Chinese drone maker DJI left the private key for its dot-com's HTTPS certificate exposed on GitHub for up to four years, according to a researcher who gave up with the biz's bug bounty process.
DJI also exposed customers' personal information – from flight logs to copies of government ID cards – to the internet from misconfigured AWS S3 buckets.
By leaking the wildcard SSL cert private key, which covers *.dji.com, DJI gave miscreants the information needed to create spoof instances of the manufacturer's website with a correct HTTPS certificate, and silently redirect victims to the malicious forgeries and downloads via standard man-in-the-middle attacks. Hackers could also use the key to decrypt and tamper with intercepted network traffic to and from its web servers.
It's rather embarrassing. DJI is one of the world’s largest small and medium-sized aerial drone manufacturers.
The private SSL key was found sitting in a public DJI-owned GitHub repo by Kevin Finisterre, a researcher who focuses on DJI products. AWS account credentials and firmware AES encryption keys were also exposed on GitHub, we're told, along with people's highly sensitive personal information in poorly configured public-facing AWS S3 buckets, which he summarized as a “full infrastructure compromise.” DJI has since marked the affected HTTPS certificate as revoked, and acquired a new one in September.
“I had seen unencrypted flight logs, passports, drivers licenses, and identification cards,” Finisterre said, adding: “It should be noted that newer logs and PII [personally identifiable information] seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes.”
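As an added example (not code from the article, from DJI or from Finisterre), here is a small standard-library Python scanner for the three classes of secret the article describes being committed or relied on: PEM private keys, AWS access key IDs, and static passwords passed to `openssl enc` on the command line. The sample repository contents are constructed; the AWS key ID is Amazon's own documented example value.

```python
import re
from pathlib import Path

# One pattern per secret class named in the article. The AKIA/ASIA prefix
# is the documented shape of AWS long-term and temporary access key IDs.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "openssl_static_password": re.compile(
        r"openssl\s+enc\b.*?(?:-pass\s+pass:|-k\s+)\S+"),
}


def scan_text(path, text):
    """Return (path, line_number, kind) for every line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, kind))
    return findings


def scan_tree(root):
    """Walk a checked-out repository and scan every regular file in it."""
    findings = []
    for file in Path(root).rglob("*"):
        if file.is_file():
            try:
                text = file.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            findings.extend(scan_text(str(file), text))
    return findings


# Constructed sample repository (hypothetical paths and contents, not DJI's).
SAMPLE_FILES = {
    "deploy/nginx/wildcard.key":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...placeholder...\n"
        "-----END RSA PRIVATE KEY-----\n",
    "scripts/upload_logs.sh":
        "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "openssl enc -aes-256-cbc -pass pass:hunter2 -in flight.log -out flight.enc\n",
    "README.md": "# Build notes\nRun make, then upload artifacts.\n",
}


def scan_samples():
    """Scan the constructed sample files in memory, without touching disk."""
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings
```

A file deleted from the working tree still survives in git history, so a scan of the current checkout alone misses a key that was committed and later removed; run the scanner over each historical revision as well.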
Earlier this year the US Army issued a blanket ban on the use of DJI products by its personnel. It gave no reason for doing so, other than unspecified “cyber vulnerabilities,” and the Australian military rapidly followed suit. Several British police forces also use DJI drones for operations, in place of helicopters.
Speaking to El Reg, Finisterre added that the SSL private key “sat on GitHub for two to four years as I recall... no clue who wound up with it,” continuing:
This breach seemingly confirms many of the concerns of the summer regarding the US Army ban, and other concerned parties discussing DJI's data security posture. It is unfortunate that I have had to share it in this fashion; I had hoped for a "responsible" collaboration on a mutual message with the vendor.
Earlier today Finisterre posted an 18-page PDF on Twitter setting out his findings and frustrations over what he describes as several months of working with DJI’s US representatives in trying to report the security blunders. Having disclosed the cockups privately to DJI, he applied for a reward from its bug bounty scheme.
Though DJI agreed in principle that he would be paid their “top reward” of $30,000, the two sides disagreed vehemently over the terms of a non-disclosure agreement that the company wanted all bounty recipients to sign, which eventually led to Finisterre losing patience and going public with all the details, effectively throwing away thirty grand.
In a thinly veiled threat, he was also warned by the drone maker that he may have broken US laws on computer hacking by probing DJI's systems.
DJI acknowledged the security failures, and told us it had “hired a third-party research firm to help us assess the issue and manage next steps.”
Computer security expert Professor Alan Woodward, of the University of Surrey in England, told El Reg: “This wouldn’t be the first time someone has posted their private key inadvertently on GitHub. When people write code that requires a hard-coded private key it’s always something that should be treated like the Crown Jewels. To post it in public view on the web is a real gotcha.”
Security researcher Scott Helme added: “The basic problem is that with access to the key, an attacker can use DJI's certificate.” He also highlighted the fact that the now-revoked certificate was issued for *.dji.com, covering all DJI subdomains – including security.dji.com, which is where their Security Reporting Centre can be found.
Helme added that, in his view, the canceled certificate could be used to decrypt intercepted web traffic to and from DJI’s website until its expiry date of 10.00 UTC on 5 June 2018. Helme has previously blogged that there are flaws in how common web browsers handle cert revocation via the Online Certificate Status Protocol, allowing recalled certs to still be trusted by browsers. He added: “If someone is in a position to use the certificate they are also in a position to stop the revocation check happening, so the browser would accept the certificate despite it being revoked.” ®