Chinese drone maker Da-Jiang Innovations (DJI) has landed itself in a cybersecurity row over a bug bounty dispute. One of the world’s largest drone makers has reportedly accused a cybersecurity researcher of hacking its servers, the BBC reported.
Kevin Finisterre, an independent security researcher, claimed that he found a private key publicly posted on the code-sharing site GitHub, after which he was able to access confidential and sensitive customer information and saw “unencrypted flight logs, passports, drivers’ licenses and identification cards.”
After discovering the security flaw, he approached the firm, which in turn initially offered a bug bounty reward of up to $30,000 (£23,000) and also offered to hire him as a consultant. Finisterre also claimed that the company tried to make him sign a non-disclosure agreement, which he refused to sign. The Next Web reported that DJI threatened to charge him under the Computer Fraud and Abuse Act (CFAA).
In a detailed 31-page security vulnerability report sent to DJI in late September this year, Finisterre revealed that “one of the clauses stated that he could not publicly disclose his research without written consent from DJI.”
On November 16, 2017, Finisterre described the general issues in a blog post and refrained from publicly disclosing the full findings.
Meanwhile, DJI has maintained that the server accessed by Finisterre was “unauthorized”. In a statement, DJI said, “DJI takes data security extremely seriously, and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI’s products”.
“The hacker in question refused to agree to these terms despite DJI’s attempts to negotiate with him and threatened DJI if his terms were not met,” the company further said.
Cybersecurity expert Prof Alan Woodward of Surrey University called DJI’s actions “outrageous” and said, “cybersecurity is one of those areas where there is no government organization or central body or standards agency holding these people to account. It’s ethical hackers and security researchers. The public has a right to know when there’s a security problem”.