DJI has been hacked
4087 28 2017-11-21
dancopter
Second Officer
Flight distance : 17901030 ft
United Arab Emirates

https://petapixel.com/2017/11/20 ... rejects-30k-bounty/
2017-11-21
DJI Joe
Captain

United States

Here's DJI's official statement on the issue:
(attached screenshot: Screen Shot 2017-11-20 at 10.09.40 AM.png)
2017-11-21
CuaC
lvl.4
Flight distance : 369626 ft
Germany

It seems that it's just a white hat guy reporting the security threat on the bug bounty program, who rejected the reward and went public because DJI sent him a threatening letter for accessing private data. In reality he has indeed accessed such information (there's no need to publish pics; a directory listing would have been enough...). DJI should have however reacted better... if you implement a bug bounty program you can't later complain when they hack you.
2017-11-21
dancopter
Second Officer
Flight distance : 17901030 ft
United Arab Emirates

"Finisterre ran another GitHub search and discovered AWS private keys for DJI's SkyPixel photo-sharing service. He learned through a DJI modders' Slack channel that some DJI AWS accounts were set to be publicly accessible, and the 'buckets' included 'all attachments to the service e-mails they receive… images of damaged drones… receipt and other personal data… and occasional photos of people cut by propellers.'"

https://arstechnica.com/informat ... -exposed-customers/
2017-11-21
Woe
Captain
Flight distance : 4129268 ft
United States

So is this a hacker or a disgruntled customer?
2017-11-21
SafariMan
Second Officer
Flight distance : 67703 ft
Switzerland

Interesting.
2017-11-21
Bulldog
lvl.4
Flight distance : 816158 ft
United States

Anything can be hacked. It's the world we live in.

LifeLock protects you! jk.
2017-11-21
Nikon 1
lvl.4
United States

“DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.

DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

Sure sounds like a CYA move to me, with a contract written in bad faith to ensnare the researcher.
2017-11-21
Ex Machina
First Officer
Flight distance : 1806362 ft
United States

Nikon 1 Posted at 2017-11-21 06:09
“DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.

DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

Apparently DJI didn't specify that all eligible hacks would need to be kept private at the time and white hat dude pushed back -- they do now. DJI should have just paid the guy and sucked it up.
2017-11-21
Welsh Mavic
lvl.3
Flight distance : 26493 ft
France

Read that today!!!  DJI will hopefully learn from it.  Apparently server SSH keys were in GitHub source code??  The mind boggles; someone needs sacking.
2017-11-21
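Editor's note: the Ars Technica passage dancopter quoted above and Welsh Mavic's post both come down to two checks a practitioner would run: are there cloud credentials sitting in the source tree, and is a storage bucket open to everyone. The Go program below is an added example, not code from this thread and not DJI's or Finisterre's tooling. It scans text for an AWS access key ID and for a 40-character secret that sits beside an "aws ... secret" hint, and it evaluates an S3 bucket policy for an unconditioned Allow to a wildcard principal. The credentials file and the policy are constructed samples; the key pair is the placeholder pair from AWS's own documentation, not a live credential.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Patterns for the two halves of an AWS IAM access key pair. The key ID format
// (AKIA + 16 upper-case alphanumerics) is fixed; the 40-character secret is only
// matched when it sits on a line that also carries an "aws ... secret" hint,
// because 40 base64 characters on their own match far too much.
var (
	accessKeyRe = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)
	secretKeyRe = regexp.MustCompile(`(?i)aws.{0,30}?secret.{0,30}?['"]?([A-Za-z0-9/+]{40})\b`)
)

// FindAWSKeys returns every access key ID and every hinted secret key in text.
func FindAWSKeys(text string) (ids, secrets []string) {
	ids = accessKeyRe.FindAllString(text, -1)
	for _, m := range secretKeyRe.FindAllStringSubmatch(text, -1) {
		secrets = append(secrets, m[1])
	}
	return ids, secrets
}

// statement carries only the policy fields the public-access check needs.
// Principal and Condition stay raw because IAM allows several JSON shapes.
type statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Condition json.RawMessage `json:"Condition"`
}

type policy struct {
	Statement []statement `json:"Statement"` // assumes the array form of Statement
}

// principalIsAnyone reports whether a Principal is "*" or {"AWS": "*"} (string
// or list), the spellings that admit any caller, anonymous ones included.
func principalIsAnyone(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var m map[string]json.RawMessage
	if json.Unmarshal(raw, &m) != nil {
		return false
	}
	for _, v := range m {
		var one string
		if json.Unmarshal(v, &one) == nil && one == "*" {
			return true
		}
		var many []string
		if json.Unmarshal(v, &many) == nil {
			for _, p := range many {
				if p == "*" {
					return true
				}
			}
		}
	}
	return false
}

// BucketPolicyIsPublic reports whether any Allow statement names a wildcard
// principal with no Condition. A Condition (source IP, VPC endpoint, ...) may
// still restrict access, so such statements are not counted as public here.
func BucketPolicyIsPublic(policyJSON []byte) (bool, error) {
	var p policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return false, err
	}
	for _, st := range p.Statement {
		if st.Effect == "Allow" && len(st.Condition) == 0 && principalIsAnyone(st.Principal) {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample: a credentials file committed by mistake. The key pair is
// the placeholder pair from AWS's own documentation, not a live credential.
const leakedConfig = `[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-west-2
`

// Constructed sample: a bucket policy that lets anyone list and read objects.
const publicPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-attachments", "arn:aws:s3:::example-attachments/*"]
  }]
}`

func main() {
	ids, secrets := FindAWSKeys(leakedConfig)
	fmt.Printf("access key IDs found: %v (secrets found: %d)\n", ids, len(secrets))
	public, err := BucketPolicyIsPublic([]byte(publicPolicy))
	fmt.Printf("bucket policy public: %v (err: %v)\n", public, err)
}
```

Two limits worth knowing before relying on this: a bucket can also be public through its ACL and through the account's Block Public Access settings, neither of which a policy check sees, and a policy whose Statement is a single object rather than an array will fail to parse here. Run the key scan over every commit in history, not just the working tree; a key that was removed in a later commit is still in the repository.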
jeebs-9
lvl.4
Flight distance : 174262 ft
United States

I can't believe no one here knows of Kevin. He's been after DJI for years now. What people don't see is that DJI was trying to shut him up, so they wouldn't fix anything. He didn't want to sign the NDA, which is totally right in my opinion. These bounties have had a long history of just sitting on huge holes in their system. And I'm not saying this is true, but the Chinese Gov could be stealing or taking data from DJI. It's a scary thought that we as drone pilots could be flying and feeding info to another country for who knows what.

I have a feeling that DJI knew about this.  
Also for Kevin it's not about the money. He does this for a living.

Another side to the story is that Kevin works for Dept 13, an anti-drone company that is working on stuff. Their stocks dropped once Areospace (whatever it's called) was released at a cheaper price.

Here is the article

https://www.wetalkuav.com/department-13-kf-30/
2017-11-21
Montfrooij
Captain
Flight distance : 2560453 ft
Netherlands

jeebs-9 Posted at 2017-11-21 09:43
I can't believe no one here knows of Kevin. He's been after DJI for years now. What people don't see is that DJI was trying to shut him up, so they wouldn't fix anything. He didn't want to sign the NDA, which is totally right in my opinion. These bounties have had a long history of just sitting on huge holes in their system. And I'm not saying this is true, but the Chinese Gov could be stealing or taking data from DJI. It's a scary thought that we as drone pilots could be flying and feeding info to another country for who knows what.

I have a feeling that DJI knew about this.  

Also interesting.
2017-11-21
Drseussami
lvl.4
Flight distance : 108002 ft
United States

Seems to me DJI got caught with their pants down, got called out on it, and now don't want to pay up... Sketchy to say the least.
2017-11-21
Hugh Jaynus
Second Officer
Flight distance : 1204754 ft
United States

Drseussami Posted at 2017-11-21 11:09
Seems to me DJI got caught with their pants down, got called out on it, and now don't want to pay up... Sketchy to say the least.

They offered him $30k for finding the hole but wanted him to sign NDA which he refused and did not take the money. For a hacker, the nod and bragging rights of his discovery on his resume are far greater than the monetary value. It's clear which way he chose which is why we know about the security hole today. If he'd taken the money we wouldn't.
2017-11-21
dronist
First Officer
United States

It is sooooooooo simple to encrypt everything on any servers so even if someone stole the hard drive they won't be able to do anything with it, but NOOOOOOOOOOOOOOOO...

No one is willing to do the extra steps, from big box companies to small businesses, and that is why everyone gets hacked, and NOT because it is the new norm and everyone can get hacked.

EXPERIAN, TARGET, OFFICE DEPOT, STAPLES, SCORES OF HOSPITAL GROUPS all got hacked because their data was NOT encrypted. If it was, we would not have to endure all the frustrations.

It is a shame that people keep getting away with laziness and stupidity!  

2017-11-21
CycleParadise
Second Officer
Flight distance : 385338 ft
United States

dronist Posted at 2017-11-21 14:33
It is sooooooooo simple to encrypt everything on any servers so even if someone stole the hard drive they won't be able to do anything with it, but NOOOOOOOOOOOOOOOO...

No one is willing to do the extra steps, from big box companies to small businesses, and that is why everyone gets hacked, and NOT because it is the new norm and everyone can get hacked.

Let's not forget Uber!

Uber Paid Hackers...
2017-11-21
dronist
First Officer
United States

CycleParadise Posted at 2017-11-21 17:37
Let's not forget Uber!

Uber Paid Hackers...

These punks kept the secret for a year maybe more. It is simple, if people DON'T GET PUNISHED they will keep doing it and we get screwed.

That is why I was one of the first to object to DJI storing our information and everybody said oh what you have to hide they don't understand IT IS MY PRIVACY and I only trust myself to keep it safe.

I am still using .700 and always fly in airplane mode and don't give access to my photos to any apps period. Save it on the SD and then download it.


2017-11-21
Nikon 1
lvl.4
United States

Ex Machina Posted at 2017-11-21 07:03
Apparently DJI didn't specify that all eligible hacks would need to be kept private at the time and white hat dude pushed back -- they do now. DJI should have just paid the guy and sucked it up.

And fixed the problems he found.
2017-11-22
Drseussami
lvl.4
Flight distance : 108002 ft
United States

Sure....I'm gonna believe DJI "fixed" the problems.....just like Equifax and Uber....
2017-11-22
Welsh Mavic
lvl.3
Flight distance : 26493 ft
France

Remember this is a Chinese Billion Dollar company as well, bet the Gov are well involved.

The Chinese are on another planet in many respects to the West although they like to emulate the West.
2017-11-22
BumblerBee
Second Officer
Flight distance : 639764 ft
Norway

After reading both sides of the story, I think Kevin overstepped the norm for security testing - you check the keys, BUT YOU DO NOT TAKE THE STUFF OUT! This is what DJI's response is about.
2017-11-22
jeebs-9
lvl.4
Flight distance : 174262 ft
United States

Seems like a few things were going on here. SMH
2017-11-27
jeebs-9
lvl.4
Flight distance : 174262 ft
United States

Wow.... This is big...

https://www.engadget.com/2017/11 ... rones-spying-china/
2017-11-30
Welsh Mavic
lvl.3
Flight distance : 26493 ft
France

While Google Street View accidentally gathered people's WiFi info as they went.
2017-11-30
Woe
Captain
Flight distance : 4129268 ft
United States

Hacker  or disappointed employee?
2017-11-30
Fractures
lvl.3
Flight distance : 635531 ft
United States

jeebs-9 Posted at 2017-11-30 14:36
Wow.... This is big...

https://www.engadget.com/2017/11/30/homeland-security-claims-dji-drones-spying-china/

Definitely won't be seeing any synced flights or internet connection on my drones from now on.
2017-11-30
hallmark007
Captain
Flight distance : 9827923 ft
Ireland

Fractures Posted at 2017-11-30 16:02
Definitely wont be seeing any synced flights or internet connection on my drones from now on.

Just use the DJI Pilot app.
2017-11-30
jeebs-9
lvl.4
Flight distance : 174262 ft
United States

Welsh Mavic Posted at 2017-11-30 15:24
While Google Street View accidentally gathered people's WiFi info as they went.

They actually explained why it was happening. DJI hasn't and got exposed badly....
2017-12-1
jeebs-9
lvl.4
Flight distance : 174262 ft
United States

Woe Posted at 2017-11-30 15:51
Hacker  or disappointed employee?

Kevin is a hacker.... He's done this before and will again.
2017-12-1