Don’t mess with bug bounty hunters, DJI full infrastructure compromise
Many things are going to unfurl over the next few days. Before we start, perhaps you should watch Kevin Finisterres video from our 2017 Expo to help set the scene.
In fact, for good measure refer back to this post as well US Army calls for units to discontinue use of DJI equipment
At the end of August DJI offered a bug bounty to help iron out any wrinkles.
Plenty of bugs have been found and here are some highlights from Kevin who was offered $30,000 for his trouble and then had the rug pulled from under his feet by DJI China,
Read his full report here http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf
To cut to the chase from Kevin’s report.
The report I had delivered was in standard PDF form and covered all aspects of what I found, including but not limited to passport data, drivers licenses, state identification, and flight logs. Once I get a proper redaction tool I will release it.
There were serious ramifications to the things that were found on the DJI AWS servers. One of the first things I did to judge the impact of the exposure was grep for “.mil” and “.gov”, “gov.au”. Immediately flight logs for a number of potentially sensitive locations came out. It should be noted that newer logs, and PII seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes. Unfortunately, the rest of the server side security renders this point moot.
The other regular Kevin contributor at sUAS News, Kevin Pomaski has already reached out to me and had this to say.
Forensic data expert David Kovar in an email to sUAS News notes.
“Kevin is a member of a small, passionate group of cyber security researchers. They’ve found multiple vulnerabilities throughout DJI’s product line and supporting infrastructure. Some of these validated the U.S. Army’s concerns announced earlier this year. Others demonstrated that DJI collected personally identifying information and failed to secure it. Copies of passports belonging to DJI clients were located, completely unsecured, by the researchers on DJI’s site.
The researchers, in good faith, attempted to work with DJI to develop a responsible method for disclosing these vulnerabilities to DJI. Unfortunately those negotiations broke down due to DJI’s lack of familiarity with running a bug bounty program. We will likely see a number of vulnerabilities disclosed, reigniting the discussion about DJI’s cyber security and interest in truly providing a secure environment.”
Some more juicy bits.
My night of hunting wound up being pretty crazy. Around 4PM Sept 26th JUST before dinner, and family time I wound up finding DJI Skypixel keys for Amazon Web Services (AWS) sitting out in public view! These keys have long since been revoked, but they are depicted below. The repo was named skypixel_lottery… lottery indeed I thought!
Oddly enough, approximately a week earlier word had spread *further* that some of DJI’s AWS buckets were marked with public access and zero permissions. People had been in and out of slack mentioning it for about a month (literally 2 days after the bounty was announced).
Screenshots below show “dji-rev” randoms discussing this fact over the span of 20 days. It is unclear what exactly was in the public DJI buckets, short of the reported: “all attachments to the service emails they receive… images of damaged drones… receipt and other personal data…” and “occasional photos of people cut by propellers.
I woke up and sent a semi-snarky email about the fact I had not yet seen any response to the “servers” clarification request, and simultaneously gave a preemptive heads up on my incoming bounty submission.. “I noticed that 2 weeks has passed… I wanted to give you a heads up that I will be pushing you a new report hopefully later today. I still have lots of writing to do. Cheers.“
Rather than doing something useful… Adam Lisberg chimed and said something semi-snarky himself, sort of setting off the tone for future interactions. Never mind the fact we are over a month into dealing with an SSL key leak, and DJI is late on responding about the scope of the bounty, I guess it is time to start getting passive aggressive? I’ve literally been holding back the fact that their SSL keys had been leaked, and for some reason *now* it seemed like a good idea to imply that I was not trustworthy.
A few hours after Adam and I exchanging words, I finally got a response email to my “servers” question. Please note that DJI had not yet, and still has not made any public definition of the bounty program boundaries, and terms. It should also be noted that to this day DJI has yet to publish a rule guide, or roadmap for bounty.
The response to my question about DJI “servers” being in scope read as follows:
“Really sorry that we don’t reply within two weeks. And many thanks for your suggestions. Yes, we really would like researchers to help us… for the scope, the bug bounty program
covers all the security issues in firmware, application and servers, including source code leak, security workaround, privacy issue. We are working on a detailed user guide for it.
As you know, a lot of researchers have reported a lot of issues, and we have feedback to most of the issues, and we are going to pay the bounty. For example, the source code leak issue reported by Freek.
But we may still miss some emails like this one. We are working on improving the process to avoid such kind of issues. BTW, if any other researcher hasn’t gotten feedback in 2 weeks, please kindly let us know, we will do immediately. Thanks again.”
Pay particular attention to the portion of the email response that I bolded, and underlined. For your viewing pleasure, I have also included an image of the email below. DJI made it very clear that their servers were in scope, likewise, they made it very clear that “source code leaks” were in scope. I won’t go into details in this paper, but a group of the “dji-rev” Slack “Original Gangsters” aka “OGs” were already in communications with DJI about the fact their SSL key had been leaked on GitHub earlier in the month, having been exposed for several years.
By 1:21:52 PM Sept 27th DJI had sent the reply pictured above. I spent the next few hours examining the impact of what had been exposed on their AWS servers and began typing up my bounty report. I had no clue what a rabbit hole it would turn out to be!
Let’s take a little sidebar, do you wanna get you some bounty loot? Ask yourself what it is worth to you to devalue your time for a fraction of the pay you’d normally receive. Ask yourself what YOU are worth… do you know your own hourly bill rate? Do you know what you would charge for a week of work plus a report? How about post work *complimentary* support? If you have no clue what I am talking about, you should think about your time as a potential bounty hunter more wisely. $30,000 is a lot of loot… what would you do with it?
I was gonna buy me a sick Tesla Model 3. Please note, I’ve since had to cancel the order. Don’t forget this isn’t a happy bounty story.
Please pour out some liquor for the Model 3 that will never be.
You might have guessed that this story is not over, DJI are playing fast and loose with Kevin, but I will let you read that for yourselves in the complete report.
That link again http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf
