/// News

Major security vulnerabilities at DJI: Keys for domain, firmware and user data were freely accessible

12:09, Tuesday, 21 November 2017

Security researcher Kevin Finisterre has published details of serious security vulnerabilities at DJI, the world's leading drone manufacturer from China. On public GitHub repositories belonging to DJI, security-relevant secrets were exposed: the private key for the SSL/TLS certificate of the DJI website, access credentials for DJI's Amazon cloud storage holding user data, and the AES encryption keys for DJI firmware.

According to Finisterre, the private key for the HTTPS certificate of the wildcard domain *.dji.com (i.e. valid for dji.com as well as for store.dji.com, security.dji.com and every other subdomain) had been sitting on GitHub, the web-based hosting service for software development projects, for two to four years. Likewise, private data of DJI users such as flight logs and scans of driver's licenses and ID cards could be retrieved over the Internet from an AWS (Amazon Web Services) cloud server using the access credentials published on GitHub.
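The kind of exposure described above is found by scanning repository contents for secret-shaped strings. The following scanner is an added example written for this article; it is not DJI's code and not Finisterre's tooling. The sample "repository" is constructed inline (the AWS values are the placeholder credentials from AWS's own documentation, the key body is filler), and the three detection rules (a PEM private-key header, the AKIA/ASIA access key ID format, a 40-character secret next to its usual variable name) are the ones assumed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample repository contents. The AWS values are the placeholder
# credentials from AWS's own documentation and the key body is filler, so
# nothing here is a real secret.
SAMPLE_FILES = {
    "config/aws.yml": (
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "certs/wildcard.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAfillerfillerfillerfillerfillerfillerfillerfiller\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Build instructions. Nothing sensitive here.\n",
}

# Detection rules (assumed for this example). The PEM header is an exact
# marker for key files; the AWS access key ID shape (AKIA/ASIA plus 16
# upper-case alphanumerics) and the 40-character secret beside its well-known
# variable name are the documented formats. Group 1, where present, isolates
# the secret itself.
RULES = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
        r"(?![A-Za-z0-9/+=])"),
}


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a finding can be reported without re-leaking it."""
    return secret[:4] + "..." + "*" * max(0, len(secret) - 4)


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Run every rule over each line of one file and return redacted findings."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in RULES.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "redacted": redact(secret)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of path -> contents, e.g. a checkout read into memory."""
    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['redacted']}")
```

Two follow-ups matter in practice. First, a scan of the working tree misses secrets that were committed and later deleted, because git history, forks and clones keep them; tools such as gitleaks or trufflehog walk the full history, and a secret that was ever public has to be rotated regardless of whether it is still in HEAD. Second, a found private key should be matched against the certificate it is feared to belong to, which for RSA is a modulus comparison: `openssl rsa -noout -modulus -in leaked.key` and `openssl x509 -noout -modulus -in site.crt` print the same value if the key is the certificate's.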


[Image: DJI Phantom 4 Quadcopter]


In addition, an inadequate configuration of the access restrictions on the AWS cloud storage, apparently known in DJI hacker circles, meant that attachments to users' service requests (including photos of damaged drones and personal data) could in principle be retrieved by anyone.
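The article does not show DJI's actual storage configuration, so the following is an added example of the check a reviewer would run, not DJI's policy. It assumes the storage is an S3 bucket governed by a bucket policy, and it flags any Allow statement that grants object-read actions to an anonymous principal ("*" or {"AWS": "*"}). Both policies below are constructed for the demonstration: the first is the weak setting that lets anyone fetch uploaded attachments, the second restricts reads to one IAM role.

```python
import json
from typing import Any, Dict, List

# Constructed sample policies (not DJI's real configuration).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnonymousRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::support-attachments/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SupportRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/support-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::support-attachments/*",
    }],
})

# Actions (compared case-insensitively) that let a principal read objects.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True when Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_read(actions: Any) -> bool:
    return any(str(a).lower() in READ_ACTIONS for a in _as_list(actions))


def public_read_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return every Allow statement that lets an anonymous principal read objects.

    A Condition block may narrow who "*" really is (for example aws:SourceIp),
    so such statements are still reported, with has_condition set, rather than
    silently trusted.
    """
    policy = json.loads(policy_json)
    flagged: List[Dict[str, Any]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        flagged.append({
            "sid": stmt.get("Sid", f"statement[{idx}]"),
            "resource": _as_list(stmt.get("Resource", [])),
            "has_condition": "Condition" in stmt,
        })
    return flagged


def is_publicly_readable(policy_json: str) -> bool:
    return bool(public_read_statements(policy_json))


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, public_read_statements(policy))
```

This covers only the bucket policy. Legacy bucket and object ACLs, and the account- or bucket-level Block Public Access settings, are separate controls; on a live account `aws s3api get-bucket-policy-status --bucket NAME` reports AWS's own verdict (`IsPublic`) for the policy, and `aws s3api get-public-access-block --bucket NAME` shows whether public grants are blocked regardless of what the policy says.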

With the private HTTPS key, an attacker can present a valid certificate for dji.com and mount a man-in-the-middle attack: the browser shows an encrypted HTTPS connection to dji.com, while the attacker actually serves a modified copy of the site or eavesdrops on the user's traffic with the real DJI site. Users could thus be tricked into entering personal data on a seemingly genuine DJI page or into downloading tampered software, without the browser showing any warning. DJI revoked the compromised certificate for the website in September and removed the corresponding GitHub code. Revoking the certificate is only part of the fix: browsers check revocation status unreliably, so the key itself has to be replaced, and anything that was once in a public repository should be treated as permanently compromised, since forks, clones and git history survive the deletion.

[Image: GitHub code with DJI's AWS login data]


Finisterre, known for his OS X exploits, had actually intended to report his findings under DJI's bug bounty program, launched only at the end of August, which offered rewards of up to 30,000 dollars for reporting software issues. After an initial cooperation with DJI, however, he could not reach agreement with the company on the required non-disclosure agreement (NDA), among other things, and therefore decided to forgo the reward. DJI, for its part, accuses Finisterre in a press release of hacking DJI servers, obtaining unauthorized access, not adhering to standard agreements and threatening DJI.

The security incident and the poorly defined bug bounty program do nothing to help DJI's efforts to improve the security of its products and to win or keep customers' trust.

After DJI's problems with hacked drones and the US Army's decision to stop using DJI products over security concerns (ironically, Finisterre also found data from users with .mil and .gov email addresses, i.e. military and government agencies, in DJI's cloud storage), this now publicly known gross negligence in security matters on DJI's part is the last thing users needed. Whether the security gaps were actively exploited is not known.

More information at www.theregister.co.uk

German version of this page: Grobe Sicherheitslücken bei DJI: Schlüssel für Domain und Firmware sowie Userdaten waren frei zugänglich

Last update: 19 July 2018 - 12:00 - slashCAM is a project by channelunit GmbH - mail: slashcam@--antispam:7465--slashcam.de - German version