Security researcher Kevin Finsterre has published a serious security vulnerability concerning DJI, the world's leading Chinese drone manufacturer. On DJI's public GitHub pages, security-relevant information was openly accessible: the private SSL key of the DJI website, the access credentials for DJI's Amazon cloud storage holding user data, and the AES encryption keys for DJI firmware.
According to Finsterre, the private key for the HTTPS certificate of the wildcard domain *.dji.com (i.e. equally valid for dji.com as well as store.dji.com, security.dji.com and other subdomains) had been sitting on GitHub, the web-based hosting service for software development projects, for two to four years. Likewise, private data of DJI users such as flight logs and scans of driver's licences and ID cards stored on an AWS (Amazon Web Services) cloud server could be retrieved over the Internet using the access credentials published on GitHub.
DJI Phantom 4 Quadcopter
In addition, insufficiently configured access restrictions on the AWS cloud server, known in DJI hacker circles, apparently also meant that attachments to users' service requests (including images of damaged drones and personal data) could in theory be retrieved by anyone.
The private HTTPS key allows attackers to present valid certificates for the website and so mount man-in-the-middle attacks: users appear to reach the dji.com site over encrypted HTTPS, while the attacker either serves a mirrored and modified copy of the site that passes as authentic or eavesdrops on the user's traffic with the real DJI site. Users can be tricked into entering personal information on seemingly genuine DJI pages or downloading modified software without the browser displaying any warning. As of September, DJI has revoked the compromised certificate for the website and removed the corresponding code from GitHub.
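The exposure described above, credentials and keys committed to a public repository, is exactly what a pre-commit or repository scan is meant to catch. The following is an added example, not code from the article or from DJI: a small Python scanner that flags PEM private key blocks, AWS access key IDs and secret keys, and high-entropy hex strings of AES key length. The repository text it scans is constructed sample data and every key value in it is a placeholder.

```python
import math
import re
from collections import Counter

# Patterns for the kinds of material the article says ended up on GitHub:
# PEM private keys, AWS credentials, and hex-encoded symmetric (AES) keys.
PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(r"(?i)aws_secret(?:_access)?_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "hex_key_128_256": re.compile(r"\b[0-9a-fA-F]{32}(?:[0-9a-fA-F]{32})?\b"),
}

def shannon_entropy(s):
    """Bits of entropy per character; a 16-symbol hex alphabet tops out at 4.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text, min_entropy=3.0):
    """Return (line_number, kind, matched_token) for every suspected secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                token = m.group(m.lastindex or 0)
                # Skip low-entropy hex (all zeros, repeated test values); real
                # keys and hashes both score high, so hits still need review.
                if kind == "hex_key_128_256" and shannon_entropy(token) < min_entropy:
                    continue
                hits.append((lineno, kind, token))
    return hits

# Constructed sample resembling a committed config file; values are placeholders
# (the AWS pair is the documented example credential, not a live one).
SAMPLE_REPO_TEXT = """\
# constructed sample, not DJI's actual repository contents
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
FIRMWARE_AES_KEY = 0123456789abcdef0123456789abcdef
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA... (truncated placeholder)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, token in scan_text(SAMPLE_REPO_TEXT):
        print(f"line {lineno}: {kind}: {token[:12]}...")
```

Run it against `git log -p` output or a checkout to sweep history as well as the working tree; anything it flags should be treated as compromised and rotated, not merely deleted from the repository.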
GitHub code with DJI's AWS login data
Finsterre, known for his OS X exploits, had in fact wanted to report his findings through DJI's bug bounty program, launched only at the end of August and offering rewards of up to 30,000 dollars for reported software issues. After initial cooperation with DJI, however, he could not agree with the company on the required NDA (non-disclosure agreement), among other things, and therefore decided to forgo the reward. DJI, for its part, accuses Finsterre in a press release of hacking DJI servers, obtaining unauthorised access, not adhering to standard agreements and threatening DJI.
DJI's efforts to improve the security of its products and to win or retain customer trust are not helped by the security incident and the poorly defined bug bounty program, however.
After DJI's problems with hacked drones and the US Army's decision to stop using DJI products over security concerns (ironically, Finsterre also found data of users with .mil and .gov email addresses, i.e. military and government agencies, in DJI's cloud storage), the gross negligence in security matters on DJI's part that has now come to light is something users could have done without. Whether the security gaps have been actively exploited is not known.