Researcher says he was threatened after finding major DJI security flaw
Drone maker DJI has been roundly criticized this weekend over its alleged response to security researcher Kevin Finisterre's discovery of a significant security issue involving the company's systems. According to Finisterre, he began hunting for bugs in DJI's systems under its recently established bug bounty program. In the process, Finisterre says he discovered a major security issue, but rather than rewarding him for his effort, DJI accused him of hacking and threatened to report him to the authorities.
DJI announced its bug bounty program in August following a report that claimed the U.S. Army had banned use of the maker's drones over security concerns. As part of its announcement, DJI had stated:
The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create.
According to a long report on the matter published by Finisterre, he spent many weeks communicating with DJI through email about the scope of its bug bounty program, which hadn't yet been publicly defined. After receiving confirmation that it included the company's servers, Finisterre set to work writing up a report disclosing his discoveries. Speaking of which...
Due to multiple security issues, including publicly available AWS private keys for DJI's photo-sharing service SkyPixel, Finisterre reports that he was able to gain access to highly sensitive user data, including identification cards, passports, flight logs and driver's licenses. Once he found this flaw, he says he alerted DJI to the vulnerability and that the company acknowledged it.
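Added example, not from the article or from DJI: a minimal leaked-credential scanner of the kind a defender runs in CI or a pre-commit hook, which is the usual mitigation for the publicly exposed AWS keys described above. The key formats are AWS's published ones; the sample config file, its keys and the bucket name are constructed for the example.

```python
import math
import re

# AWS access key IDs: "AKIA" + 16 uppercase alphanumerics. Secret access keys:
# 40 chars of [A-Za-z0-9/+=], normally assigned to a variable named "...secret...".
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"]([A-Za-z0-9/+=]{40})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits/char; filters placeholders like 40 repeated 'a's


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str) -> list:
    """Return (line_number, kind, value) for every credential-like token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "aws_secret_access_key", token))
    return findings


# Constructed sample (no real credentials): a config file a developer might commit.
SAMPLE_SOURCE = """\
# upload settings
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000000"  # placeholder, wrong length: no hit
aws_access_key_id = "AKIA0123456789ABCDEF"
aws_secret_access_key = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
aws_secret_access_key = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # low entropy
bucket = "skypixel-uploads"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} = {value[:4]}...{value[-4:]}")
```

A real deployment would also scan git history and build artifacts, since keys removed from HEAD often survive in earlier commits or packaged app bundles.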
After more than 130 emails back and forth between DJI and Finisterre, he states in his report that DJI said he would be rewarded with $30,000 under the bug bounty program (the maximum award). However, Finisterre reports that weeks later he received an agreement for his particular bug bounty that was "literally not sign-able." As he goes on to explain in his report:
I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection. For me personally the wording put my right to work at risk, and posed direct conflicts of interest with many things, including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.
Efforts to alter the agreement didn't pan out as hoped, says Finisterre, who goes on to claim that several different lawyers advised him that DJI's final offer was "likely crafted in bad faith" and that it was "extremely risky" for him to sign it. It was about this time that Finisterre also received a legal demand from DJI ordering him to delete/destroy the data he had gathered during his investigation, while appearing to threaten Finisterre with the Computer Fraud and Abuse Act.
In a statement to Ars Technica, which was the first to cover this spat between DJI and Finisterre, the Chinese drone giant referred to Finisterre as a "hacker," claiming that he had accessed one of the company's servers without permission and that he had tried to claim it under the company's bug bounty program without following "standard terms for bug bounty programs." The statement goes on to claim that Finisterre "refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met."
For his part, Finisterre says that he ultimately turned down the $30,000 in favor of going public with what he sees as an unsettling and unacceptable experience, concluding with the following statement:
If you are wondering whether DJI even bothered to respond after I got offended over the CFAA threat, you should be happy to know it was flat out radio silence from there on out. All Twitter DMs stopped, SMS messages went unanswered, etc. Cold blooded silence.