Drone Driver

DJI data and information security = NOT


Here is the inside story of why our DoD found it necessary to recently restrict the use of DJI platforms, as presented by Kevin Finisterre, an experienced counter-espionage software expert.

Here are two versions of his article dealing with DJI corporate and their $30,000 bounty reward for reporting software deficiencies.

A sUAS article - https://www.suasnews.com/2017/11/dont-mess-bug-bounty-hunters-dji-full-infrastructure-compromise/ 

His complete and detailed report - https://www.suasnews.com/2017/11/dont-mess-bug-bounty-hunters-dji-full-infrastructure-compromise/

 


Discussion of anything to do with DJI is a very divisive topic. I'm not saying it shouldn't be discussed, but opinions are all over the place.

So I have a couple of suggestions:

The ban took effect August 2nd and it is a military-wide ban. There was some confusion because people thought it only affected the Army; the Army memo was leaked prior to the ban, but each of the services had contributed to the research and shared the same conclusion. This is no longer in dispute. Also, there was some footage and a lot of discussion that the Marines were still using DJI; that footage came from an exercise at Camp Pendleton that took place in April, prior to the ban.

No amount of us debating the ban or DJI's PR will change it, so it's pointless to debate this old news. It would be more productive if the discussion centered around what the DoD ban on DJI might mean to commercial operators.

What if any effect might it have for competitors to gain access to capital?


If you have not bothered to read this information, then why comment on the politics of the verbiage used in the thread topic or initial sentence?

This article delves deeply into the facts concerning the lack of security of the DJI IT architecture. While your statements are accurate and true, the fact of the matter, as detailed in this report, is that DJI has severe security gaps, and he proved it to them. Also, DJI sponsored a bug-fix program that actually was not focused on finding and fixing bugs, which he also very factually details in these reports. Mr. Finisterre is a world-class IT counter-espionage software expert. His report is very detailed and provides factual information on the huge security holes that he found within the DJI IT infrastructure. When he pointed these deficiencies out to the highest levels of DJI management, they chose to send him legal concerns rather than reward him for sharing what he found, which was the stated objective of their $30,000 bug-fix bounty program.

I have read this article and several others that reported on his efforts, and the fact that he had to involve his legal team to review his work, plus his response to DJI management, tends to support the factual basis of his article. It is my belief that if the "King has no clothes on" then people should know about it. If you take the time to investigate Kevin's work and reports, then you can judge for yourself just how much risk you and your clients' information are exposed to. My sharing of this article has no intention of further debating the merits of the DoD ban; rather, it serves to point out and provide details about the fact that DJI has IT practices which are counter to the common security practices in effect throughout the e-commerce landscape at companies such as Amazon, eBay and others.

The additional fact of the matter is that so many of our videos and pictures, most of which the DJI IT infrastructure has some access to, have geotags associated with them, which provide vast amounts of structural details and locations about the infrastructure of the USA. Some higher-ups in the defense business find this troubling.

Is your final premise that the DoD announcement was a ruse so that it might enhance DJI competitors' ability to gain market share or capital assets?

Well, that is an interesting theory, but not pertinent to the scope of these articles that I posted. Finisterre was motivated by what he saw as an easy grab of the $30,000 bounty, as it only took him one evening of snooping around to initially discover some big gaps in their system which were readily available to hackers with skill sets much less capable than his. In fact, some of the security gap information was easily accessible and in the public domain for a long time.

There is not really a lot that we as users of DJI technology can do to protect the accessibility of the visual data which we collect with our drones and sensors, as doing so would drastically reduce the use of some key navigational features that are most often used while flying. But not being aware of the data security issues does not improve the situation either.

Thank you for your post on this matter as I learn from it and so many of your other posts as well.

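The geotag point in the post above is the one piece of this thread a reader can act on themselves: the coordinates sit in the EXIF GPS IFD of each JPEG, and anyone who receives the file can read them. The following is an added example, not code from the thread, from Kevin Finisterre's reports or from DJI's software. It builds a constructed, minimal JPEG carrying an EXIF GPS IFD (the coordinates are made up, not from any real capture), reads the coordinates back the way any EXIF reader would, and strips the whole APP1/EXIF segment before the file is handed to a client. Only the EXIF GPS IFD is handled; the builder, tag constants and sample file are assumptions made for illustration.

```python
import struct

# Minimal EXIF/TIFF constants from the EXIF 2.x spec (big-endian "MM" TIFF is built below;
# the reader also handles little-endian "II").
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD, TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x8825, 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: SOI, one APP1/EXIF segment (IFD0 -> GPS IFD), empty SOS, EOI."""
    ifd0_off = 8                                    # IFD0 directly after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4                 # IFD0: count, one 12-byte entry, next-IFD link
    data_off = gps_off + 2 + 12 * 4 + 4             # GPS IFD: count, four entries, next-IFD link
    lat_data = b"".join(struct.pack(">II", n, d) for n, d in lat_dms)   # 3 RATIONALs: deg, min, sec
    lon_data = b"".join(struct.pack(">II", n, d) for n, d in lon_dms)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off)
    tiff += struct.pack(">H", 1)
    tiff += struct.pack(">HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", TAG_LAT_REF, TYPE_ASCII, 2) + lat_ref.encode() + b"\x00" * 3
    tiff += struct.pack(">HHII", TAG_LAT, TYPE_RATIONAL, 3, data_off)
    tiff += struct.pack(">HHI", TAG_LON_REF, TYPE_ASCII, 2) + lon_ref.encode() + b"\x00" * 3
    tiff += struct.pack(">HHII", TAG_LON, TYPE_RATIONAL, 3, data_off + len(lat_data))
    tiff += b"\x00" * 4 + lat_data + lon_data
    app1 = EXIF_HEADER + tiff
    segment = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    return b"\xff\xd8" + segment + b"\xff\xda\x00\x02" + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment between SOI and SOS/EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):                  # SOS / EOI: metadata segments are over
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _gps_from_tiff(tiff):
    """Walk IFD0 to the GPS IFD and return (lat, lon) in signed decimal degrees, or None."""
    e = ">" if tiff[:2] == b"MM" else "<"

    def u16(o): return struct.unpack(e + "H", tiff[o:o + 2])[0]
    def u32(o): return struct.unpack(e + "I", tiff[o:o + 4])[0]

    def rational(o):
        num, den = u32(o), u32(o + 4)
        return num / den if den else 0.0            # tolerate a zero denominator

    def entries(ifd):
        for i in range(u16(ifd)):
            at = ifd + 2 + 12 * i
            yield u16(at), u16(at + 2), u32(at + 4), at + 8   # tag, type, count, value field

    gps_off = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == TAG_GPS_IFD), None)
    if gps_off is None:
        return None
    f = {}
    for tag, typ, count, v in entries(gps_off):
        if typ == TYPE_ASCII:                       # "N"/"S"/"E"/"W" is stored inline (<= 4 bytes)
            f[tag] = tiff[v:v + 1].decode("ascii", "replace")
        elif typ == TYPE_RATIONAL and count == 3:   # 24 bytes, so the value field is an offset
            off = u32(v)
            deg, mn, sec = (rational(off + 8 * k) for k in range(3))
            f[tag] = deg + mn / 60 + sec / 3600
    if not all(t in f for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat = -f[TAG_LAT] if f[TAG_LAT_REF] == "S" else f[TAG_LAT]
    lon = -f[TAG_LON] if f[TAG_LON_REF] == "W" else f[TAG_LON]
    return lat, lon


def find_gps(jpeg):
    """Return (lat, lon) from the first EXIF APP1 segment, or None if the file has no GPS IFD."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            return _gps_from_tiff(payload[len(EXIF_HEADER):])
    return None


def strip_exif(jpeg):
    """Return a copy with every EXIF APP1 segment removed; everything from SOS on is copied as-is."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        tail = end
    return bytes(out + jpeg[tail:])


# Constructed coordinates (38 deg 53' 23" N, 77 deg 2' 7" W); not from any real drone capture.
SAMPLE_JPEG = build_sample_jpeg([(38, 1), (53, 1), (23, 1)], "N",
                                [(77, 1), (2, 1), (7, 1)], "W")

if __name__ == "__main__":
    print("before:", find_gps(SAMPLE_JPEG))
    print("after: ", find_gps(strip_exif(SAMPLE_JPEG)))
```

Dropping the whole APP1 segment is deliberate: editing the GPS IFD in place means fixing up every offset that follows it, and a partial edit is easy to get wrong. The caveat is that this only covers the EXIF GPS IFD in still images; XMP packets and video metadata tracks can carry the same coordinates and are not touched here, so check those separately before treating a file as location-free.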

Sorry, as I said, this is a divisive topic which is difficult to debate online. I have read ALL of the articles, watched the videos and attended the occasional trade show appearance.

4 hours ago, Drone Driver said:

If you take the time to investigate Kevin's work and reports then you can judge for yourself just how much risk you and your clients information is exposed to.

Kevin worked on exposing these security issues for months.  He was part of the thread regarding this on the other forum and that thread devolved into a pointless debate about DJI. 

4 hours ago, Drone Driver said:

Well, that is an interesting theory, but not pertinent to the scope of these articles that I posted. Finisterre was motivated by what he saw as an easy grab of the $30,000 bounty, as it only took him one evening of snooping around to initially discover some big gaps in their system which were readily available to hackers with skill sets much less capable than his. In fact, some of the security gap information was easily accessible and in the public domain for a long time.

I don’t want to impugn his motives, but a lot of people questioned his intentions for months before there was even a hint of a bug bounty. In the weeks and months leading up to the ban and the bug bounty, people warned him that the actions he was taking would not result in the outcome he was hoping for. It really wasn’t a question of whether what he was reporting was accurate, but what did he want? Was he influential at the time in hacking DJI and exposing many of the security issues? Absolutely. But he wasn’t the only person and wasn’t the first to report it; he was just the first to stand up at user groups and trade shows to give almost incoherent speeches about it, which garnered him a lot of notoriety. He had become the self-anointed leader of the “hacking” movement, and Patric Eagan at sUAS News was more than willing to spread the word.

Whatever their agenda, they had their 15 minutes of fame. It’s not up to me to judge their success, but this has been thoroughly debated in lots of forums, and I guess my hope was that we would not repeat it here. That in no way implies that it’s not a serious issue, but I think it might be more productive to acknowledge that this has happened and discuss what we think happens next. What’s the result of all of this?

It’s certainly not my intent to censor your post.  I’m Australian, English is my second language so I don’t always make my point very effectively.  

The military ban was unprecedented and I don’t think it was a ruse.  I posted the following on August 4th (I think).  

Personally, I don’t think DJI’s security issues were malicious; I do think the military were naive to allow them to be used in the first place, but that’s hardly DJI’s fault. Regardless of motive, exposing these security issues, intentional or otherwise, was the right thing. Hopefully it will prevent other users from naively using this technology in places they probably shouldn’t.

As Forrest Gump says “That’s all I got to say about that.”  


Chuck - Thank you for bringing to light, at least for me, more background information on this topic. You are certainly much more informed about this issue than I. However, there are many others who, like me, are not as well informed. For those forum members, I wanted to make them aware of the factual components involved with the DJI IT security issues. Many of their commercial customers have contracts with our members which stipulate a measure of privacy that they are in no position to implement nor able to honor.

OK - Kevin has motives which might be called into question; however, he is of superb talents and does work for a counter-drone measures manufacturer whose goal is to sell and market frequency jamming systems to the industrial marketplace. And a primary target audience for their product is electrical power generation facilities. It is his job to seek out these openings, and by bringing them into the public forum he creates a market awareness of these vulnerabilities which can predispose his target customers to procure their jamming equipment.

BTW, he did not exclude 3DR from his discussions and accurately details just how easy it is for commercial drones to be deployed with explosive payloads on the battlefield, both multi-rotor and fixed-wing. This is the real impetus for DJI and the open-source flight controller developers to explore geo-fencing restrictions, not the FAA 400 ft AGL (or above a tall structure) limitations and horizontal restrictions. Battlefield use of easily available and affordable commercially available drones is a far more serious situation than being able to freely navigate legal US airspace boundaries. What the end users of these drones choose to use them for is well beyond the ability of any manufacturer to impose limitations on. It must be somewhat of a liability nightmare for those corporations to ponder.

Thank you for taking your time to share your insights and opinions; as previously stated, I learn something from all of your posts.
