure.
… Never, not ever, leave bread crumbs back to yourself.
For every 1 time a security researcher finds and reports a bug and it’s handled well, I would guess they get legal threats 9 more times. It’s just not worth the hassle.
If you want to make money finding vulnerabilities, find them, then sell them on the dark web. If the companies that have vulnerabilities don’t like it, then they can stop being asshats to people trying to tell them “Uh, dude, you’ve got a problem you might want to look at…” and the good companies that treat the researchers like gold can put pressure on the bad ones.
Re: Rule #1 in security research
Exactly correct. Better to sell the vulnerabilities and make a living than be threatened/sued/prosecuted.
There are two side effects to this case.
First, nobody is ever going to freely help DJI again. They just burned all their currency with the entire security community. Which means that if any of us find something nasty and amusing, we might release it to the world for free — just to piss them off. Or maybe sell it to one of their competitors.
Second, now that we have some ideal how bad DJI is at this, we also know that there are probably plenty of other problems to find. I’m not interested in looking, but I’m sure lots of other people are.
Re: Rule #1 in security research
What makes it particularly insidious here was that the circumstances involved an implied permission for the first, and a requirement of the second. The company told people they wanted them to find flaws, and claiming the bounty required the researcher to provide contact detail.
With companies suing and/or threatening to sue people for exposing vulnerabilities in their products/services your advice to never report to them directly is definitely the safest bet, but they took one of the few ‘safe’ avenues to do so and torched it, such that people would be insane to ever try to privately tell them specifically about a problem, and you can bet people will be a lot more hesitant to accept bug-bounties from any company that doesn’t have an extensive history of not doing this, screwing over newer companies as well.
Re: Rule #1 in security research
Any company offering a reward or bounty to find bugs has also opened the door to legitimate searching of it’s proprietary IT systems as well as their code. They have surrendered their “color of law” right of privacy and can not later come along and claim it is illegal, trespassing, or hacking.
Smart companies have an office that receives notices of bugs. Rewards and bugs are handled quietly but fairly. Companies that screw over those who report bugs, end up not getting tips.
Re: Rule #1 in security research
Logging into a public file server is not unauthorized access, because you ASKED the server for permission and it granted it to you. So long as there was no misrepresentation of who you are, that’s the end of it.
Discovering that the security keys to pretty much everything the company does are on that public server does not magically make the discoverer a hacker any more than you become a burglar because you looked (just looked, didn’t take anything) from a pile on the side of the road beneath a sign saying “free stuff.”
this action is typical of just about every company in the USA that has been found to be wanting in terms of customer protection and it’s basically down to those in top positions in the various law enforcement agencies and government who think that every and i mean every single person on the planet is a terrorist and is out to get every government and country destroyed! talk about paranoia! reminds you of any other nation and it’s leaders around the 1930’s?
Automated tertiary model
Persevering upward-trending encoding
Grass-roots logistical productivity