Please select Into the mobile phone version | Continue to access the computer ver.
DJI has been hacked
2444 28 2017-11-21
Uploading and Loding Picture ...(0/1)
o(^-^)o
dancopter
First Officer
Flight distance : 17901030 ft
  • >>>
United Arab Emirates
Offline

https://petapixel.com/2017/11/20 ... rejects-30k-bounty/
2017-11-21
Use props
DJI Joe
Administrator

United States
Offline

Here's DJI's official statement on the issue:
Screen Shot 2017-11-20 at 10.09.40 AM.png
2017-11-21
Use props
CuaC
First Officer
Flight distance : 369626 ft
Germany
Offline

It seems that it's just a white hat guy reporting the security threat on the bug bounty program, that has rejected the reward and gone public because DJI sent him a threatening letter for accessing private data. In reality he has indeed accessed such information (there's no need to publish pics, enough with a directory listing...) DJI should have however reacted better... if you implement a bug bounty program you can't later complain when they hack you
2017-11-21
Use props
dancopter
First Officer
Flight distance : 17901030 ft
  • >>>
United Arab Emirates
Offline

"Finisterre ran another GitHub search and discovered AWS private keys for DJI's SkyPixel photo-sharing service. He learned through a DJI modders' Slack channel that some DJI AWS accounts were set to be publicly accessible, and the "buckets" included "all attachments to the service e-mails they receive… images of damaged drones… receipt and other personal data… and 'occasional photos of people cut by propellers."

https://arstechnica.com/informat ... -exposed-customers/
2017-11-21
Use props
Woe
Captain
Flight distance : 4129268 ft
  • >>>
United States
Offline

So is this a hacker or a disgruntle customer.
2017-11-21
Use props
SafariMan
First Officer
Flight distance : 62917 ft
  • >>>
Switzerland
Offline

Interesting.
2017-11-21
Use props
Bulldog
First Officer
Flight distance : 816158 ft
United States
Offline

Anything can be hacked. It's the world we live in.

Life Lock protect you! jk.
2017-11-21
Use props
Nikon 1
Second Officer
United States
Offline

“DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.

DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

Sure sounds like a CYA move to me, with a contract written in bad faith to ensnare the researcher.
2017-11-21
Use props
Ex Machina
Captain
Flight distance : 1739816 ft
United States
Offline

Nikon 1 Posted at 2017-11-21 06:09
“DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.

DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

Apparently DJI didn't specify that all eligible hacks would need to be kept private at the time and white hat dude pushed back -- they do now. DJI should have just paid the guy and sucked it up.
2017-11-21
Use props
Welsh Mavic
lvl.4
Flight distance : 26493 ft
France
Offline

Read that today!!!  DJI will hopefully learn from it.  Apparently server ssh keys were on Github source code??  Mind boggles, someone needs sacking.
2017-11-21
Use props
jeebs-9
First Officer
Flight distance : 174262 ft
United States
Offline

I can't believe no one here knows of Kevin. He's been after DJI for years now. What people don't see is that DJI was trying to shut him up. So they wouldn't fix anything. He didn't want to sign the NDA. Which is totally right in my opinion. These bounty have had a long history of just sitting on huge wholes in their system. And I'm not saying this is true. But the Chinese Gov could be stealing or taking data from DJI. It's a scary thought that we as drone pilots could be flying and feeding info to another county for who knows what.

I have a feeling that DJI knew about this.  
Also for Kevin it's not about the money. He does this for a living.

Another side to the story is that Kevin works for Dept 13. A anti-drone company that is working on stuff. Their stocks dropped once Areospace (whatever it's called) was released at a cheaper price.

Here is the article

https://www.wetalkuav.com/department-13-kf-30/
2017-11-21
Use props
Montfrooij
Captain
Flight distance : 1859961 ft
Netherlands
Offline

jeebs-9 Posted at 2017-11-21 09:43
I can't believe no one here knows of Kevin. He's been after DJI for years now. What people don't see is that DJI was trying to shut him up. So they wouldn't fix anything. He didn't want to sign the NDA. Which is totally right in my opinion. These bounty have had a long history of just sitting on huge wholes in their system. And I'm not saying this is true. But the Chinese Gov could be stealing or taking data from DJI. It's a scary thought that we as drone pilots could be flying and feeding info to another county for who knows what.

I have a feeling that DJI knew about this.  

Also interesting.
2017-11-21
Use props
Drseussami
Second Officer
Flight distance : 108002 ft
United States
Offline

Seems to me DJI got caught with their pants down getting called out on and now don't want to pay up...Sketchy to say the least.
2017-11-21
Use props
Hugh Jaynus
First Officer
Flight distance : 1204754 ft
United States
Offline

Drseussami Posted at 2017-11-21 11:09
Seems to me DJI got caught with their pants down getting called out on and now don't want to pay up...Sketchy to say the least.

