Major security vulnerabilities at DJI: keys for domain and firmware as well as user data were freely accessible

[12:09 Tue, 21 November 2017 by ]

Security researcher Kevin Finisterre has published a serious security vulnerability concerning DJI, the world's leading Chinese drone manufacturer. On public GitHub pages belonging to DJI, security-relevant material was openly accessible: the private TLS key of the DJI website, credentials for the Amazon cloud storage (AWS) holding DJI user data, and the AES keys used to encrypt DJI firmware, which let anyone decrypt the firmware images.

According to Finisterre, the private key of the HTTPS certificate for the wildcard domain *.dji.com (which covers dji.com itself as well as store.dji.com, security.dji.com and the other subdomains) had been sitting on GitHub, the web-based hosting service for software development projects, for two to four years. In the same way, private data of DJI users, such as flight logs and scans of driver's licences and ID cards, could be retrieved over the Internet from an AWS (Amazon Web Services) cloud storage server using the access credentials published on GitHub.
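The material described above (a PEM private key, an AWS access key ID and its secret) is exactly what a secret scanner run before every commit or in CI is meant to catch. The following is an added example for this page, not DJI's or GitHub's code: the detection patterns are this example's own assumptions, and the sample inputs are constructed (the AWS values are Amazon's published dummy credentials, not real keys).

```python
"""Scanner for the kinds of secrets the article describes ending up in a
public repository: PEM private keys, AWS access key IDs and AWS secret
access keys.  Added example for this page, not DJI's or GitHub's code.
The patterns are this example's own assumptions, and every sample value
below is constructed (the AWS values are Amazon's documented dummy keys)."""
import re
import sys

# Detection patterns (assumptions for this example; tune for your code base).
PATTERNS = {
    # Matches "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----",
    # "-----BEGIN EC PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----" ...
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    # Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 upper-case alnum.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-char base64-like value is only flagged when assigned to a secret-key-looking
    # name, which keeps random hashes in the code base from tripping the scanner.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}"
    ),
}


def scan_text(text, name="<input>"):
    """Return (name, line_number, kind) for every line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, kind))
    return findings


def scan_files(paths):
    """Scan the given files; unreadable files are skipped rather than fatal."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), name=path))
        except OSError:
            continue
    return findings


# Constructed sample inputs standing in for files in a public repository.
SAMPLE_SETTINGS = """\
# settings.py (constructed sample; these are AWS's published dummy credentials)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET = "example-bucket"
"""

SAMPLE_KEY_FILE = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...(body truncated in this constructed sample)
-----END RSA PRIVATE KEY-----
"""


def main(argv):
    """Usage: python secret_scan.py FILE...  Exits 1 if anything is found,
    which makes it usable as a pre-commit hook or CI gate.  Without
    arguments it scans the constructed samples above."""
    findings = scan_files(argv) if argv else (
        scan_text(SAMPLE_SETTINGS, "settings.py") + scan_text(SAMPLE_KEY_FILE, "server.key"))
    for name, lineno, kind in findings:
        print(f"{name}:{lineno}: {kind}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A scanner like this only catches the current tree; a key that was committed and later deleted is still in the repository history, which is why a leaked key must be revoked and rotated rather than merely removed from the latest commit.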


[Image: DJI Phantom 4 Quadcopter]


In addition, inadequately configured access restrictions on the AWS cloud storage, something apparently known in DJI hacker circles, meant that attachments to users' service requests (including photos of damaged drones and personal data) could in principle be retrieved by anyone.
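The access restriction at issue is the bucket's policy. The following is an added example for this page, not DJI's configuration: a small checker that flags bucket policy statements granting object reads to anyone, shown against a constructed weak policy and a constructed corrected one (the account ID and bucket name are placeholders).

```python
"""Checker for S3 bucket policies that grant object reads to anyone, the
kind of over-broad access restriction the article describes.  Added example
for this page, not DJI's configuration; both policies and the account ID in
them are constructed placeholders."""
import json

# Actions that let the principal read objects.  Compared case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy JSON allows a single string wherever a list is also valid."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} covers every AWS account and unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def review_statements(policy):
    """Yield (sid, unconditional) for every Allow statement that gives anyone
    object-read access.  A Condition (source IP, VPC, TLS-only, ...) narrows the
    grant but can still be too broad, so such statements are reported with
    unconditional=False for manual review."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue                     # Deny statements never widen access
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        yield st.get("Sid", f"statement[{i}]"), "Condition" not in st


def public_read_statements(policy):
    """Identifiers of statements that let anyone on the Internet read objects."""
    return [sid for sid, unconditional in review_statements(policy) if unconditional]


# Constructed: the weak setting; anyone on the Internet may download attachments.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-support-attachments/*",
    }],
}

# Constructed: the corrected policy.  Reads are limited to one IAM role (placeholder
# account ID), and a Deny with Principal "*" enforces TLS without widening access.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SupportPortalRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/support-portal"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-support-attachments/*",
        },
        {
            "Sid": "DenyPlaintext",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-support-attachments",
                         "arn:aws:s3:::example-support-attachments/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(label, "public-read statements:", public_read_statements(pol))
```

The bucket policy is not the only control: object and bucket ACLs and the account-level public access block settings also decide who can read, so a clean policy result is necessary but not sufficient.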

A leaked private key does not let an attacker issue new certificates, but it is enough to impersonate the site: whoever holds the key for *.dji.com can present DJI's own valid certificate from a man-in-the-middle position and terminate the supposedly encrypted HTTPS connection themselves, either serving mirrored and modified copies of the pages or relaying the traffic to the real DJI site while reading it. Users can then be tricked into entering personal data on seemingly genuine DJI pages or into downloading modified software without the browser showing any warning. If sessions used RSA key exchange rather than a forward-secret cipher suite, the same key also decrypts any previously captured traffic. DJI has since September revoked the compromised certificate and removed the corresponding code from GitHub; because browsers check revocation status inconsistently, it is the replacement certificate issued for a fresh key pair, rather than the revocation itself, that actually retires the leaked key.

[Image: GitHub code containing DJI's AWS login credentials]


Finisterre, known for his OS X exploits, had in fact intended to report his findings through DJI's bug bounty program, launched only at the end of August with rewards of up to 30,000 dollars for reporting software issues. After initial cooperation with DJI, however, he could not agree on the required NDA, among other things, and therefore decided to forgo the reward. DJI, on the other hand, accuses Finisterre in a press release of hacking DJI servers, obtaining unauthorized access, not adhering to standard agreements and threatening DJI.

The incident, and the poorly defined bug bounty program, do nothing to help DJI's efforts to improve the security of its products and to win or keep customer confidence.

After DJI's problems with hacked drones and the US Army's decision to stop using DJI products out of security concerns (ironically, Finisterre also found data from users with .mil and .gov email addresses, i.e. military and government agencies, in DJI's cloud storage), the gross negligence in security matters now revealed on DJI's part is something its users could have done without. Whether the security gaps were actively exploited is not known.

More information at www.theregister.co.uk

German version of this page: Grobe Sicherheitslücken bei DJI: Schlüssel für Domain und Firmware sowie Userdaten waren frei zugänglich

    

Last update: 20 October 2018, 18:00. slashCAM is a project by channelunit GmbH. Mail: slashcam@--antispam:7465--slashcam.de