Major security vulnerabilities at DJI: keys for domain, firmware and user data were freely accessible

[12:09 Tue, 21 November 2017]

Security researcher Kevin Finisterre has published details of a serious security lapse at DJI, the world's leading drone manufacturer, based in China. On DJI's public GitHub pages, security-critical material was openly accessible: the private key for the TLS certificate of the DJI website, credentials for DJI's Amazon Web Services (AWS) cloud storage holding user data, and the AES keys used to encrypt DJI firmware.

According to Finisterre, the private key for the HTTPS certificate of the wildcard domain *.dji.com (valid for dji.com as well as for store.dji.com, security.dji.com and every other subdomain) had been sitting on GitHub, the code-hosting service, for two to four years. Likewise, private data of DJI users such as flight logs and scans of driver's licences and ID cards could be retrieved over the Internet from DJI's AWS cloud storage using the access credentials published on GitHub.
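As an added illustration (not code from DJI, Finisterre or the original article), the following Python script shows the kind of check that would have caught this before the code was pushed: it scans repository files for PEM private keys, AWS access key IDs and secret keys, and hex-encoded AES keys, the three kinds of material described above. The detection rules, file names and sample repository contents are constructed for this example; the credential values are the placeholders from AWS's own documentation.

```python
import math
import re
import sys
from collections import Counter
from typing import Dict, List

# Detection rules for the three kinds of material that leaked in the DJI case.
# The rules are written for this example (hypothetical, not GitHub's or DJI's own).
RULES = {
    # PEM-armoured private keys (TLS, SSH): the header alone is conclusive.
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # AWS access key IDs have a fixed prefix and length, so they are cheap to match.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # AWS secret keys are 40 base64-ish characters with no prefix, so we require
    # the telling variable name in front of them.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # A raw AES-128/256 key as hex is indistinguishable from an MD5/SHA-256 digest,
    # so only flag it when the assigned name says aes/key/secret.
    "aes_hex_key": re.compile(
        r"(?i)\b\w*(?:aes|key|secret)\w*\s*[=:]\s*['\"]?([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\b"),
}


def shannon_entropy(value: str) -> float:
    """Bits per character: a random key scores high, a placeholder like 000... scores 0."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be located without re-leaking the value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str, path: str = "<memory>") -> List[Dict]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rule in RULES.items():
            m = rule.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # Entropy gate for the value-shaped rules: an all-zero test key or a
            # repeated placeholder is noise, a real key is close to the maximum.
            if kind in ("aws_secret_access_key", "aes_hex_key") and shannon_entropy(value) < 3.0:
                continue
            findings.append({"path": path, "line": line_no, "kind": kind, "match": redact(value)})
    return findings


def scan_files(paths: List[str]) -> List[Dict]:
    findings = []
    for path in paths:
        with open(path, "rb") as f:
            findings.extend(scan_text(f.read().decode("utf-8", "replace"), path))
    return findings


# Constructed sample repository: two real-looking leaks, one placeholder key and
# one file with digests that must NOT be reported.
SAMPLE_REPO = {
    "deploy/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "certs/wildcard.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(key material omitted in this constructed sample)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "tools/fw_unpack.py": (
        'FIRMWARE_AES_KEY = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"\n'
        'TEST_KEY = "00000000000000000000000000000000"  # placeholder, low entropy\n'
    ),
    "README.md": (
        "Built from commit 3b1f2c9d8e7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e\n"
        "md5 of the tarball: d41d8cd98f00b204e9800998ecf8427e\n"
    ),
}


def scan_repo(files: Dict[str, str]) -> List[Dict]:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


if __name__ == "__main__":
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_repo(SAMPLE_REPO)
    for hit in results:
        print(f"{hit['path']}:{hit['line']}: {hit['kind']} {hit['match']}")
```

Run it with file paths to scan a checkout, or pipe `git log -p --all` into a file and scan that, since a secret deleted in a later commit is still in the history. The name-based rule for hex keys is deliberate: a 32-character hex string alone is just as likely an MD5 digest, and a scanner that reports every digest gets switched off.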


DJI Phantom 4 quadcopter


In addition, a poorly configured access policy on the AWS storage, apparently an open secret in DJI hacking circles, meant that attachments to users' service requests (including photos of damaged drones and personal data) could in principle be retrieved by anyone.
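As an added example (constructed here, not DJI's actual configuration), the following Python script shows the misconfiguration in question next to its corrected form, together with a small check that flags it: an S3 bucket policy that grants s3:GetObject to the anonymous principal makes every object readable by anyone on the Internet. The bucket name, account ID and role name are placeholders.

```python
from typing import Any, Dict, List

# Two bucket policies constructed for this example (not DJI's real configuration).
# OPEN_POLICY is the classic mistake: a wildcard principal may read every object,
# so attachments to support tickets can be fetched with a plain unauthenticated GET.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::support-attachments/*",
    }],
}

# The corrected policy: only one named backend role may read, and only over TLS.
# Account ID and role name are placeholders.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SupportBackendRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/support-backend"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::support-attachments/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}

# Action names that grant object reads; IAM matches actions case-insensitively.
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject"}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy: Dict) -> List[Dict]:
    """Return the Allow statements that let anonymous callers read objects.

    Statements that carry a Condition are still reported but marked, because
    conditions such as aws:Referer or a source IP range are easy to satisfy
    and a reviewer should look at them rather than trust them.
    """
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        hits.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "resource": _as_list(stmt.get("Resource", [])),
            "conditional": "Condition" in stmt,
        })
    return hits


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_read_statements(policy))
```

The check looks only at the policy document; bucket ACLs and, on today's AWS, the account-level Block Public Access setting are separate controls, and the latter is the cheaper safety net because it overrides a policy like OPEN_POLICY regardless of who wrote it.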

With the private key of the wildcard certificate, an attacker can impersonate any dji.com host. In a man-in-the-middle attack the victim's browser sees what looks like a genuine, encrypted HTTPS session with dji.com, while the attacker serves a mirrored and modified copy of the site or relays and reads the user's traffic to the real DJI site. Users can thus be tricked into entering personal data on the seemingly real DJI pages or into downloading tampered software, without the browser showing any warning, because the certificate presented really is DJI's. The leaked key does not let the attacker issue new certificates (that would take a certificate authority's key); it lets him use DJI's existing one until it is revoked, and since browsers check revocation only loosely, the real fix is a new key pair and certificate, not revocation alone. DJI revoked the compromised certificate in September and removed the corresponding GitHub code.

GitHub code containing DJI's AWS login credentials


Finisterre, known for his OS X exploits, had originally intended to report his findings through DJI's bug bounty program for software issues, which was launched only at the end of August with rewards of up to 30,000 dollars. After initial cooperation with DJI, however, he could not agree to the NDA the company demanded, among other things, and therefore decided to forgo the reward. DJI, for its part, accuses Finisterre in a press release of hacking DJI servers, gaining unauthorised access, refusing to adhere to standard agreements and threatening DJI.

The incident and the poorly defined bug bounty program certainly do not help DJI's efforts to improve the security of its products and to win or keep the trust of its customers.

After DJI's problems with hacked drones and the US Army's decision to stop using DJI products over security concerns (ironically, Finisterre also found data of users with .mil and .gov e-mail addresses, i.e. military and government agencies, in DJI's cloud storage), this newly revealed gross negligence in security matters is the last thing DJI users needed. Whether the gaps have actually been exploited is not known.

More information at www.theregister.co.uk

German version of this page: Grobe Sicherheitslücken bei DJI: Schlüssel für Domain und Firmware sowie Userdaten waren frei zugänglich

Last update: 16 December 2017 - 18:00 - slashCAM is a project by channelunit GmbH - mail: slashcam@slashcam.de - German version