They offered him $30k for finding the hole but wanted him to sign NDA which he refused and did not take the money. For a hacker, the nod and bragging rights of his discovery on his resume are far greater than the monetary value. It's clear which way he chose which is why we know about the security hole today. If he'd taken the money we wouldn't.
2017-11-21
Use props
dronist
Captain
  • >>>
United States
Offline

It is sooooooooo simple to encrypt everything on any servers so even if someone stole the hard drive they won't be able to do anything with it  but NOOOOOOOOOOOOOOOO...

No one is willing to do the extra steps, from big box company to small businesses, and that is why everyone get hacked and NOT because it is the new norm and everyone can get hack.

EXPERIAN, TARGET, OFFICE DEPOT, STAPLES, SCORES OF HOSPITAL GROUPS all get hacked because their data was NOT encrypted. If it was would not have to endure all the furstrations.

It is a shame that people keep getting away with laziness and stupidity!  

2017-11-21
Use props
CycleParadise
Captain
Flight distance : 157047 ft
United States
Offline

dronist Posted at 2017-11-21 14:33
It is sooooooooo simple to encrypt everything on any servers so even if someone stole the hard drive they won't be able to do anything with it  but NOOOOOOOOOOOOOOOO...

No one is willing to do the extra steps, from big box company to small businesses, and that is why everyone get hacked and NOT because it is the new norm and everyone can get hack.

Let's not forget Uber!

Uber Paid Hackers...
2017-11-21
Use props
dronist
Captain
  • >>>
United States
Offline

CycleParadise Posted at 2017-11-21 17:37
Let's not forget Uber!

Uber Paid Hackers...

These punks kept the secret for a year maybe more. It is simple, if people DON'T GET PUNISHED they will keep doing it and we get screwed.

That is why I was one of the first to object to DJI storing our information and everybody said oh what you have to hide they don't understand IT IS MY PRIVACY and I only trust myself to keep it safe.

I am still using .700 and always fly in airplane mode and don't give access to my photos to any apps period. Save it on the SD and then download it.


2017-11-21
Use props
Nikon 1
Second Officer
United States
Offline

Ex Machina Posted at 2017-11-21 07:03
Apparently DJI didn't specify that all eligible hacks would need to be kept private at the time and white hat dude pushed back -- they do now. DJI should have just paid the guy and sucked it up.

And fixed the problems he found.
2017-11-22
Use props
Drseussami
Second Officer
Flight distance : 108002 ft
United States
Offline

Sure....I'm gonna believe DJI "fixed" the problems.....just like Equifax and Uber....
2017-11-22
Use props
Welsh Mavic
lvl.4
Flight distance : 26493 ft
France
Offline

Remember this is a Chinese Billion Dollar company as well, bet the Gov are well involved.

The Chinese are on another planet in many respects to the West although they like to emulate the West.
2017-11-22
Use props
BumblerBee
First Officer
Flight distance : 609816 ft
Norway
Offline

After reading both sides of the story, I think Kevin overstepped the norm for security testing - you check the keys, BUT YOU DO NOT TAKE THE STUFF OUT! This is what DJI's response is about.
2017-11-22
Use props
jeebs-9
First Officer
Flight distance : 174262 ft
United States
Offline


Seems like a few things were going on here. SMH
2017-11-27
Use props
jeebs-9
First Officer
Flight distance : 174262 ft
United States
Offline

Wow.... This is big...

https://www.engadget.com/2017/11 ... rones-spying-china/
2017-11-30
Use props
Welsh Mavic
lvl.4
Flight distance : 26493 ft
France
Offline

While Google Street view accidently gathered people's WiFi info as they went.
2017-11-30
Use props
Woe
Captain
Flight distance : 4129268 ft
  • >>>
United States
Offline

Hacker  or disappointed employee?
2017-11-30
Use props
Fractures
lvl.4
Flight distance : 635531 ft
United States
Offline

jeebs-9 Posted at 2017-11-30 14:36
Wow.... This is big...

https://www.engadget.com/2017/11/30/homeland-security-claims-dji-drones-spying-china/

Definitely wont be seeing any synced flights or internet connection on my drones from now on.
2017-11-30
Use props
hallmark007
Captain
Flight distance : 5482523 ft
  • >>>
Ireland
Offline

Fractures Posted at 2017-11-30 16:02
Definitely wont be seeing any synced flights or internet connection on my drones from now on.

Just use dji pilot app.
2017-11-30
Use props
jeebs-9
First Officer
Flight distance : 174262 ft
United States
Offline

Welsh Mavic Posted at 2017-11-30 15:24
While Google Street view accidently gathered people's WiFi info as they went.

They actually explained why it was happening. DJI hasn't and got exposed badly....
2017-12-1
Use props
jeebs-9
First Officer
Flight distance : 174262 ft
United States
Offline

Woe Posted at 2017-11-30 15:51
Hacker  or disappointed employee?

Kekvin is a Hacker.... He's done this before and will again.
2017-12-1
Use props
Advanced
You need to log in before you can reply Login | Register now

Credit Rules