Drone maker DJI left its private SSL, firmware keys open to world+dog on GitHub FOR YEARS

Plus AWS creds, S3 silos filled with sensitive customer info

By Gareth Corfield


Chinese drone maker DJI left the private key for its dot-com's HTTPS certificate exposed on GitHub for up to four years, according to a researcher who gave up on the biz's bug bounty process.

DJI also exposed customers' personal information – from flight logs to copies of government ID cards – to the internet from misconfigured AWS S3 buckets.

By leaking the wildcard SSL cert private key, which covers *, DJI gave miscreants the information needed to create spoof instances of the manufacturer's website with a correct HTTPS certificate, and silently redirect victims to the malicious forgeries and downloads via standard man-in-the-middle attacks. Hackers could also use the key to decrypt and tamper with intercepted network traffic to and from its web servers.

It's rather embarrassing. DJI is one of the world’s largest small and medium-sized aerial drone manufacturers.

The private SSL key was found sitting in a public DJI-owned GitHub repo by Kevin Finisterre, a researcher who focuses on DJI products. AWS account credentials and firmware AES encryption keys were also exposed on GitHub, we're told, along with people's highly sensitive personal information in poorly configured public-facing AWS S3 buckets, which he summarized as a “full infrastructure compromise.” DJI has since marked the affected HTTPS certificate as revoked, and acquired a new one in September.

“I had seen unencrypted flight logs, passports, drivers licenses, and identification cards,” Finisterre said, adding: “It should be noted that newer logs and PII [personally identifiable information] seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes.”

Earlier this year the US Army issued a blanket ban on the use of DJI products by its personnel. It gave no reason for doing so, other than unspecified “cyber vulnerabilities,” and was rapidly followed in doing so by the Australian military. Several British police forces also use DJI drones for operations, in place of helicopters.

Speaking to El Reg, Finisterre added that the SSL private key “sat on GitHub for two to four years as I recall... no clue who wound up with it,” continuing:

This breach seemingly confirms many of the concerns of the summer regarding the US Army ban, and other concerned parties discussing DJI's data security posture. It is unfortunate that I have had to share it in this fashion; I had hoped for a "responsible" collaboration on a mutual message with the vendor.

Earlier today Finisterre posted an 18-page PDF on Twitter setting out his findings and frustrations over what he describes as several months of working with DJI’s US representatives in trying to report the security blunders. Having disclosed the cockups privately to DJI, he applied for a reward from its bug bounty scheme.

Though DJI agreed in principle that he would be paid their “top reward” of $30,000, the two sides disagreed vehemently over the terms of a non-disclosure agreement that the company wanted all bounty recipients to sign, which eventually led to Finisterre losing patience and going public with all the details, effectively throwing away thirty grand.

In a thinly veiled threat, he was also warned by the drone maker that he may have broken US laws on computer hacking by probing DJI's systems.

DJI acknowledged the security failures, and told us it had “hired a third-party research firm to help us assess the issue and manage next steps.”

Computer security expert Professor Alan Woodward, of the University of Surrey in England, told El Reg: “This wouldn’t be the first time someone has posted their private key inadvertently on GitHub. When people write code that requires a hard-coded private key it’s always something that should be treated like the Crown Jewels. To post it in public view on the web is a real gotcha.”
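The failure Woodward describes, a private key or cloud credential sitting in a code repository, is cheap to catch before it reaches a public host. The following pre-commit style scanner is an added example, not DJI's code or anything from Finisterre's report: it looks for the two artefact types the article says leaked (PEM private key blocks and AWS access keys) and runs against constructed sample files embedded inline. The `AKIA...EXAMPLE` pair is the placeholder credential from AWS's own documentation, and the PEM bodies are placeholders, not real key material.

```python
import os
import re
from typing import Dict, List, Tuple

# A PEM private key header, in any of the common encodings.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 chars.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key assigned in a config or env file (40 base64-ish chars).
AWS_SECRET_KEY_ASSIGN = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

Finding = Tuple[str, int, str]  # (file name, line number, finding type)


def scan_text(name: str, text: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit; public certs do not match."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append((name, lineno, "pem-private-key"))
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((name, lineno, "aws-access-key-id"))
        if AWS_SECRET_KEY_ASSIGN.search(line):
            findings.append((name, lineno, "aws-secret-access-key"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map, e.g. staged files in a hook."""
    findings: List[Finding] = []
    for name in sorted(files):
        findings.extend(scan_text(name, files[name]))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk a checkout on disk; skip the .git metadata directory."""
    found: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                found[os.path.relpath(path, root)] = fh.read()
    return scan_files(found)


# Constructed sample repository contents (not real credentials or keys).
SAMPLE_FILES: Dict[str, str] = {
    # constructed: an app config that leaks AWS credentials
    "deploy/config.env": (
        "REGION=us-east-1\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    # constructed: a TLS private key committed beside its certificate
    "tls/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "PLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    # constructed: the public certificate, which is fine to commit
    "tls/server.crt": (
        "-----BEGIN CERTIFICATE-----\n"
        "PLACEHOLDER-NOT-A-REAL-CERT\n"
        "-----END CERTIFICATE-----\n"
    ),
}


def scan_samples() -> List[Finding]:
    """Run the scanner over the constructed samples; three hits expected."""
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for name, lineno, kind in scan_samples():
        print(f"{name}:{lineno}: {kind}")
    # Exit non-zero so a pre-commit hook blocks the commit on any finding.
    raise SystemExit(1 if scan_samples() else 0)
```

Wired into a pre-commit hook, a non-zero exit from this script blocks the commit; the same scan run over git history (every revision, not just HEAD) is what finds keys that were committed and later "deleted", which still sit in the repository's objects and, once pushed to a public host, must be treated as compromised and rotated.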

Security researcher Scott Helme added: “The basic problem is that with access to the key, an attacker can use DJI's certificate.” He also highlighted the fact that the now-revoked certificate was issued for *, covering all DJI subdomains – including, which is where their Security Reporting Centre can be found.

Helme added that, in his view, the canceled certificate could be used to decrypt intercepted web traffic to and from DJI’s website until its expiry date of 10.00 UTC on 5 June 2018. Helme has previously blogged that there are flaws in how common web browsers handle cert revocation via the Online Certificate Status Protocol, allowing recalled certs to still be trusted by browsers. He added: “If someone is in a position to use the certificate they are also in a position to stop the revocation check happening, so the browser would accept the certificate despite it being revoked.” ®
