Two documents which have come to light recently throw severe doubts on both DJI’s ability and willingness to install security measures in its products. In the first, Kevin Finisterre, a researcher, found that DJI left the private key for its dot-com’s HTTPS certificate exposed on GitHub for up to four years. In the second, a White Paper by Department 13 entitled ‘Anatomy of DJI Drone Identification Implementation’, it emerges that some of DJI’s approaches have clear security issues with no apparent remediation.
Finisterre found that DJI also exposed customers’ personal information – from flight logs to copies of government ID cards – to the internet from misconfigured AWS S3 buckets.
By leaking the wildcard SSL cert private key, which covers *.dji.com, DJI gave miscreants the information needed to create spoof instances of the manufacturer’s website with a correct HTTPS certificate, and silently redirect victims to the malicious forgeries and downloads via standard man-in-the-middle attacks. Hackers could also use the key to decrypt and tamper with intercepted network traffic to and from its web servers.
It’s rather embarrassing. DJI is one of the world’s largest small and medium-sized aerial drone manufacturers.
The private SSL key was found sitting in a public DJI-owned GitHub repo by Kevin Finisterre, a researcher who focuses on DJI products. AWS account credentials and firmware AES encryption keys were also exposed on GitHub, we’re told, along with people’s highly sensitive personal information in poorly configured public-facing AWS S3 buckets, which he summarized as a “full infrastructure compromise.” DJI has since marked the affected HTTPS certificate as revoked, and acquired a new one in September.
“I had seen unencrypted flight logs, passports, drivers licenses, and identification cards,” Finisterre said, adding: “It should be noted that newer logs and PII [personally identifiable information] seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes.”
Finisterre posted an 18-page PDF on Twitter setting out his findings and frustrations over what he describes as several months of working with DJI’s US representatives in trying to report the security blunders. Having disclosed the cockups privately to DJI, he applied for a reward from its bug bounty scheme.
Though DJI agreed in principle that he would be paid their “top reward” of $30,000, the two sides disagreed vehemently over the terms of a non-disclosure agreement that the company wanted all bounty recipients to sign, which eventually led to Finisterre losing patience and going public with all the details, effectively throwing away thirty grand.
In a thinly veiled threat, he was also warned by the drone maker that he may have broken US laws on computer hacking by probing DJI’s systems.
The Department 13 White Paper focuses on DJI’s implementation of a remote drone identification system based on the influences of the drone community. In the recent technology white paper “What’s in a Name? A Call for a Balanced Remote Identification Approach”, DJI specifically mentions “The Privacy Interests of the Operator” as a potential hurdle to Drone ID.
The authors complain that DJI’s actions are occurring in isolation, without DJI working with the community to address security concerns, or providing information about issues such as how the system works and how data is handled
Essentially, DJI is playing God with the community’s data, and disregarding the outcomes on the community. The community needs to be warned and should assemble a watchdog group to push back and assert transparency.
The community raised two main concerns regarding DJI’s proposal. First, tracking drone ID data and metadata opens the door for future exploitation. For example, networked solutions increase “the possibility that all UAS operations will be tracked and recorded for future unknown exploitation, including enforcement quotas or business espionage.” Second, there is a potential for drone ID system hacking.
For example, a networked system may be “susceptible to system-wide hacking, or the creation by detractors of false entries of drone operations that do not exist.” It should be noted that some of the risks that were presented are also inherent in “localized” implementations. In some respects, it would be wise for DJI to put the Drone ID technology implementation up for examination via a public review Request for Comments (RFC). The fact that DJI has not put out an RFC, a common practice, may draw criticism from the security community as DJI pushes forward to have their work become the Remote Drone ID standard.
Earlier this year the US Army issued a blanket ban on the use of DJI products by its personnel. It gave no reason for doing so, other than unspecified “cyber vulnerabilities,” and was rapidly followed in doing so by the Australian military. Several British police forces also use DJI drones for operations, in place of helicopters.
Sources: The Register; Department 13
And after finding these defects in DJI it was the authors brilliant idea to BROADCAST that to the world. Awesome.
With regards to the military angle,
DJI is working with both the Military and US government to address security issues with flight data etc. If you don’t use the sync to cloud function in DJI Go you do not expose your data. Simple as that.
Yes these issues raised are serious, but not insurmountable, and amount mostly to veiled attempts to scare people to inferior and or more expensive domestic products that still fly on components created in china. Like it or not DJI owns the market for the foreseeable future, and you can either bury your head in the sand, or get on with business and take reasonable caution in your data security procedures, and update regularly.