Researcher says he was threatened after finding major DJI security flaw
Drone maker DJI has been roundly criticized this weekend over its alleged response to security researcher Kevin Finisterre's discovery of a significant security issue in the company's systems. According to Finisterre, he began hunting for bugs in DJI's systems under the company's recently established bug bounty program. In the process, Finisterre says he discovered a major security issue, but rather than rewarding him for his effort, DJI accused him of hacking and threatened to report him to the authorities.
DJI announced its bug bounty program in August, following a report that the U.S. Army had banned use of the maker's drones over security concerns. As part of that announcement, DJI stated:
The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create.
According to a long report on the matter published by Finisterre, he spent many weeks communicating with DJI by email about the scope of its bug bounty program, which had not yet been publicly defined. After receiving confirmation that the scope included the company's servers, Finisterre went to work writing up a report disclosing his discoveries.
Due to multiple security issues, including publicly available AWS access keys for DJI's photo-sharing service SkyPixel, Finisterre reports that he was able to reach highly sensitive user data, including identification cards, passports, flight logs and driver's licenses. A leaked long-lived access key is as good as a password for whatever the associated IAM identity can reach, so exposure of the key alone is enough to put every bucket it can read at risk. Once he found this flaw, he says he alerted DJI to the vulnerability and that the company acknowledged it.
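The class of flaw described above, credentials committed in the clear and then published, is the kind of thing both attackers and defenders find by scanning text for the fixed shape of AWS keys. The following is an added example, not code from DJI, SkyPixel or Finisterre's report, showing a minimal scanner a practitioner could run over a repository before pushing it. The file contents are constructed for the demo, and the two key values are the placeholder credentials AWS publishes in its own documentation (the ones ending in `EXAMPLE`), not live keys; the path names are made up.

```python
"""Scan source files for AWS credentials committed in the clear.

Added example (not DJI's or Finisterre's code). The file contents below are
constructed for the demo; the key values are the placeholder credentials AWS
publishes in its own documentation and are not live.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Long-lived access key IDs start with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case alphanumerics. The lookarounds stop the
# 20-character token from being matched inside a longer identifier.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")

# Secret access keys are 40 base64-ish characters with no fixed prefix, so a
# bare pattern would flag every SHA-1 digest and lockfile hash. Require a
# credential-like name to the left of '=' or ':' to keep the noise down.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|aws_?secret_?key|secret_?access_?key)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # the scanner never keeps the full secret in its output


def redact(value: str) -> str:
    """Keep just enough of the value to locate it, never enough to use it."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per credential-shaped token, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} mapping; swap in os.walk for a real tree."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository (hypothetical paths). The two credential values
# are the placeholder keys from AWS's documentation, not real credentials.
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": (
        "S3_BUCKET = 'photo-uploads'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    # Reads the secret from the environment at runtime: nothing to flag.
    "Dockerfile": (
        "FROM python:3.11-slim\n"
        "ENV AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}\n"
    ),
    # A 40-hex-character SHA-1 that a prefix-less secret pattern would misflag.
    "package-lock.json": (
        '"integrity": "sha1-2bd5f4d6ac0b2d1d9d1c2a7b3e4f5a6b7c8d9e0f"\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

Run as a pre-commit hook the scanner reports two hits in the settings file and nothing for the Dockerfile or lockfile. The real lesson of the incident is upstream of detection, though: keys that must live in code should be short-lived STS credentials scoped to one bucket, and any long-lived key that has ever been published should be treated as compromised and rotated, not merely deleted from the repository, since the history still holds it.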
After more than 130 emails back and forth between DJI and Finisterre, he states in his report that DJI told him he would be rewarded with $30,000 under the bug bounty program, the maximum award. However, Finisterre reports that weeks later he received an agreement for his particular bounty that was "literally not sign-able." As he goes on to explain in his report:
I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection. For me personally the wording put my right to work at risk, and posed direct conflicts of interest with many things, including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.
Efforts to alter the agreement did not pan out as hoped, says Finisterre, who goes on to claim that several different lawyers advised him that DJI's final offer was "likely crafted in bad faith" and that it was "extremely risky" for him to sign it. It was around this time that Finisterre also received a legal demand from DJI ordering him to delete or destroy the data he had gathered during his investigation, while appearing to threaten him with action under the Computer Fraud and Abuse Act (CFAA).
In a statement to Ars Technica, which was the first to cover the dispute between DJI and Finisterre, the Chinese drone giant referred to Finisterre as a "hacker," claiming that he had accessed one of the company's servers without permission and had then tried to claim a reward under the bug bounty program without following "standard terms for bug bounty programs." The statement goes on to claim that Finisterre "refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met."
For his part, Finisterre says that he ultimately turned down the $30,000 in favor of going public with what he sees as an unsettling and unacceptable experience, concluding with the following statement:
If you are wondering if DJI even bothered to respond after I got offended over the CFAA threat, you should be happy to know it was flat out radio silence from there on out. All Twitter DMs stopped, SMS messages went unanswered, etc. Cold blooded silence.