DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

"Hacker?"

DJI launched its bug bounty this fall shortly after the US Army issued a ban on using DJI drones for any military purpose due to "operational security" concerns. There were also spreading reports of people hacking the firmware of DJI drones—some hacks have even been posted to GitHub by Finisterre. But according to Finisterre, the program was clearly rushed out. The company did not, and has yet to, define the scope of the bounty program publicly. So when Finisterre discovered that DJI's SSL certificates and firmware AES encryption keys had been exposed through searches on GitHub—in some cases for as long as four years—he contacted the company to see if its servers were within the scope of the bug bounty program. He was told they were—a statement that DJI officials would later walk back.

Finisterre ran another GitHub search and discovered AWS private keys for DJI's SkyPixel photo-sharing service. He learned through a DJI modders' Slack channel that some DJI AWS accounts were set to be publicly accessible, and the "buckets" included "all attachments to the service e-mails they receive… images of damaged drones… receipt and other personal data… and 'occasional photos of people cut by propellers.'"
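As an added illustration, not code from the article or from DJI, here is a small defender-side check for the two failure modes described above: credentials committed to a repository (AWS keys and PEM private keys, such as a wildcard certificate's key) and an S3 bucket ACL that grants access to everyone. The regex patterns, the sample settings file, and the ACL dictionary are assumptions of this example; the AWS values are Amazon's documented placeholder credentials.

```python
import re
import sys

# Patterns for the credential types the article says sat in public GitHub repositories:
# AWS access key IDs and secret keys, and PEM private keys (a wildcard TLS key is one).
CHECKS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}[A-Za-z0-9/+=]{40}\b")),
    ("pem_private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

PUBLIC_GROUPS = {  # S3 grantee groups that open a bucket to the whole Internet
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def scan_text(text):
    """Return (line_number, finding_type) for every line matching a check."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((num, name))
    return findings

def bucket_acl_is_public(acl):
    """True if an S3 ACL (shape of boto3 get_bucket_acl) grants access to everyone."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            return True
    return False

# Constructed sample settings file with credentials left inline; the AWS values
# are Amazon's documented placeholder credentials, not real ones.
SAMPLE_CONFIG = """\
S3_BUCKET = "uploads-sample"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Scan files named on the command line (as a pre-commit hook would), or the sample.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_CONFIG]
    hits = [f for t in texts for f in scan_text(t)]
    print("\n".join(f"line {n}: {kind}" for n, kind in hits) or "clean")
    sys.exit(1 if hits else 0)
```

Run with no arguments to see the three findings in the constructed sample; a non-zero exit lets a pre-commit hook block the commit.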

After his initial inquiry, Finisterre didn't hear back about the scope of the program for more than two weeks. He next sent a follow-up e-mail and received a message saying:

For the scope, the bug bounty program covers all the security issues in firmware, application and servers, including source code leak, security workaround, privacy issue. We are working on a detailed user guide for it.

After getting that assurance, Finisterre said he began working on a disclosure report based on what he had seen, documenting the extent of the breach. During this, he discovered personal identifying information. In light of that, he gave the company an immediate heads-up on the exposure "via a friend at DJI with a better technical understanding than the people I was dealing with."

Finisterre was contacted by another DJI employee a few hours later. He informed this representative, "I had seen unencrypted flight logs, passports, driver's licenses, and Identification Cards." Finisterre continued to communicate with the employee, Yongsen Chen, "in a long line of education on basic security concepts, and bug bounty practices"—the exchange stretched over 130 e-mails.

"At one point… DJI even offered to hire me directly to consult with them on their security," Finisterre wrote.

When Finisterre submitted his full report on the exposure to the bug bounty program, he received an e-mail from DJI's Brendan Schulman that said the company's servers were suddenly not in scope for the bounty program. Still, Finisterre received notification from DJI's bug bounty program e-mail account on September 28 that his report earned the top reward for the program—$30,000 in cash. Then, Finisterre heard nothing for nearly a month.

Ultimately, Finisterre received an e-mail containing an agreement contract that he said "did not offer researchers any sort of protection. For me personally, the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech." It seemed clear to Finisterre that "the entire ‘Bug Bounty’ program was rushed based on this alone," he wrote.

Despite efforts by Schulman to help communicate with DJI's Chinese legal department, things did not significantly improve. Finisterre soon received a letter from the legal department in Shenzhen demanding that he destroy any data he had uncovered in his research or face prosecution under the CFAA.

When a "final offer" contract arrived from DJI, Finisterre wrote, "no less than four lawyers told me in various ways that the agreement was not only extremely risky, but it was likely crafted in bad faith to silence anyone that signed it. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement signable." DJI stopped communicating with Finisterre after he expressed offense over the CFAA threat, and he walked away from the agreement, forfeiting the $30,000 he had been promised.

Ars reached out to Adam Lisberg, DJI's corporate communication director for North America, for comment. He responded by referring us to the following official statement issued on November 16. The language calls Finisterre a "hacker."

DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center. DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.

In the statement, DJI claims to have paid out thousands of dollars to "almost a dozen researchers" since the program was launched. The terms of the bug bounty program posted by DJI exclude "third-party websites or services, including third party software incorporated in DJI applications," though it is not clear whether these terms were communicated to Finisterre prior to his work. And bug submissions through the bug bounty program's official e-mail address were shut down as of yesterday, as per this bounce-back message received by Ars:

Please note that starting 2017-11-16, we will no longer be accepting bug reports thru this e-mail. If you have any questions, please contact us at bugbounty@dji.com and we will get back to you shortly.

If you do want to submit bugs to DJI, you still can through their security web page.